Query Details

Audit Group Added to PIM

Query

//Find when an Azure AD group is assigned to an Azure AD role through PIM, as either a permanent active or a permanent eligible assignment

//Data connector required for this query - Azure Active Directory - Audit Logs

AuditLogs
| where OperationName in ("Add eligible member to role in PIM completed (permanent)", "Add member to role in PIM completed (permanent)")
| where TargetResources[2].type == "Group"
| extend GroupName = tostring(TargetResources[2].displayName)
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend ['Azure AD Role Name'] = tostring(TargetResources[0].displayName)
| project TimeGenerated, OperationName, Actor, GroupName, ['Azure AD Role Name']

Explanation

This query finds instances where an Azure AD group, rather than an individual user, is assigned to an Azure AD role through PIM. It uses the Azure Active Directory - Audit Logs data connector. The query filters the AuditLogs table on the two operation names PIM writes when an assignment completes with no end date: "Add eligible member to role in PIM completed (permanent)" for eligible assignments and "Add member to role in PIM completed (permanent)" for active assignments. It then checks that the third entry of TargetResources is of type "Group", takes the group name from that entry, takes the role name from the first entry, and takes the actor (the user who initiated the assignment) from InitiatedBy.user. The final result includes the time generated, operation name, actor, group name, and Azure AD role name. Two caveats: time-bound assignments have different operation names and are not matched by this query, and Actor will be empty when the assignment was made by an application rather than a user, because InitiatedBy then carries an app object instead of a user object.
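The following is an added variant, not part of the original query or the author's work, that widens the same detection. It keeps the original's assumption that the role is the first entry of TargetResources, but locates the group by its type with mv-apply instead of a fixed position, falls back to InitiatedBy.app for the actor, and also matches the time-bound operation names; those two "(timebound)" names are assumed here and should be confirmed against your tenant's AuditLogs before relying on them.

```kql
// Added example: group-to-role PIM assignments, permanent or timebound,
// with the group found by type rather than by index in TargetResources.
AuditLogs
| where OperationName in (
    "Add eligible member to role in PIM completed (permanent)",
    "Add member to role in PIM completed (permanent)",
    // assumed names for the time-bound variants; verify in your tenant
    "Add eligible member to role in PIM completed (timebound)",
    "Add member to role in PIM completed (timebound)")
| where Result == "success"
// expand TargetResources and keep only rows where the target is a Group
| mv-apply Target = TargetResources on (
    where tostring(Target.type) == "Group"
    | project GroupName = tostring(Target.displayName), GroupId = tostring(Target.id)
  )
// the original query's assumption: the role is the first target resource
| extend ['Azure AD Role Name'] = tostring(TargetResources[0].displayName)
| extend AssignmentType = iff(OperationName has "eligible", "Eligible", "Active")
| extend Duration = iff(OperationName has "permanent", "Permanent", "Timebound")
// user-initiated assignments populate InitiatedBy.user; app-initiated ones populate InitiatedBy.app
| extend Actor = coalesce(
    tostring(InitiatedBy.user.userPrincipalName),
    tostring(InitiatedBy.app.displayName))
| project TimeGenerated, OperationName, AssignmentType, Duration, Actor,
    GroupName, GroupId, ['Azure AD Role Name'], CorrelationId
```

GroupId and CorrelationId are carried through so a hit can be joined back to the group's membership changes and to the rest of the PIM request in the same AuditLogs table.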

Details

Matt Zorich

Released: June 17, 2022

Tables

AuditLogs

Keywords

AzureADGroup,AzureADPIMAssignment,DataConnector,AuditLogs,OperationName,AddeligiblemembertoroleinPIMcompleted(permanent),AddmembertoroleinPIMcompleted(permanent),TargetResources,Group,GroupName,Actor,InitiatedBy.user,userPrincipalName,AzureADRoleName,TimeGenerated

Operators

where, in, ==, extend, tostring, parse_json, project