Query Details

Audit Summarize PIM Roles Activated

Query

//Summarize and visualize the roles being activated in Azure AD PIM

//Data connector required for this query - Azure Active Directory - Audit Logs

AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName == "Add member to role completed (PIM activation)"
| extend ['Azure AD Role Name'] = tostring(TargetResources[0].displayName)
| summarize Count=count() by ['Azure AD Role Name']
| sort by Count
| render barchart with (title="Count of Azure AD PIM activations by role")

Explanation

This query summarizes and visualizes the roles that are being activated in Azure AD PIM (Privileged Identity Management). It uses the Azure Active Directory - Audit Logs data connector. The query filters the audit logs for the past 30 days and selects only the "Add member to role completed (PIM activation)" operations. It then extends the result to include the display name of the Azure AD role and summarizes the count of activations for each role. The results are sorted by count and rendered as a bar chart with the title "Count of Azure AD PIM activations by role".
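The same aggregation run over constructed rows, as an added example that is not part of the original query: it shows the shape of `TargetResources` that the `extend` relies on, and goes one step further by counting who activated each role. The `InitiatedBy.user.userPrincipalName` path, the sample users and the `SampleAuditLogs` name are assumptions of this example; the 30-day filter is left out because the sample timestamps are fixed.

```kql
// Constructed sample rows shaped like AuditLogs; every value below is made up.
let SampleAuditLogs = datatable(TimeGenerated:datetime, OperationName:string, InitiatedBy:dynamic, TargetResources:dynamic)
[
    datetime(2022-06-01 08:00:00), "Add member to role completed (PIM activation)",
        dynamic({"user":{"userPrincipalName":"alice@example.com"}}),
        dynamic([{"displayName":"Global Administrator"}]),
    datetime(2022-06-02 09:30:00), "Add member to role completed (PIM activation)",
        dynamic({"user":{"userPrincipalName":"alice@example.com"}}),
        dynamic([{"displayName":"Global Administrator"}]),
    datetime(2022-06-03 22:15:00), "Add member to role completed (PIM activation)",
        dynamic({"user":{"userPrincipalName":"bob@example.com"}}),
        dynamic([{"displayName":"Global Administrator"}]),
    datetime(2022-06-04 10:00:00), "Add member to role completed (PIM activation)",
        dynamic({"user":{"userPrincipalName":"carol@example.com"}}),
        dynamic([{"displayName":"Security Administrator"}]),
    // Constructed row with a different operation name; the where clause drops it.
    datetime(2022-06-04 10:05:00), "Add member to role requested (PIM activation)",
        dynamic({"user":{"userPrincipalName":"carol@example.com"}}),
        dynamic([{"displayName":"Security Administrator"}])
];
SampleAuditLogs
| where OperationName == "Add member to role completed (PIM activation)"
// The role name is the displayName of the first target resource, as in the query above.
| extend ['Azure AD Role Name'] = tostring(TargetResources[0].displayName)
// Assumption: the activating user is recorded under InitiatedBy.user.
| extend Activator = tostring(InitiatedBy.user.userPrincipalName)
| summarize Activations = count(),
            DistinctUsers = dcount(Activator),
            Users = make_set(Activator)
    by ['Azure AD Role Name']
| sort by Activations desc
```

Replacing `SampleAuditLogs` with `AuditLogs` and restoring the `TimeGenerated > ago(30d)` filter runs the same breakdown against the real table.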

Details


Matt Zorich

Released: June 17, 2022

Tables

AuditLogs

Keywords

Azure, AD, PIM, AuditLogs, TimeGenerated, OperationName, Add member to role completed (PIM activation), TargetResources, displayName, Count, render, barchart, title

Operators

where, ago, ==, extend, tostring, summarize, count, by, sort, render
