Query Details

Audit Summarize Weekly PIM

Query

//Create a summary of PIM activations for all your users per week

//Data connector required for this query - Azure Active Directory - Audit Logs

AuditLogs
| where TimeGenerated > ago (30d)
| where OperationName == "Add member to role completed (PIM activation)"
| extend User = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend Role = tostring(TargetResources[0].displayName)
| where isnotempty(User)
| summarize
    ['Roles Activated']=make_list(Role),
    ['Times Activated']=make_list(TimeGenerated)
    by User, ['Week Starting']=startofweek(TimeGenerated)
| sort by User asc, ['Week Starting'] desc 

Explanation

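This query reads the Azure Active Directory audit logs (the AuditLogs table) for the last 30 days and summarizes PIM activations for every user, per week. It keeps only events whose OperationName is "Add member to role completed (PIM activation)", extracts the initiating user's userPrincipalName and the display name of the first target resource as the role, and drops events that have no initiating user. The remaining activations are grouped by user and by the start of the week, giving for each group the list of roles activated and the list of activation times, sorted by user ascending and week start descending.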
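The same pipeline run over a small inline table, as an added example that is not part of the original query: the rows, UPNs and app name are constructed, the 30-day filter is left out because the sample timestamps are fixed, and the `Activations` count column is an addition.

```kql
// Constructed rows standing in for AuditLogs; UPNs, app name and timestamps are made up.
let SampleAuditLogs = datatable(TimeGenerated:datetime, OperationName:string, InitiatedBy:dynamic, TargetResources:dynamic)
[
    datetime(2022-06-06 09:15:00), "Add member to role completed (PIM activation)",
        dynamic({"user":{"userPrincipalName":"alice@contoso.example"}}),
        dynamic([{"displayName":"Global Administrator"}]),
    datetime(2022-06-08 14:02:00), "Add member to role completed (PIM activation)",
        dynamic({"user":{"userPrincipalName":"alice@contoso.example"}}),
        dynamic([{"displayName":"Security Administrator"}]),
    datetime(2022-06-14 08:47:00), "Add member to role completed (PIM activation)",
        dynamic({"user":{"userPrincipalName":"alice@contoso.example"}}),
        dynamic([{"displayName":"Global Administrator"}]),
    datetime(2022-06-07 11:30:00), "Add member to role completed (PIM activation)",
        dynamic({"user":{"userPrincipalName":"bob@contoso.example"}}),
        dynamic([{"displayName":"User Administrator"}]),
    // Initiated by an app: there is no InitiatedBy.user, so User comes out empty.
    datetime(2022-06-07 12:00:00), "Add member to role completed (PIM activation)",
        dynamic({"app":{"displayName":"Sample Automation App"}}),
        dynamic([{"displayName":"Global Reader"}]),
    // Different operation name: excluded by the OperationName filter.
    datetime(2022-06-09 10:00:00), "Add member to role requested (PIM activation)",
        dynamic({"user":{"userPrincipalName":"bob@contoso.example"}}),
        dynamic([{"displayName":"User Administrator"}])
];
SampleAuditLogs
// The 30-day TimeGenerated filter is omitted because the sample timestamps are fixed.
| where OperationName == "Add member to role completed (PIM activation)"
| extend User = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend Role = tostring(TargetResources[0].displayName)
// Drops the app-initiated row, whose User is an empty string.
| where isnotempty(User)
| summarize
    ['Activations']=count(),
    ['Roles Activated']=make_list(Role),
    ['Times Activated']=make_list(TimeGenerated)
    by User, ['Week Starting']=startofweek(TimeGenerated)
| sort by User asc, ['Week Starting'] desc
```

`startofweek()` treats Sunday as the first day of the week, so an activation on a Sunday opens a new bucket rather than closing the previous one.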

Details


Matt Zorich

Released: June 17, 2022

Tables

AuditLogs

Keywords

Devices,Intune,User

Operators

where, ago, ==, extend, tostring, parse_json, isnotempty, summarize, make_list, by, sort
