Query Details

Audit User Added to Role Outside PIM

Query

//Alert when a user is added directly to an Azure AD role, bypassing PIM

//Data connector required for this query - Azure Active Directory - Audit Logs

AuditLogs
| where OperationName has "Add member to role outside of PIM"
| extend RoleName = tostring(TargetResources[0].displayName)
| extend UserAdded = tostring(TargetResources[2].displayName)
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| project TimeGenerated, OperationName, RoleName, UserAdded, Actor

Explanation

This query is looking for instances where a user is added directly to an Azure AD role without going through Privileged Identity Management (PIM). It uses the Azure Active Directory - Audit Logs data connector. The query retrieves the time the event occurred, the operation name, the name of the role the user was added to, the name of the user added, and the name of the person who initiated the action.
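To show what the query's field extraction relies on, here is an added Python emulation of the same filter and projection run over constructed AuditLogs rows (this is not part of the original page or the author's query). It assumes the TargetResources layout the KQL indexes into, with the role at [0] and the added user at [2], and it shows that an app-initiated event or a shorter TargetResources array still produces an alert row, just with empty Actor or UserAdded columns.

```python
import json

# Constructed AuditLogs rows (not real tenant data). TargetResources follows the
# layout the KQL indexes into: [0] is the role, [2] is the user being added.
SAMPLE_AUDIT_LOGS = [
    {"TimeGenerated": "2022-06-17T09:12:44Z",
     "OperationName": "Add member to role outside of PIM (permanent)",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
     "TargetResources": [{"displayName": "Global Administrator", "type": "Role"},
                         {"displayName": "", "type": "Other"},
                         {"displayName": "Jane Doe", "type": "User"}]},
    {"TimeGenerated": "2022-06-17T09:15:02Z",
     "OperationName": "Add member to role in PIM completed (permanent)",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
     "TargetResources": [{"displayName": "Security Reader", "type": "Role"},
                         {"displayName": "", "type": "Other"},
                         {"displayName": "John Roe", "type": "User"}]},
    {"TimeGenerated": "2022-06-17T09:20:10Z",
     "OperationName": "Add member to role outside of PIM (permanent)",
     "InitiatedBy": {"app": {"displayName": "Automation App"}},
     "TargetResources": [{"displayName": "Exchange Administrator", "type": "Role"}]},
]

def _target_display_name(targets, idx):
    """tostring(TargetResources[idx].displayName): an out-of-range index yields ""."""
    if not isinstance(targets, list) or idx >= len(targets):
        return ""
    return targets[idx].get("displayName") or ""

def _actor_upn(initiated_by):
    """tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)."""
    user = (initiated_by or {}).get("user")
    if isinstance(user, str) and user:  # the object may be stored as JSON text
        user = json.loads(user)
    return (user.get("userPrincipalName") or "") if isinstance(user, dict) else ""

def audit_role_added_outside_pim(rows):
    """Apply the page's KQL filter and projection to a list of AuditLogs rows."""
    alerts = []
    for row in rows:
        # `has` is a case-insensitive term match; a substring test selects the same rows here
        if "add member to role outside of pim" not in row.get("OperationName", "").lower():
            continue
        targets = row.get("TargetResources")
        alerts.append({"TimeGenerated": row.get("TimeGenerated"),
                       "OperationName": row.get("OperationName"),
                       "RoleName": _target_display_name(targets, 0),
                       "UserAdded": _target_display_name(targets, 2),  # "" if array is short
                       "Actor": _actor_upn(row.get("InitiatedBy"))})  # "" when app-initiated
    return alerts
```

Running it over the three constructed rows yields two alert rows: the PIM-governed assignment is filtered out, and the app-initiated one appears with empty UserAdded and Actor fields, which is worth remembering when tuning on those columns.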

Details


Matt Zorich

Released: June 17, 2022

Tables

AuditLogs

Keywords

AuditLogs, OperationName, Add member to role outside of PIM, RoleName, UserAdded, Actor, TimeGenerated

Operators

where, has, extend, tostring, parse_json, project
