Query Details

Az Rbac Assignments Of Risky User

Query

// Risky users from Entra ID Protection, narrowed to the highest severity, still-open cases
AADRiskyUsers
| where RiskLevel == "high" and RiskState == "atRisk"
// Id is the user's object ID; cast to string so it can be matched against the ARG side
| extend principalId = tostring(Id)
// Cross-service query into Azure Resource Graph for Azure RBAC role assignments;
// hint.remote=left runs the join on the left (Log Analytics) side
| join hint.remote=left (arg("").authorizationresources
    | where type =~ 'microsoft.authorization/roleassignments'
    | extend roleDefinitionId = tostring(properties.roleDefinitionId)
    // User, Group or ServicePrincipal
    | extend principalType = tostring(properties.principalType)
    // object ID of the principal that holds the assignment
    | extend principalId = tostring(properties.principalId)
    // subscription, resource group or resource the role applies to
    | extend roleAssignmentScope = tostring(properties.scope)
    | project principalId, principalType, roleDefinitionId, roleAssignmentScope
) on principalId
| project UserDisplayName, RiskDetail, RiskLevel, RiskState, principalType, roleAssignmentScope, roleDefinitionId
| project UserDisplayName, RiskDetail, RiskLevel, RiskState, roleAssignmentScope, roleDefinitionId

Explanation

This query looks for high-risk users in Azure Active Directory (Azure AD, now Microsoft Entra ID) that hold Azure RBAC role assignments. It filters the AADRiskyUsers table (Identity Protection risky-user records exported to Log Analytics) to rows with a RiskLevel of "high" and a RiskState of "atRisk", that is, users whose risk is open and has not been remediated or dismissed. It then adds a principalId column, the user's object ID (Id) converted to a string, so it can be matched against role-assignment data.

The query then joins against the authorizationresources table in Azure Resource Graph, reached from Log Analytics through the cross-service arg("") function; hint.remote=left runs the join on the Log Analytics side. The ARG table is filtered to type microsoft.authorization/roleassignments and extended with roleDefinitionId, principalType, principalId (the object ID of the assigned user, group or service principal) and roleAssignmentScope (the subscription, resource group or resource the assignment applies to).

The join is performed on the principalId column. Because no join kind is given, KQL uses its default inner join (innerunique): only risky users that hold at least one Azure RBAC assignment appear, with one row per assignment, and only one left-hand row is matched per principalId. The result is projected to UserDisplayName, RiskDetail, RiskLevel, RiskState, roleAssignmentScope and roleDefinitionId. Two caveats for practitioners: roleDefinitionId is the resource ID of the role definition rather than its name, so mapping it to a role such as Owner or Contributor needs a further lookup against microsoft.authorization/roledefinitions; and AADRiskyUsers is a log of risk-state updates, so a user with several records may be matched on an older record rather than on their latest state unless the table is reduced to the latest row per Id first. Cross-service queries into Azure Resource Graph also have a result-size limit, so in a large tenant narrow the ARG side (for example to principalType "User") before the join.
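The following extended query is an added example, not the published query above. It addresses the caveats just described: it keeps only the latest risk record per user, filters the ARG side to user assignments before the join, and resolves roleDefinitionId to a role name with a second cross-service join against microsoft.authorization/roledefinitions. The 30-day lookback, the assumption that the trailing path segment of a role definition ID is its GUID and is stable for built-in roles across subscriptions, and the list of roles treated as privileged are the editor's choices, not something the original query states.

```kql
// Added example (editor's, not the original query). Assumptions: a 30-day lookback window,
// the trailing segment of a roleDefinitionId / roledefinitions id being the role GUID,
// and Owner / User Access Administrator / Contributor as the "privileged" set.
let riskyUsers =
    AADRiskyUsers
    | where TimeGenerated > ago(30d)                          // assumed lookback window
    | summarize arg_max(TimeGenerated, *) by Id                // latest record per user only
    | where RiskLevel == "high" and RiskState == "atRisk"      // still open after the latest update
    | project principalId = tostring(Id), UserDisplayName, UserPrincipalName,
              RiskDetail, RiskLevel, RiskState, RiskLastUpdatedDateTime;
riskyUsers
| join kind=inner hint.remote=left (
    arg("").authorizationresources
    | where type =~ 'microsoft.authorization/roleassignments'
    | extend principalType = tostring(properties.principalType)
    | where principalType == "User"                            // risky users are users; drop group/SP rows before the join
    | extend principalId = tostring(properties.principalId),
             roleAssignmentScope = tostring(properties.scope),
             roleDefinitionId = tostring(properties.roleDefinitionId)
    // the last path segment of roleDefinitionId is the role definition GUID
    | extend roleDefinitionGuid = extract(@"[^/]+$", 0, roleDefinitionId)
    | project principalId, roleAssignmentScope, roleDefinitionId, roleDefinitionGuid
) on principalId
// resolve the GUID to a role name; built-in definitions repeat per subscription, so take distinct rows.
// leftouter keeps assignments whose definition is not returned (e.g. a custom role in an unscanned scope)
| join kind=leftouter hint.remote=left (
    arg("").authorizationresources
    | where type =~ 'microsoft.authorization/roledefinitions'
    | extend roleDefinitionGuid = extract(@"[^/]+$", 0, id),
             roleName = tostring(properties.roleName),
             roleType = tostring(properties.type)             // BuiltInRole or CustomRole
    | distinct roleDefinitionGuid, roleName, roleType
) on roleDefinitionGuid
// classify how wide the assignment scope is (contains/startswith are case-insensitive in KQL)
| extend scopeLevel = case(
    roleAssignmentScope == "/", "Tenant root",
    roleAssignmentScope startswith "/providers/Microsoft.Management/managementGroups/", "Management group",
    roleAssignmentScope contains "/resourceGroups/" and roleAssignmentScope contains "/providers/", "Resource",
    roleAssignmentScope contains "/resourceGroups/", "Resource group",
    roleAssignmentScope startswith "/subscriptions/", "Subscription",
    "Other")
// highlight the assignments an attacker holding the user's session could abuse most directly
| extend isPrivileged = roleName in ("Owner", "User Access Administrator", "Contributor")
| project RiskLastUpdatedDateTime, UserDisplayName, UserPrincipalName, RiskDetail, RiskLevel,
          roleName, roleType, isPrivileged, scopeLevel, roleAssignmentScope, roleDefinitionId
| order by isPrivileged desc, RiskLastUpdatedDateTime desc
```

The ordering puts risky users with Owner, User Access Administrator or Contributor at the top, where a compromised session would most quickly turn into a subscription-level foothold; rows with an empty roleName after the leftouter join point at role definitions the second ARG query did not return and are worth checking by hand.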

Details


Thomas Naunheim

Released: September 5, 2023

Tables

AADRiskyUsers, arg("").authorizationresources

Keywords

AADRiskyUsers, RiskLevel, RiskState, principalId, Id, authorizationresources, type, microsoft.authorization/roleassignments, roleDefinitionId, principalType, roleAssignmentScope, UserDisplayName, RiskDetail

Operators

where, ==, and, extend, tostring(), join, hint.remote=left, arg(""), =~, project
