Query Details

KQL Detection: Global Administrator Elevation to User Access Administrator

Azure RBAC Elevation Via User Access Admin Toggle

Query

AuditLogs
| where Category == "AzureRBACRoleManagementElevateAccess"
| where ActivityDisplayName == "User has elevated their access to User Access Administrator for their Azure Resources"
| extend Actor = tostring(InitiatedBy.user.displayName)
| extend ActorUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend ActorId = tostring(InitiatedBy.user.id)
| extend Operation = tostring(OperationName)
| extend IPAddress = tostring(InitiatedBy.user.ipAddress)
| extend AppId = tostring(InitiatedBy.app.appId)
| project TimeGenerated, ActivityDisplayName, Category, Operation, Actor, ActorUPN, ActorId, IPAddress, AppId, Result, ResultReason, CorrelationId
| order by TimeGenerated desc

About this query

Explanation

This document explains a KQL query designed to detect when a Global Administrator in Microsoft Entra ID elevates their access to become a User Access Administrator across all Azure resources. This action is significant because it grants the administrator broad access to manage all Azure subscriptions and management groups, potentially bypassing security principles like least privilege.

Key Points:

  1. Purpose: The query identifies when a Global Administrator uses a specific feature to gain extensive access, which should be monitored closely due to its high impact if misused.

  2. Prerequisites:

    • Entra ID Audit Logs must be sent to a Log Analytics workspace.
    • The workspace should have the AuditLogs table.
    • Appropriate permissions are required to run the query.
  3. Query Functionality:

    • Filters logs to find specific elevation actions.
    • Extracts details about the user and context of the action.
    • Displays relevant information like user details, operation name, and IP address.
    • Sorts results by the most recent events.
  4. Running the Query:

    • Can be executed in Azure Monitor Log Analytics or Microsoft Sentinel.
    • Useful for both ad-hoc investigations and as part of a scheduled monitoring rule.
  5. Interpreting Results:

    • Each result represents an elevation event.
    • Important columns include the time of the event, user details, and operation success.
    • Follow-up actions include verifying the legitimacy of the elevation and checking for any suspicious activity.
  6. Analytics Rule:

    • The query can be used to create a scheduled rule in Microsoft Sentinel to continuously monitor for such elevation actions and generate alerts.
  7. Limitations:

    • The query relies on the presence of specific audit logs.
    • May require updates if service changes alter log formats or values.

This query is a critical tool for security teams to ensure that any elevation of access by Global Administrators is legitimate and does not pose a security risk.

Details

Nathan Hutchinson profile picture

Nathan Hutchinson

Released: February 2, 2026

Tables

AuditLogs

Keywords

AuditLogsAzureRBACRoleManagementElevateAccessUserAccessAdministratorAzureResourcesGlobalEntraIDLogAnalyticsMicrosoftSentinelActorActorUPNActorIdOperationIPAddressAppIdResultResultReasonCorrelationId

Operators

AuditLogswhereCategory==ActivityDisplayNameextendtostringInitiatedBy.user.displayNameInitiatedBy.user.userPrincipalNameInitiatedBy.user.idOperationNameInitiatedBy.user.ipAddressInitiatedBy.app.appIdprojectTimeGeneratedorder bydesc

Actions

GitHub