Azure Service Principal Addedto Azure
Query
//Detect when an Azure AD service principal is given access to an Azure RBAC scope, i.e contributor to a subscription or resource group
//Data connector required for this query - Azure Activity
AzureActivity
| where OperationNameValue == "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"
| extend ServicePrincipalObjectId = tostring(parse_json(tostring(parse_json(tostring(Properties_d.requestbody)).Properties)).PrincipalId)
| extend ServicePrincipalType = tostring(parse_json(tostring(parse_json(tostring(Properties_d.requestbody)).Properties)).PrincipalType)
| extend Scope = tostring(parse_json(tostring(parse_json(tostring(Properties_d.requestbody)).Properties)).Scope)
| extend RoleAdded = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).Properties)).RoleDefinitionId)
| extend Actor = tostring(Properties_d.caller)
| where ServicePrincipalType == "ServicePrincipal"
| project TimeGenerated, RoleAdded, Scope, ServicePrincipalObjectId, ActorExplanation
This query detects when an Azure AD service principal is given access to an Azure RBAC scope, such as being assigned the contributor role for a subscription or resource group. It uses the Azure Activity data connector and filters for the "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE" operation. It extracts information about the service principal, scope, role added, and actor from the request body and projects the time generated, role added, scope, service principal object ID, and actor.
Details

Matt Zorich
Released: June 17, 2022
Tables
AzureActivity
Keywords
AzureActivityOperationNameValueMICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITEProperties_d.requestbodyPropertiesPrincipalIdPrincipalTypeScopeRoleDefinitionIdActor
Operators
whereextendtostringparse_jsonProperties_dPropertiesproject