Query Details

Azure Service Principal Added to Azure

Query

//Detect when an Azure AD service principal is given access to an Azure RBAC scope, e.g. Contributor on a subscription or resource group

//Data connector required for this query - Azure Activity

AzureActivity
| where OperationNameValue == "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"
//requestbody is a JSON-encoded string inside the JSON properties, so it has to be parsed a second time before its fields can be read
| extend RequestProperties = parse_json(tostring(Properties_d.requestbody)).Properties
| extend ServicePrincipalObjectId = tostring(RequestProperties.PrincipalId)
| extend ServicePrincipalType = tostring(RequestProperties.PrincipalType)
| extend Scope = tostring(RequestProperties.Scope)
//RoleDefinitionId is a resource path ending in the role definition GUID, not a role display name
| extend RoleAdded = tostring(RequestProperties.RoleDefinitionId)
| extend Actor = tostring(Properties_d.caller)
| where ServicePrincipalType == "ServicePrincipal"
| project TimeGenerated, RoleAdded, Scope, ServicePrincipalObjectId, Actor

Explanation

This query detects when an Azure AD service principal is granted a role at an Azure RBAC scope, for example Contributor on a subscription or resource group. It uses the Azure Activity data connector, filters for the MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE operation, and pulls the principal, principal type, scope and role definition out of the request body recorded in Properties_d. The request body is stored as a JSON-encoded string inside the JSON properties, which is why it is parsed twice before its fields can be read. Only rows whose PrincipalType is ServicePrincipal are kept, so assignments to users and groups are dropped; managed identities are service principals too and will also match. The output is TimeGenerated, RoleAdded, Scope, ServicePrincipalObjectId and Actor (the caller that made the assignment).

Two things to keep in mind when triaging results. RoleAdded is the RoleDefinitionId resource path, which ends in the role definition GUID rather than a display name (Contributor, for example, is b24988ac-6180-42a0-ab88-20f7382dd24c), so resolve it against the built-in and custom role definitions in the tenant before deciding how serious the grant is. Azure also writes a Start and a Success event for the same operation, each carrying the request body, so one assignment can show up as two rows; filter on ActivityStatusValue (check a sample row for the exact values in your workspace) if you want one row per assignment.
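The same extraction as an added Python example, not part of the page or the query author's work, run over constructed AzureActivity-shaped rows so the double-encoded request body can be seen end to end. The column names follow the AzureActivity schema; the row contents, CorrelationId values, principal IDs and the custom role GUID are made up, and the built-in role GUID table, the HighPrivilege flag and the CorrelationId-based collapsing of Start/Success pairs are additions layered on top of the query's own logic:

```python
import json

# Added example: a Python mirror of the KQL detection above, run over constructed
# AzureActivity-shaped rows. Not part of the original query page.

ROLE_ASSIGNMENT_WRITE = "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"

# Well-known built-in role definition GUIDs. RoleDefinitionId in the request body is a
# full resource path that ends in one of these (or in a custom role's GUID).
BUILTIN_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
}
HIGH_PRIVILEGE_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def parse_role_assignment(row):
    """Mirror the KQL extraction for one row, or return None when the row is not a
    role assignment written to a service principal.

    Properties is a JSON string whose 'requestbody' member is itself a JSON string,
    which is why the KQL calls parse_json(tostring(...)) twice."""
    if row.get("OperationNameValue") != ROLE_ASSIGNMENT_WRITE:
        return None
    props = json.loads(row["Properties"])              # first parse_json
    body = props.get("requestbody")
    if not body:                                       # no body to inspect
        return None
    inner = json.loads(body).get("Properties", {})     # second parse_json
    if inner.get("PrincipalType") != "ServicePrincipal":
        return None
    role_id = inner.get("RoleDefinitionId", "")
    role_name = BUILTIN_ROLES.get(role_id.rsplit("/", 1)[-1].lower(), "custom/unknown")
    return {
        "TimeGenerated": row["TimeGenerated"],
        "RoleAdded": role_id,
        "RoleName": role_name,
        "HighPrivilege": role_name in HIGH_PRIVILEGE_ROLES,
        "Scope": inner.get("Scope"),
        "ServicePrincipalObjectId": inner.get("PrincipalId"),
        "Actor": props.get("caller"),
    }


def detect(rows):
    """Run the detection over a batch of rows. Azure emits a Start and a Success event
    for one operation, both carrying the request body and sharing a CorrelationId, so
    findings are collapsed onto the first row seen per CorrelationId."""
    findings = {}
    for row in rows:
        hit = parse_role_assignment(row)
        if hit is not None:
            findings.setdefault(row["CorrelationId"], hit)
    return list(findings.values())


# Constructed sample data (not real tenant data) with the same nesting as AzureActivity.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-prod"


def _row(ts, status, corr, caller, principal_id, principal_type, role_guid, scope):
    """Build one constructed AzureActivity row: Properties is JSON text and its
    requestbody member is JSON text again."""
    request_body = {
        "Id": "11111111-1111-1111-1111-111111111111",
        "Properties": {
            "PrincipalId": principal_id,
            "PrincipalType": principal_type,
            "RoleDefinitionId": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/{role_guid}",
            "Scope": scope,
        },
    }
    return {
        "TimeGenerated": ts,
        "OperationNameValue": ROLE_ASSIGNMENT_WRITE,
        "ActivityStatusValue": status,
        "CorrelationId": corr,
        "Properties": json.dumps({"caller": caller, "requestbody": json.dumps(request_body)}),
    }


SAMPLE_ROWS = [
    # Start and Success for one grant: Contributor on the subscription to a service principal
    _row("2022-06-17T09:00:00Z", "Start", "c-1", "admin@contoso.example",
         "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "ServicePrincipal",
         "b24988ac-6180-42a0-ab88-20f7382dd24c", SUB),
    _row("2022-06-17T09:00:02Z", "Success", "c-1", "admin@contoso.example",
         "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "ServicePrincipal",
         "b24988ac-6180-42a0-ab88-20f7382dd24c", SUB),
    # Reader on a resource group to a user: filtered out by PrincipalType
    _row("2022-06-17T09:05:00Z", "Success", "c-2", "admin@contoso.example",
         "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb", "User",
         "acdd72a7-3385-48ef-bd42-f606fba81ae7", RG),
    # A custom role granted to a service principal by another automation identity
    _row("2022-06-17T09:10:00Z", "Success", "c-3", "cccccccc-cccc-cccc-cccc-cccccccccccc",
         "dddddddd-dddd-dddd-dddd-dddddddddddd", "ServicePrincipal",
         "12345678-1234-1234-1234-123456789abc", RG),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_ROWS):
        print(finding)
```

Running the block prints two findings: the Contributor grant (flagged high privilege, reported once despite the Start/Success pair) and the custom-role grant, whose GUID is not in the table and therefore needs to be looked up in the tenant before it can be judged.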

Details


Matt Zorich

Released: June 17, 2022

Tables

AzureActivity

Keywords

AzureActivity,OperationNameValue,MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE,Properties_d.requestbody,Properties,PrincipalId,PrincipalType,Scope,RoleDefinitionId,Actor

Operators

where,extend,tostring,parse_json,Properties_d,Properties,project
