KQL Search

Query Details

HomeAI ToolsDevice Query

Azure AD PIM Group Members

Query

# Entra ID - PIM Group Members

## Query Information

### Description

Use the below query to list all the Entra ID Group Members. 

#### References


### Microsoft Sentinel

List all the members of a Group, in this case the Group Name pattern relates to the groups that are used in combination with Entra ID PIM

>> consider adjusting the GroupName pattern. 

```kql
IdentityInfo
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| mv-expand GroupMembership
| extend GroupName = tostring(GroupMembership)
| where GroupName startswith "AAD-SG-Role-"
| summarize GroupMembers = make_set(AccountUPN), TotalUsers = dcount(AccountUPN) by GroupName
| project GroupName, TotalUsers, GroupMembers
```

Explanation

This KQL (Kusto Query Language) query is designed to list all members of specific Entra ID groups, particularly those used with Entra ID Privileged Identity Management (PIM). Here's a simple breakdown of what the query does:

  1. Data Source: It starts by accessing the IdentityInfo table, which contains information about identities and their group memberships.

  2. Time Filter: It filters the data to include only records generated in the last 14 days.

  3. Latest Record Selection: For each unique account (identified by AccountObjectId), it selects the most recent record based on the TimeGenerated timestamp.

  4. Expand Group Memberships: It expands the group membership details for each account, allowing further analysis on individual group memberships.

  5. Filter by Group Name: It filters the groups to include only those whose names start with "AAD-SG-Role-", which is a naming pattern for groups associated with Entra ID PIM.

  6. Summarize Members: For each group, it creates a list of unique user principal names (AccountUPN) of the members and counts the total number of unique users.

  7. Output: Finally, it projects (selects) the group name, total number of users, and the list of group members for each group.

In summary, this query identifies and lists members of specific Entra ID groups used with PIM, showing how many users are in each group and who they are, based on recent data.

Details

Alex Verboon profile picture

Alex Verboon

Released: January 22, 2025

Tables

IdentityInfo

Keywords

EntraIDGroupMembers

Operators

wheresummarizearg_maxmv-expandextendstartswithmake_setdcountprojecttostringago

Actions