Detect PIM Elevation With User Risk
Query
AuditLogs
| where TimeGenerated > ago(1h)
| where OperationName contains "PIM activation" and OperationName contains "completed"
| extend UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| join kind=inner (AADUserRiskEvents | where TimeGenerated > ago(1d)) on UserPrincipalNameAbout this query
Detect PIM elevation with user risk
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1548 | Abuse Elevation Control Mechanism | https://attack.mitre.org/techniques/T1548/ |
Description
When an account with eligible roles in Entra ID is compromised, the attacker will probably escalate their privileges via Microsoft PIM. With this rule you can detect when a risky user is elevating their privileges with PIM.
Risk
Detect a compromised account with eligible roles.
Author <Optional>
- Name: Robbe Van den Daele
- Github: https://github.com/RobbeVandenDaele
- Twitter: https://x.com/RobbeVdDaele
- LinkedIn: https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- Website: https://hybridbrothers.com/
References
Microsoft Sentinel
Defender XDR
CloudAppEvents
| where TimeGenerated > ago(1h)
| where ActionType == "Add member to role."
| extend UserPrincipalName = tostring(RawEventData.ObjectId)
| join kind=inner (AADUserRiskEvents | where TimeGenerated > ago(1d)) on UserPrincipalName
Explanation
This query is designed to detect potentially compromised user accounts that are elevating their privileges using Microsoft Privileged Identity Management (PIM). Here's a simple breakdown of what each part of the query does:
-
Data Source: The query is run on two different data sources:
AuditLogsfor Microsoft Sentinel andCloudAppEventsfor Defender XDR. -
Time Frame: It looks at events that occurred in the last hour (
TimeGenerated > ago(1h)) for privilege elevation activities and in the last day (TimeGenerated > ago(1d)) for user risk events. -
Privilege Elevation Detection:
- In Microsoft Sentinel, it checks for operations where PIM activation was completed.
- In Defender XDR, it looks for actions where a member was added to a role.
-
User Risk Detection: It joins the results with
AADUserRiskEventsto find users who have been flagged as risky within the last day. -
Output: The query identifies users who have both elevated their privileges and have been marked as risky, indicating a potential security threat.
Overall, this query helps security teams identify and respond to potential security incidents where a risky user account is being used to gain higher access privileges, which could indicate an account compromise.
Details

Robbe Van den Daele
Released: January 12, 2026
Tables
Keywords
Operators
MITRE Techniques