Microsoft Security Exposure Management - Managed Identity
EEG Managed Identity
Query
ExposureGraphNodes
| where NodeLabel == @"managedidentity"
| extend Type = tostring(type = parse_json(NodeProperties).rawData.managedIdentityMetadata.type)
| extend name = tostring(parse_json(NodeProperties).rawData.identityMetadata.data.name)
| extend accountType = tostring(parse_json(NodeProperties).rawData.managedIdentityMetadata.data.accountType)
| extend AadObjectId = NodeName
| extend attachedResourceId = parse_json(NodeProperties).rawData.managedIdentityMetadata.data.attachedResourceId
| project Type, name, accountType, attachedResourceId, AadObjectIdAbout this query
Microsoft Security Exposure Management - Managed Identity
Query Information
Description
Use the below queries to retrieve Entra ID managed Identity from the enterprise exposure graph.
References
Microsoft Defender XDR
Retrieve Entra ID - Managed Identity data
Explanation
This query retrieves Entra ID managed Identity data from the enterprise exposure graph in Microsoft Security Exposure Management. It filters the ExposureGraphNodes for NodeLabel "managedidentity" and extracts information like Type, name, accountType, attachedResourceId, and AadObjectId.
Details

Alex Verboon
Released: March 14, 2024
Tables
ExposureGraphNodes
Keywords
ExposureGraphNodesNodeLabelTypenameaccountTypeAadObjectIdattachedResourceId
Operators
ExposureGraphNodeswhereextendtostringparse_jsonproject