Query Details

Entra Admin Roles Query

Query

// Exposure Management - Entra Admin Roles Query
// https://www.linkedin.com/posts/activity-7189252312106700800-boXn/


// This KQL is even better than the Entra PIM Dashboard! 😎 Just run this KQL in DefenderXDR Advanced Hunting and it will instantly tell you how many admin roles have been assigned. If you comment out the last line of the KQL code, it will give you a comprehensive view of each admin and the number of roles assigned to him/her. With this role assignment information available, you can also build composite threat hunting KQL that takes admin roles into account 🤯

ExposureGraphNodes
| where set_has_element(Categories, "identity")
| extend AccountUPN = NodeProperties.rawData.accountUpn
| extend AdminRoles = NodeProperties.rawData.assignedRoles
| extend NumberofRoles = array_length(AdminRoles)
| where NumberofRoles > 0
| summarize TotalRolesAssigned = sum(NumberofRoles)

Explanation

This KQL query is designed to be run in DefenderXDR Advanced Hunting to quickly determine how many administrative roles have been assigned within your organization. Here's a simple breakdown of what it does:

  1. Filter for Identity Nodes: It looks at nodes categorized as "identity".
  2. Extract Information: It extracts the user principal name (UPN) and the list of assigned admin roles for each identity.
  3. Count Roles: It calculates the number of admin roles assigned to each identity.
  4. Filter Non-Zero Roles: It filters out identities that have no admin roles assigned.
  5. Summarize Total Roles: It sums up the total number of admin roles assigned across all identities.

If you comment out the last line (| summarize TotalRolesAssigned = sum(NumberofRoles)), the query will provide a detailed view of each admin and the number of roles assigned to them, rather than just the total count. This information can be useful for further threat hunting and analysis involving admin roles.
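As an added example (not part of the original post or Steven Lim's query), the same identity nodes can be expanded one row per role so that the question is inverted: instead of "how many roles does each admin hold", it answers "how many admins hold each role", which is the view you want when reviewing whether a highly privileged role has more holders than policy allows. It assumes that NodeProperties.rawData.assignedRoles is an array of role names stored as strings; if the entries turn out to be objects, replace the typeof(string) cast with a projection of the relevant field.

```kql
// Added example: per-role holder counts built on the same ExposureGraphNodes properties.
// Assumption: rawData.assignedRoles is an array of role-name strings.
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| extend AccountUPN = tostring(NodeProperties.rawData.accountUpn)
| extend AdminRoles = NodeProperties.rawData.assignedRoles
| where array_length(AdminRoles) > 0
// One output row per (identity, role) pair
| mv-expand Role = AdminRoles to typeof(string)
// Count distinct holders per role and keep up to 50 UPNs for review
| summarize HolderCount = dcount(AccountUPN), Holders = make_set(AccountUPN, 50) by Role
| sort by HolderCount desc
```

Roles with a HolderCount of 1 are worth a second look as single points of failure, and roles at the top of the list are the candidates for moving to eligible (PIM-activated) rather than permanent assignment.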

Details


Steven Lim

Released: August 2, 2024

Tables

ExposureGraphNodes

Keywords

Exposure Management, Entra Admin Roles, Defender XDR Advanced Hunting, Identity, Account, Admin Roles

Operators

set_has_element, extend, array_length, where, summarize, sum
