Query Details

Entra ID Administrative Role AD Sync

Query

// Entra ID Administrative Role (AD-Sync)

IdentityInfo
| where Timestamp > ago(30d)
| where AssignedRoles != ""
| mv-expand AssignedRoles
| extend EntraAdminRole = tostring(AssignedRoles)
| where OnPremSid != ""
| distinct EntraAdminRole, AccountUpn
| where AccountUpn != ""
| sort by EntraAdminRole asc

Explanation

This KQL query retrieves and processes information about administrative roles assigned to identities that were synchronized from on-premises Active Directory (records carrying an OnPremSid), based on IdentityInfo records from the last 30 days. Here's a simple summary:

  1. Filter Data: It starts by filtering records from the IdentityInfo table to include only those from the past 30 days.
  2. Check Assigned Roles: It then ensures that only records with assigned roles are considered.
  3. Expand Roles: For entries with multiple roles, it separates them into individual records.
  4. Convert to String: Each role is converted to a string and labeled as EntraAdminRole.
  5. Filter On-Premises IDs: It keeps only records with an on-premises SID, i.e. hybrid accounts synchronized from on-premises AD, and drops cloud-only accounts.
  6. Select Unique Pairs: It selects unique combinations of EntraAdminRole and AccountUpn.
  7. Filter Account UPNs: It ensures that only records with a non-empty AccountUpn are included.
  8. Sort Results: Finally, it sorts the results by the EntraAdminRole in ascending order.

In essence, this query lists each unique pairing of an Entra ID administrative role with a hybrid (AD-synced) user account observed in the last 30 days, ensuring the role and UPN fields are present and sorting the results by role. These accounts are worth reviewing because a compromise of the on-premises account can carry over to its Entra ID administrative privileges.
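The following Python script is an added example, not part of the original query page or the author's work. It emulates the query's pipeline offline over a handful of constructed IdentityInfo-style rows, so you can see how the 30-day window, the OnPremSid filter, mv-expand, distinct and the final sort interact on realistic input (a hybrid admin with two roles, a cloud-only admin, a hybrid user with no roles, a stale record, and a row with an empty UPN). The field names come from the page's query; the sample rows, the fixed "now" timestamp and the helper names are assumptions made here.

```python
"""Offline emulation of the 'Entra ID Administrative Role (AD-Sync)' KQL query.

Constructed sample data only: no tenant is queried. Field names match the
IdentityInfo columns used by the page's query; everything else is assumed.
"""
from datetime import datetime, timedelta, timezone

# Assumed query time, standing in for now() in ago(30d).
NOW = datetime(2024, 8, 21, tzinfo=timezone.utc)

# Constructed IdentityInfo rows (AssignedRoles is a dynamic array in KQL).
SAMPLE_IDENTITY_INFO = [
    # Hybrid admin holding two roles -> two rows after mv-expand
    {"Timestamp": NOW - timedelta(days=2), "AccountUpn": "alice@contoso.example",
     "OnPremSid": "S-1-5-21-111-222-333-1104",
     "AssignedRoles": ["Global Administrator", "Exchange Administrator"]},
    # Same account seen again with an overlapping role -> collapsed by distinct
    {"Timestamp": NOW - timedelta(days=10), "AccountUpn": "alice@contoso.example",
     "OnPremSid": "S-1-5-21-111-222-333-1104",
     "AssignedRoles": ["Global Administrator"]},
    # Cloud-only admin: no OnPremSid -> excluded
    {"Timestamp": NOW - timedelta(days=1), "AccountUpn": "cloudadmin@contoso.example",
     "OnPremSid": "", "AssignedRoles": ["Security Administrator"]},
    # Hybrid user with no roles -> nothing to expand
    {"Timestamp": NOW - timedelta(days=3), "AccountUpn": "bob@contoso.example",
     "OnPremSid": "S-1-5-21-111-222-333-1105", "AssignedRoles": []},
    # Record older than 30 days -> outside the window
    {"Timestamp": NOW - timedelta(days=45), "AccountUpn": "old@contoso.example",
     "OnPremSid": "S-1-5-21-111-222-333-1106", "AssignedRoles": ["User Administrator"]},
    # Synced row with an empty UPN -> dropped by the AccountUpn filter
    {"Timestamp": NOW - timedelta(days=4), "AccountUpn": "",
     "OnPremSid": "S-1-5-21-111-222-333-1107", "AssignedRoles": ["Helpdesk Administrator"]},
    # Hybrid admin with a single role
    {"Timestamp": NOW - timedelta(days=5), "AccountUpn": "carol@contoso.example",
     "OnPremSid": "S-1-5-21-111-222-333-1108",
     "AssignedRoles": ["Authentication Administrator"]},
]


def synced_admin_roles(rows, now=NOW, lookback_days=30):
    """Return (EntraAdminRole, AccountUpn) rows the way the KQL pipeline would."""
    cutoff = now - timedelta(days=lookback_days)
    pairs = set()  # 'distinct EntraAdminRole, AccountUpn'
    for row in rows:
        if row["Timestamp"] <= cutoff:        # where Timestamp > ago(30d)
            continue
        roles = row.get("AssignedRoles") or []  # where AssignedRoles != ""
        if not row.get("OnPremSid"):          # where OnPremSid != ""
            continue
        for role in roles:                    # mv-expand AssignedRoles
            pairs.add((str(role), row["AccountUpn"]))  # extend EntraAdminRole = tostring(...)
    # where AccountUpn != ""
    result = [{"EntraAdminRole": r, "AccountUpn": u} for r, u in pairs if u]
    # sort by EntraAdminRole asc; KQL leaves tie order unspecified, so the
    # UPN is used as a secondary key here purely to make output deterministic.
    result.sort(key=lambda x: (x["EntraAdminRole"], x["AccountUpn"]))
    return result


def roles_by_account(result):
    """Regroup the query output per hybrid account for review/triage."""
    by_upn = {}
    for row in result:
        by_upn.setdefault(row["AccountUpn"], []).append(row["EntraAdminRole"])
    return by_upn


if __name__ == "__main__":
    for row in synced_admin_roles(SAMPLE_IDENTITY_INFO):
        print(f'{row["EntraAdminRole"]:32} {row["AccountUpn"]}')
    print(roles_by_account(synced_admin_roles(SAMPLE_IDENTITY_INFO)))
```

Running the script prints three role/UPN rows (Authentication Administrator for carol, Exchange Administrator and Global Administrator for alice); the cloud-only admin, the role-less hybrid user, the stale record and the empty-UPN row are all filtered out, which mirrors what the KQL returns in the portal.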

Details


Steven Lim

Released: August 21, 2024

Tables

IdentityInfo

Keywords

IdentityInfo, EntraAdminRole, AccountUpn, Timestamp, AssignedRoles, OnPremSid

Operators

|, >, ago, !=, mv-expand, extend, tostring, distinct, sort by, asc
