Query Details

Entra Administrative Units

Query

# Entra ID - Administrative Units

## Query Information

### Description

Queries for Entra ID Administrative Unit related activities: adding or removing members of administrative units, and adding or removing members of roles scoped over Restricted Management Administrative Units.

#### References

- [Administrative units in Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units)
- [Protection of privileged users and groups by Azure AD Restricted Management Administrative Units](https://www.cloud-architekt.net/restricted-management-administrative-unit/)
- [Monitoring Restricted Management Administrative Units Abuse](https://github.com/SlimKQL/Hunting-Queries-Detection-Rules/blob/4158320dc80ea58891c043321e293b21458d00b5/Sentinel/Monitoring%20restricted%20management%20administrative%20units%20abuse.kql)
- [Exploring Entra ID Restricted Management Administrative Units with KQL](https://kaidojarvemets.com/exploring-azure-active-directorys-restricted-management-administrative-units-with-kql/)

### Microsoft Defender XDR / Sentinel

Entra ID Audit log

```kql
let monitoredOperations = dynamic([
    "Add member to administrative unit",
    "Add member to role scoped over Restricted Management Administrative Unit",
    "Remove member from role scoped over Restricted Management Administrative Unit",
    "Add member to restricted management administrative unit",
    "Remove member from restricted management administrative unit"
]);
AuditLogs
| where OperationName in~ (monitoredOperations)
```

CloudAppEvents (Defender for Cloud Apps connector). Note the trailing period at the end of each ActionType name; without it the `in~` match returns nothing.

```kql
let monitoredOperations = dynamic([
    "Add member to administrative unit.",
    "Add member to role scoped over Restricted Management Administrative Unit.",
    "Remove member from role scoped over Restricted Management Administrative Unit.",
    "Add member to restricted management administrative unit.",
    "Remove member from restricted management administrative unit."
]);
CloudAppEvents
| where ActionType in~ (monitoredOperations)
```

Explanation

This query is designed to monitor specific activities related to Administrative Units in Microsoft Entra ID (formerly Azure Active Directory). The query focuses on tracking operations that add or remove members of administrative units, or of roles scoped over those units, with particular attention to Restricted Management Administrative Units.

Here's a simplified breakdown of what the query does:

1. Monitored operations: the query defines a list of specific operations to monitor:

   - Adding a member to an administrative unit.
   - Adding or removing a member from a role that is scoped over a Restricted Management Administrative Unit.
   - Adding or removing a member from a restricted management administrative unit.

2. Data sources:

   - AuditLogs: the Entra ID audit log, filtered for the specified operations.
   - CloudAppEvents: the same operations as surfaced through the Defender for Cloud Apps connector, where the action type names carry a trailing period.

3. Purpose: the query is used to detect and monitor changes in administrative units, particularly those that could affect the security and management of privileged users and groups. Objects inside a restricted management administrative unit can only be modified by principals holding a role scoped to that unit, not by tenant-wide administrators, so a new role assignment scoped over such a unit grants control that bypasses the usual administrative oversight and deserves review. Note that the list covers additions to regular administrative units but not removals from them; extend the list if removals from non-restricted units are also of interest.

Overall, the query helps administrators keep track of important changes in administrative units, ensuring that any unauthorized or suspicious activities are quickly identified and addressed.
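As an added example that is not part of the original page, the AuditLogs variant extended so that each hit shows who performed the change, from where, and which object was touched, which is what an analyst needs to triage it. The columns used (`InitiatedBy`, `TargetResources`, `Result`, `CorrelationId`) are standard AuditLogs columns; the operation name "Remove member from administrative unit" is an assumption added beyond the page's list and should be verified against the tenant's own audit log before relying on it.

```kql
// Added example: enrich Administrative Unit membership and role-scope changes
// with actor, source IP and target details for triage.
let monitoredOperations = dynamic([
    "Add member to administrative unit",
    "Remove member from administrative unit",   // assumption: not in the page's list, verify in your tenant
    "Add member to role scoped over Restricted Management Administrative Unit",
    "Remove member from role scoped over Restricted Management Administrative Unit",
    "Add member to restricted management administrative unit",
    "Remove member from restricted management administrative unit"
]);
AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName in~ (monitoredOperations)
// Actor: a user (interactive change) or an application (Graph / automation)
| extend Actor = coalesce(
        tostring(InitiatedBy.user.userPrincipalName),
        tostring(InitiatedBy.app.displayName)),
    ActorIp = tostring(InitiatedBy.user.ipAddress)
// One row per target object so that the AU, the member and the role are each visible
| mv-expand Target = TargetResources
| extend TargetType = tostring(Target.type),
    TargetName = coalesce(tostring(Target.userPrincipalName), tostring(Target.displayName)),
    TargetId = tostring(Target.id),
    // modifiedProperties carries the old/new values of the change as recorded by Entra ID
    ModifiedProperties = Target.modifiedProperties
| project TimeGenerated, OperationName, Result, Actor, ActorIp,
    TargetType, TargetName, TargetId, ModifiedProperties, CorrelationId
| order by TimeGenerated desc
```

Failed attempts (`Result == "failure"`) are kept on purpose: a tenant-wide administrator repeatedly failing to modify members of a restricted management unit is itself a signal worth seeing. To run the same list against CloudAppEvents without maintaining a second copy with trailing periods, normalise the action name first, for example with `extend ActionType = trim_end(@"\.", ActionType)` before the `in~` filter.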

Details


Alex Verboon

Released: May 10, 2025

Tables

AuditLogs, CloudAppEvents

Keywords

EntraID, AdministrativeUnits, AuditLogs, CloudAppEvents

Operators

let, dynamic, in~, where
