Query Details

Entra ID Disabled Users with Priv Roles

Query

# Defender for Identity - Disabled Accounts with Privileged Roles

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1110.003 | Credential Access: Brute Force: Password Spraying | https://attack.mitre.org/techniques/T1110/003/ |

### Description

Use the query below to identify ***disabled*** identities that still have privileged roles assigned.

#### References

### Microsoft Defender XDR

```kql
// Take the latest IdentityInfo snapshot per account; older rows could
// report roles or an enabled state the account no longer has.
IdentityInfo
| summarize arg_max(Timestamp, *) by AccountObjectId
// Keep accounts with at least one standing role or PIM role. An empty
// role array serialises as '[]', so isnotempty() alone is not enough,
// and the '[]' guard must apply to both columns or PIM-only accounts are dropped.
| where (isnotempty(AssignedRoles) and AssignedRoles != '[]')
    or (isnotempty(PrivilegedEntraPimRoles) and PrivilegedEntraPimRoles != '[]')
// Disabled accounts only.
| where IsAccountEnabled == false
| project AccountName, AccountDomain, AccountDisplayName, AccountObjectId, OnPremSid, CriticalityLevel, IsAccountEnabled, PrivilegedEntraPimRoles, AssignedRoles, SourceProvider, Type
```

Explanation

This query is designed to identify disabled user accounts that still have privileged roles assigned to them within a system monitored by Microsoft Defender for Identity. Here's a simple breakdown of what the query does:

  1. Data Source: It uses data from the IdentityInfo table, which contains information about user accounts.

  2. Latest Record Selection: The query summarizes the data to get the most recent record for each account, identified by AccountObjectId.

  3. Role Check: It filters the accounts to find those that have either AssignedRoles or PrivilegedEntraPimRoles that are not empty, meaning the account has some form of privileged role assigned.

  4. Disabled Accounts: It further filters the results to include only those accounts where IsAccountEnabled is false, indicating that the account is disabled.

  5. Output: The query projects (selects) specific fields to display, such as the account's name, domain, display name, object ID, on-premises SID, criticality level, whether the account is enabled, privileged roles, assigned roles, source provider, and type.

In summary, this query helps security teams identify disabled accounts that still have privileged roles, which could be a security risk if not managed properly.
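The same detection logic, as an added example written for this page (not part of the original query or its author's code), run over a constructed set of IdentityInfo-style rows. It assumes the role columns arrive as JSON-encoded strings, and it shows the two cases the query has to get right: an account that is disabled in an older row but enabled in its latest row, and an account whose only privileged role is a PIM role while AssignedRoles is the empty array '[]'.

```python
import json
from datetime import datetime

# Constructed sample rows (not real tenant data); same columns as IdentityInfo.
SAMPLE_ROWS = [
    {"Timestamp": "2025-06-10T08:00:00Z", "AccountObjectId": "a1", "AccountName": "svc-old",
     "IsAccountEnabled": False, "AssignedRoles": '["Global Administrator"]', "PrivilegedEntraPimRoles": ""},
    # Same account, newer row: re-enabled, so arg_max must make it drop out of the results.
    {"Timestamp": "2025-06-14T08:00:00Z", "AccountObjectId": "a1", "AccountName": "svc-old",
     "IsAccountEnabled": True, "AssignedRoles": '["Global Administrator"]', "PrivilegedEntraPimRoles": ""},
    # PIM-only privileged account: AssignedRoles is the empty array '[]'.
    {"Timestamp": "2025-06-12T08:00:00Z", "AccountObjectId": "b2", "AccountName": "jdoe",
     "IsAccountEnabled": False, "AssignedRoles": "[]", "PrivilegedEntraPimRoles": '["Security Administrator"]'},
    # Disabled but holds no roles at all: must not be reported.
    {"Timestamp": "2025-06-12T08:00:00Z", "AccountObjectId": "c3", "AccountName": "guest",
     "IsAccountEnabled": False, "AssignedRoles": "[]", "PrivilegedEntraPimRoles": "[]"},
    {"Timestamp": "2025-06-13T08:00:00Z", "AccountObjectId": "d4", "AccountName": "ex-admin",
     "IsAccountEnabled": False, "AssignedRoles": '["User Administrator"]', "PrivilegedEntraPimRoles": "[]"},
]


def parse_roles(value):
    """Mirror isnotempty() plus the != '[]' guard: return the list of role names."""
    if value in (None, "", "[]"):
        return []
    return json.loads(value) if isinstance(value, str) else list(value)


def latest_per_account(rows):
    """Equivalent of: summarize arg_max(Timestamp, *) by AccountObjectId."""
    latest = {}
    for row in rows:
        ts = datetime.fromisoformat(row["Timestamp"].replace("Z", "+00:00"))
        current = latest.get(row["AccountObjectId"])
        if current is None or ts > current[0]:
            latest[row["AccountObjectId"]] = (ts, row)
    return [row for _, row in latest.values()]


def disabled_with_privileged_roles(rows):
    """Disabled accounts whose latest snapshot still carries a standing or PIM role."""
    findings = []
    for row in latest_per_account(rows):
        roles = parse_roles(row.get("AssignedRoles")) + parse_roles(row.get("PrivilegedEntraPimRoles"))
        if roles and not row["IsAccountEnabled"]:
            findings.append({"AccountObjectId": row["AccountObjectId"],
                             "AccountName": row["AccountName"], "Roles": roles})
    return sorted(findings, key=lambda f: f["AccountObjectId"])
```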

Details


Alex Verboon

Released: June 15, 2025

Tables

IdentityInfo

Keywords

DefenderIdentityAccountsRoles

Operators

summarize, arg_max, by, where, isnotempty, or, !=, ==, false, project
