Query Details

Defender for Identity - Disabled Accounts with Privileged Roles

Entra ID Disabled Userswith Priv Roles

Query

IdentityInfo
| summarize arg_max(Timestamp,*) by AccountObjectId
| where isnotempty( AssignedRoles) or isnotempty( PrivilegedEntraPimRoles)
| where AssignedRoles != '[]'
| where IsAccountEnabled == false
| project AccountName, AccountDomain, AccountDisplayName, AccountObjectId, OnPremSid, CriticalityLevel, IsAccountEnabled, PrivilegedEntraPimRoles, AssignedRoles, SourceProvider, Type

About this query

Defender for Identity - Disabled Accounts with Privileged Roles

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1110.003Credential Access: Brute Force: Password Sprayinghttps://attack.mitre.org/techniques/T1110/003/

Description

Use the below query to identify disabled identities with privileged roles assigned.

References

Microsoft Defender XDR

Explanation

This query is designed to identify disabled user accounts that still have privileged roles assigned to them within a system monitored by Microsoft Defender for Identity. Here's a simple breakdown of what the query does:

  1. Data Source: It uses data from the IdentityInfo table, which contains information about user accounts.

  2. Latest Record Selection: The query summarizes the data to get the most recent record for each account, identified by AccountObjectId.

  3. Role Check: It filters the accounts to find those that have either AssignedRoles or PrivilegedEntraPimRoles that are not empty, meaning the account has some form of privileged role assigned.

  4. Disabled Accounts: It further filters the results to include only those accounts where IsAccountEnabled is false, indicating that the account is disabled.

  5. Output: The query projects (selects) specific fields to display, such as the account's name, domain, display name, object ID, on-premises SID, criticality level, whether the account is enabled, privileged roles, assigned roles, source provider, and type.

In summary, this query helps security teams identify disabled accounts that still have privileged roles, which could be a security risk if not managed properly.

Details

Alex Verboon profile picture

Alex Verboon

Released: June 15, 2025

Tables

IdentityInfo

Keywords

DefenderIdentityAccountsRoles

Operators

summarizearg_maxbywhereisnotemptyor!===falseproject

MITRE Techniques

Actions

GitHub