Defender for Identity - Disabled Accounts with Privileged Roles
Entra ID Disabled Userswith Priv Roles
Query
IdentityInfo
| summarize arg_max(Timestamp,*) by AccountObjectId
| where isnotempty( AssignedRoles) or isnotempty( PrivilegedEntraPimRoles)
| where AssignedRoles != '[]'
| where IsAccountEnabled == false
| project AccountName, AccountDomain, AccountDisplayName, AccountObjectId, OnPremSid, CriticalityLevel, IsAccountEnabled, PrivilegedEntraPimRoles, AssignedRoles, SourceProvider, TypeAbout this query
Defender for Identity - Disabled Accounts with Privileged Roles
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1110.003 | Credential Access: Brute Force: Password Spraying | https://attack.mitre.org/techniques/T1110/003/ |
Description
Use the below query to identify disabled identities with privileged roles assigned.
References
Microsoft Defender XDR
Explanation
This query is designed to identify disabled user accounts that still have privileged roles assigned to them within a system monitored by Microsoft Defender for Identity. Here's a simple breakdown of what the query does:
-
Data Source: It uses data from the
IdentityInfotable, which contains information about user accounts. -
Latest Record Selection: The query summarizes the data to get the most recent record for each account, identified by
AccountObjectId. -
Role Check: It filters the accounts to find those that have either
AssignedRolesorPrivilegedEntraPimRolesthat are not empty, meaning the account has some form of privileged role assigned. -
Disabled Accounts: It further filters the results to include only those accounts where
IsAccountEnabledis false, indicating that the account is disabled. -
Output: The query projects (selects) specific fields to display, such as the account's name, domain, display name, object ID, on-premises SID, criticality level, whether the account is enabled, privileged roles, assigned roles, source provider, and type.
In summary, this query helps security teams identify disabled accounts that still have privileged roles, which could be a security risk if not managed properly.
