# Entra ID - PIM Role Activations
## Query Information
### Description
Use the query below to audit PIM role activations.
### Microsoft Sentinel
```kql
AuditLogs
| where OperationName == "Add member to role completed (PIM activation)"
| project TimeGenerated, OperationName, Identity, ResultDescription, TargetResources, CorrelationId
| extend tr = todynamic(TargetResources)
| mv-expand tr
| extend itemType = tostring(tr.type),
         itemDisplay = tostring(tr.displayName)
| where itemType in ("Role", "Group")
| summarize
    RoleName = take_anyif(itemDisplay, itemType == "Role"),
    GroupName = take_anyif(itemDisplay, itemType == "Group")
    by TimeGenerated, CorrelationId, ResultDescription, Identity
| project TimeGenerated, Identity, ResultDescription, RoleName, GroupName
```
This KQL (Kusto Query Language) query is designed to audit Privileged Identity Management (PIM) role activations within Microsoft Entra ID (formerly Azure Active Directory). Here's a simple breakdown of what the query does:
1. Data Source: It starts by looking at the `AuditLogs` table, which contains logs of various operations.
2. Filter: It filters the logs to find entries where the operation name is "Add member to role completed (PIM activation)". This means it is specifically looking for logs related to the completion of adding a member to a role through PIM activation.
3. Select Columns: It selects specific columns to work with: `TimeGenerated`, `OperationName`, `Identity`, `ResultDescription`, `TargetResources`, and `CorrelationId`.
4. Expand Resources: The `TargetResources` column, which contains JSON data, is converted into a dynamic type and expanded so that each of its entries is handled as its own row.
5. Extract Details: For each expanded resource, it extracts the type and display name, storing them as `itemType` and `itemDisplay`.
6. Filter by Type: It filters the resources to only include those of type "Role" or "Group".
7. Summarize: It summarizes the data by `TimeGenerated`, `CorrelationId`, `ResultDescription`, and `Identity`, and for each of these combinations it selects any role name and any group name found.
8. Final Output: Finally, it projects (selects) the columns `TimeGenerated`, `Identity`, `ResultDescription`, `RoleName`, and `GroupName` for the output.
In summary, this query audits PIM role activations by extracting and displaying relevant information about when and by whom roles or groups were activated, along with the results of those activations.
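To check the pipeline without live PIM data, the same steps can be run over an inline `datatable`. This is an added example, not part of the original query: the table name `SampleAuditLogs`, the identities, the correlation IDs and the `TargetResources` shapes are constructed assumptions. It shows that an activation without a "Group" entry still yields a row (with an empty `GroupName`) and that other operations are dropped by the first filter.

```kql
// Added example with constructed rows, not real tenant data.
// Row 1: activation with a "Role" entry and no "Group" entry.
// Row 2: activation carrying both a "Role" and a "Group" entry.
// Row 3: a different operation, which the first filter must drop.
// The TargetResources shapes are assumptions modelled on the query above.
let SampleAuditLogs = datatable(
    TimeGenerated: datetime, OperationName: string, Identity: string,
    ResultDescription: string, CorrelationId: string, TargetResources: dynamic)
[
    datetime(2025-06-15 08:00:00), "Add member to role completed (PIM activation)",
    "alice@contoso.example", "Constructed: incident triage", "corr-0001",
    dynamic([{"type": "Role", "displayName": "Security Administrator"},
             {"type": "User", "displayName": "Alice"}]),
    datetime(2025-06-15 09:30:00), "Add member to role completed (PIM activation)",
    "bob@contoso.example", "Constructed: change window", "corr-0002",
    dynamic([{"type": "Role", "displayName": "Member"},
             {"type": "Group", "displayName": "Tier0-Admins"},
             {"type": "User", "displayName": "Bob"}]),
    datetime(2025-06-15 10:00:00), "Update user",
    "carol@contoso.example", "", "corr-0003",
    dynamic([{"type": "User", "displayName": "Carol"}])
];
SampleAuditLogs
| where OperationName == "Add member to role completed (PIM activation)"
| project TimeGenerated, OperationName, Identity, ResultDescription, TargetResources, CorrelationId
| extend tr = todynamic(TargetResources)
| mv-expand tr                          // one row per TargetResources entry
| extend itemType = tostring(tr.type),
         itemDisplay = tostring(tr.displayName)
| where itemType in ("Role", "Group")   // "User" entries are discarded here
| summarize
    RoleName = take_anyif(itemDisplay, itemType == "Role"),
    GroupName = take_anyif(itemDisplay, itemType == "Group")
    by TimeGenerated, CorrelationId, ResultDescription, Identity
| project TimeGenerated, Identity, ResultDescription, RoleName, GroupName
| order by TimeGenerated asc
```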

Alex Verboon
Released: June 15, 2025