# EntraID - Privileged Identity Management - Role Settings Changes
## Query Information
### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1098.003 | Account Manipulation: Additional Cloud Roles | https://attack.mitre.org/techniques/T1098/003/ |
### Description
Use the query below to retrieve EntraID - Privileged Identity Management - Role Settings Changes. The role settings covered include:

- MFA on activation requirement (enabled/disabled)
- Ticket info requirement (enabled/disabled)
- Approval (enabled/disabled)
- Approval enabled with approvers
- Approver settings - Default recipients settings disabled
- Maximum active assignment duration set to (Days)
- Maximum eligible assignment duration set to (Days)
- MFA on active assignment requirement (enabled/disabled)
- Notification updates in eligible members activate the role - Admin settings - Default recipients settings (enabled/disabled)
- Notification updates in members are assigned as active to the role - Admin settings - Default recipients settings (enabled/disabled)
- Notification updates in members are assigned as eligible to the role - Admin settings - Default recipients settings (enabled/disabled)
- Permanently active assignments (enabled/disabled)
- Permanently eligible assignments (enabled/disabled)
- Requestor settings - Default recipients settings (enabled/disabled)
#### References
- [Microsoft Entra Privileged Identity Management](https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure)
### Microsoft Sentinel
```kql
AuditLogs
| where Category == "RoleManagement"
| where OperationName == "Update role setting in PIM"
// Who made the change and which role definition was touched
| extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend Role = tostring(TargetResources[0].displayName)
// AdditionalDetails is an array of {key, value}; pull out the source IP and user agent
| mv-apply item = AdditionalDetails on (
    where tostring(item.key) == "ipaddr"
    | extend ipaddr = tostring(item.value)
)
| mv-apply item = AdditionalDetails on (
    where tostring(item.key) == "UserAgent"
    | extend UserAgent = tostring(item.value)
)
| extend geo_ip = tostring(geo_info_from_ip_address(ipaddr))
| sort by TimeGenerated asc
// ResultReason lists the changed settings as sentences; split them into an array
| extend ChangedSettings = replace("Setting changes in this session: ", "", tostring(ResultReason))
| extend ModifiedSettings = extract_all(@"(.*?)\.", ChangedSettings)
| project-away ChangedSettings
| project
    TimeGenerated,
    Role,
    ResultReason,
    ModifiedSettings,
    userPrincipalName,
    Identity,
    ipaddr,
    UserAgent,
    geo_ip,
    CorrelationId
```
Only list events where ***MFA on activation requirement*** was changed:
```kql
AuditLogs
| where Category == "RoleManagement"
| where OperationName == "Update role setting in PIM"
| extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend Role = tostring(TargetResources[0].displayName)
| mv-apply item = AdditionalDetails on (
    where tostring(item.key) == "ipaddr"
    | extend ipaddr = tostring(item.value)
)
| mv-apply item = AdditionalDetails on (
    where tostring(item.key) == "UserAgent"
    | extend UserAgent = tostring(item.value)
)
| extend geo_ip = tostring(geo_info_from_ip_address(ipaddr))
| sort by TimeGenerated asc
| extend ChangedSettings = replace("Setting changes in this session: ", "", tostring(ResultReason))
| extend ModifiedSettings = extract_all(@"(.*?)\.", ChangedSettings)
| project-away ChangedSettings
| project
    TimeGenerated,
    Role,
    ResultReason,
    ModifiedSettings,
    userPrincipalName,
    Identity,
    ipaddr,
    UserAgent,
    geo_ip,
    CorrelationId
// Keep only sessions in which the activation MFA setting was among the changes
| where ModifiedSettings has_any ("MFA on activation requirement")
```
This query is designed to track changes to role settings within Microsoft EntraID Privileged Identity Management (PIM). Specifically, it identifies when the "MFA on activation requirement" setting is altered. A simplified breakdown of what the query does:

- Data Source: It reads the AuditLogs table, keeping only records categorized under "RoleManagement" whose operation is named "Update role setting in PIM".
- User Information: It extracts the userPrincipalName of the person who initiated the change.
- Role Information: It identifies which role's settings were changed by extracting the role's display name.
- Additional Details: It extracts the IP address (ipaddr) and user agent (UserAgent) from the additional details of the log entry, and derives the geographical location of the IP address (geo_ip).
- Change Details: It processes ResultReason to identify which settings were changed during the session.
- Output: The query outputs a list of events with details such as the time of the change, the role affected, the result reason, the modified settings, the user who made the change, their identity, IP address, user agent, geographical location, and a correlation ID for tracking.
- Filtering: Finally, it filters the results to only include events where the "MFA on activation requirement" setting was changed.

This query helps administrators monitor and audit changes to critical security settings in their identity management system, ensuring that any modifications to multi-factor authentication requirements are tracked and reviewed.
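The following is an added Python example, not part of the original query page, that replays the query's parsing logic over two constructed AuditLogs-style records so the ResultReason splitting and the AdditionalDetails lookups can be unit-tested offline. The record shape, UPNs, IP address and CorrelationIds are constructed; the prefix string and the `(.*?)\.` pattern are the ones used in the KQL above. Unlike the KQL `mv-apply` lookups, which drop a record when no matching key exists, the lookup here returns None so such events stay visible.

```python
import re

# Constructed sample records in the shape the KQL reads; not real tenant data.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2025-05-24T09:15:00Z", "Category": "RoleManagement",
     "OperationName": "Update role setting in PIM",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "TargetResources": [{"displayName": "Global Administrator"}],
     "AdditionalDetails": [{"key": "ipaddr", "value": "203.0.113.10"},
                           {"key": "UserAgent", "value": "Mozilla/5.0"}],
     "ResultReason": "Setting changes in this session: MFA on activation requirement disabled. Approval disabled.",
     "CorrelationId": "00000000-0000-0000-0000-000000000001"},
    {"TimeGenerated": "2025-05-24T10:02:00Z", "Category": "RoleManagement",
     "OperationName": "Update role setting in PIM",
     "InitiatedBy": {"user": {"userPrincipalName": "svc-pim@contoso.example"}},
     "TargetResources": [{"displayName": "Security Reader"}],
     "AdditionalDetails": [],  # no ipaddr / UserAgent entries at all
     "ResultReason": "Setting changes in this session: Maximum active assignment duration set to 1 Days.",
     "CorrelationId": "00000000-0000-0000-0000-000000000002"},
]

SESSION_PREFIX = "Setting changes in this session: "
SETTING_RE = re.compile(r"(.*?)\.")  # same pattern as the KQL extract_all

def detail(event, key):
    """AdditionalDetails is a list of {key, value}; None when the key is absent
    (the KQL mv-apply subquery would yield no row and drop the record instead)."""
    for item in event.get("AdditionalDetails", []):
        if item.get("key") == key:
            return str(item.get("value"))
    return None

def parse_modified_settings(result_reason):
    """Strip the session prefix and split into one entry per sentence; whitespace trimmed."""
    changed = result_reason.replace(SESSION_PREFIX, "")
    return [m.strip() for m in SETTING_RE.findall(changed) if m.strip()]

def pim_setting_changes(events, setting=None):
    """Mirror the query: filter category/operation, project the columns, optionally
    keep only sessions whose ModifiedSettings mention `setting` (the has_any step)."""
    rows = [{"TimeGenerated": e["TimeGenerated"],
             "Role": e["TargetResources"][0]["displayName"],
             "ModifiedSettings": parse_modified_settings(e["ResultReason"]),
             "userPrincipalName": e["InitiatedBy"]["user"]["userPrincipalName"],
             "ipaddr": detail(e, "ipaddr"), "UserAgent": detail(e, "UserAgent"),
             "CorrelationId": e["CorrelationId"]}
            for e in events if e.get("Category") == "RoleManagement"
            and e.get("OperationName") == "Update role setting in PIM"]
    if setting:
        rows = [r for r in rows if any(setting.lower() in s.lower() for s in r["ModifiedSettings"])]
    return sorted(rows, key=lambda r: r["TimeGenerated"])

def weakens_activation_mfa(row):
    """Triage helper: True when the session turned activation MFA off, the case worth paging on."""
    return any(s.lower() == "mfa on activation requirement disabled" for s in row["ModifiedSettings"])
```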

Alex Verboon
Released: May 24, 2025