Grant High Privilege Azure AD Role To Identity
Query
let HighPrivRoles = dynamic(["Company Administrator","Privileged Authentication Administrator","Privileged Role Administrator"]);
AuditLogs
| where OperationName == "Add member to role"
| mv-expand TargetResources
| mv-expand TargetResources.modifiedProperties
| where TargetResources_modifiedProperties.displayName == "Role.DisplayName"
| extend TargetObjectId = TargetResources.id
| extend TargetObjectDisplayName = TargetResources.displayName
| extend InitiatedByUserPrincipalName = InitiatedBy.user.userPrincipalName
| extend AddedToRole = replace_string(tostring(TargetResources_modifiedProperties.newValue),'"','')
| where AddedToRole in~ (HighPrivRoles)
| extend IPCustomEntity = todynamic(InitiatedBy).user.ipAddress
| extend ServicePrincipalAppId = todynamic(TargetResources).modifiedProperties[5].displayName
| project timestamp = TimeGenerated, IPCustomEntity, AccountCustomEntity=InitiatedByUserPrincipalName,TargetObjectId,TargetObjectDisplayName, AddedToRoleExplanation
This query is designed to identify when a user or other identity is added to a high privilege Azure AD role. It looks for the operation of adding a member to a role in the audit logs and filters for specific high privilege roles. It extracts relevant information such as the timestamp, IP address, user account, target object ID, target object display name, and the role that was added. The query is scheduled to run once a day and has a medium severity level. It is relevant to the persistence tactic and the T1098 technique.
