HUNT-01 Provisioning Failures by Job and Error (30d)
HUNT 01 AAD Prov Failures By Job Error 30d
Query
AADProvisioningLogs
| where TimeGenerated > ago(30d)
| where ResultType =~ "Failure"
| extend SPName = tostring(parse_json(ServicePrincipal).Name)
| summarize
Failures = count(),
AffectedTargets = dcount(TargetIdentity),
ErrorMessages = make_set(ResultDescription, 5),
Operations = make_set(OperationName, 10),
DistinctDays = dcount(startofday(TimeGenerated)),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by JobId, SPName, ResultSignature
| where Failures >= 10
| extend Sustained = DistinctDays >= 3
| order by Failures descExplanation
This query is designed to analyze provisioning failures in Azure Active Directory over the past 30 days. It focuses on identifying persistent issues, potential malicious activities, and schema-related errors. Here's a simple breakdown:
-
Data Source: It uses logs from Azure Active Directory, specifically the provisioning logs.
-
Time Frame: The analysis covers the last 30 days.
-
Filter: It looks for entries where the result was a "Failure".
-
Data Extraction: For each failure, it extracts the name of the service principal involved.
-
Aggregation: The query groups the failures by Job ID, Service Principal Name, and error signature. It calculates:
- Total number of failures.
- Number of unique affected targets.
- A set of error messages (up to 5).
- A set of operations involved (up to 10).
- Number of distinct days the failures occurred.
- The first and last occurrence of the failures.
-
Threshold: It only considers groups with 10 or more failures.
-
Sustained Issues: It flags issues that occurred on at least 3 different days.
-
Output: The results are ordered by the number of failures, showing the most frequent issues first.
This query helps in identifying recurring problems, potential security threats, and operational anomalies in the provisioning process.
Details

David Alonso
Released: June 1, 2026
Tables
Keywords
Operators
Severity
MediumTactics
MITRE Techniques