HUNT-08 Provisioning of Role-Assignable Groups (30d)
HUNT 08 AAD Prov Role Assignable Group Changes 30d
Query
AADProvisioningLogs
| where TimeGenerated > ago(30d)
| where ResultType =~ "Success"
| where tostring(TargetIdentity) has "IsAssignableToRole"
or tostring(ModifiedProperties) has "isAssignableToRole"
or tostring(ModifiedProperties) has "directoryRoles"
| extend Target = tostring(parse_json(TargetIdentity).displayName),
SPName = tostring(parse_json(ServicePrincipal).Name),
InitiatorUpn = tostring(parse_json(InitiatedBy).userPrincipalName),
InitiatorApp = tostring(parse_json(InitiatedBy).displayName)
| project TimeGenerated, JobId, CycleId, ChangeId, SPName,
Initiator = coalesce(InitiatorUpn, InitiatorApp),
TargetGroup = Target,
OperationName, ProvisioningAction, ModifiedProperties
| order by TimeGenerated descExplanation
This query is designed to monitor and identify unusual provisioning activities related to role-assignable groups in Azure Active Directory. Here's a simplified breakdown:
-
Purpose: The query focuses on detecting provisioning operations that involve role-assignable groups, which are groups that can be assigned directory roles. Changes to these groups can effectively grant directory roles, making such operations potentially suspicious and worthy of manual review.
-
Severity: The query is marked with a high severity level, indicating the importance of these operations and the potential risk they pose.
-
Data Source: It uses data from Azure Active Directory, specifically the AADProvisioningLogs.
-
Time Frame: The query looks at logs from the past 30 days.
-
Conditions: It filters for successful provisioning operations that involve role-assignable groups by checking if certain properties (
IsAssignableToRole,directoryRoles) are present in the logs. -
Output: The query extracts and displays relevant details such as the time of the operation, job and cycle identifiers, the name of the service principal involved, the initiator's user principal name or application name, the target group affected, and the type of operation performed.
-
Order: The results are sorted by the time the operation was generated, in descending order, to show the most recent activities first.
Overall, this query helps in identifying and reviewing potentially risky changes to role-assignable groups, which could indicate privilege escalation or persistence tactics.
Details

David Alonso
Released: June 1, 2026
Tables
Keywords
Operators
Severity
HighTactics
MITRE Techniques