HUNT-12 Provisioning Operation Followed by Consent Grant (24h)
HUNT 12 AAD Prov Consent Grant After Provisioning
Query
let ProvisioningSPs =
AADProvisioningLogs
| where TimeGenerated > ago(7d)
| extend SPId = tostring(parse_json(ServicePrincipal).Id),
SPName = tostring(parse_json(ServicePrincipal).Name)
| summarize ProvisioningEvents = count(),
FirstProvisioningSeen = min(TimeGenerated)
by SPId, SPName;
let ConsentEvents =
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName has_any (
"Consent to application",
"Add delegated permission grant",
"Add app role assignment grant to user",
"Add app role assignment to service principal"
)
| mv-expand TargetResources
| extend TargetSPId = tostring(TargetResources.id),
TargetSPName = tostring(TargetResources.displayName),
Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
tostring(InitiatedBy.app.displayName))
| project ConsentTime = TimeGenerated, TargetSPId, TargetSPName, Actor, OperationName;
ProvisioningSPs
| join kind=inner (ConsentEvents) on $left.SPId == $right.TargetSPId
| where ConsentTime between (FirstProvisioningSeen .. FirstProvisioningSeen + 1d)
| project SPName, SPId, FirstProvisioningSeen, ConsentTime, Actor, OperationName, ProvisioningEvents
| order by ConsentTime descExplanation
This query is designed to detect potentially malicious activities involving service principals (SPs) in Azure Active Directory. Here's a simplified breakdown:
-
Purpose: The query identifies service principals that have been involved in provisioning activities followed by consent grants within a 24-hour period. This pattern can indicate a security threat where an attacker first creates or modifies accounts with limited permissions and then escalates their privileges by obtaining broader consent.
-
Severity: The alert generated by this query is considered high severity due to the potential for privilege escalation and persistence by an attacker.
-
Data Sources: The query uses data from Azure Active Directory, specifically:
- AADProvisioningLogs: Logs related to provisioning activities.
- AuditLogs: Logs that include consent-related activities.
-
Steps in the Query:
- ProvisioningSPs: This part of the query collects service principals that have been involved in provisioning activities over the past 7 days, summarizing the number of events and the first time such an event was seen.
- ConsentEvents: This part gathers consent-related activities from the audit logs over the same 7-day period, focusing on operations that grant permissions or roles to applications or users.
- Correlation: The query then joins these two datasets to find cases where a service principal involved in provisioning activities also received consent grants within 24 hours of the first provisioning event.
- Output: The result includes details like the service principal's name and ID, the times of provisioning and consent activities, the actor involved, and the type of consent operation, sorted by the most recent consent time.
-
Security Implication: This query helps in identifying a potential attack pattern where an attacker might be trying to establish a persistent and escalated presence within the Azure environment by first provisioning accounts and then expanding their access through consent grants.
Details

David Alonso
Released: June 1, 2026
Tables
Keywords
Operators
Severity
HighTactics