Query Details

Identity Guest Added to AAD Role

Query

//Detects when an Azure AD guest is added to an Azure AD role

//Data connector required for this query - Azure Active Directory - Audit Logs

AuditLogs
| where OperationName == "Add member to role"
| extend Target = tostring(TargetResources[0].userPrincipalName)
| extend RoleAdded = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| where Target contains "#ext#"
| project TimeGenerated, OperationName, Actor, Target, RoleAdded

Explanation

This query detects when a guest user is added to a role in Azure Active Directory. It uses the Azure Active Directory - Audit Logs data connector. The query filters for the "Add member to role" operation and extracts the relevant fields: the target user, the role that was added (taken from the second entry of the target's modifiedProperties), and the actor who initiated the action. It then keeps only targets whose user principal name contains "#ext#", the marker that identifies guest accounts, and projects the time generated, operation name, actor, target, and role added.
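To show the same filters and field extraction outside Sentinel, here is an added Python re-implementation of the detection run over constructed AuditLogs rows (this is example code, not the author's query or Microsoft's API). The tenant names, UPNs and role object id are placeholders, and the sample places the role display name at modifiedProperties[1], which is what the query's [1] index assumes.

```python
import json

# Constructed sample AuditLogs rows (not real tenant data), shaped like what the query expects:
# TargetResources and InitiatedBy are dynamic objects, each modifiedProperties newValue is a
# JSON-encoded string (hence the double parse_json in the KQL), and the role display name sits
# at modifiedProperties[1], which is the position the query's [1] index assumes.
def _row(ts, op, target, role=None):
    props = [] if role is None else [
        {"displayName": "Role.ObjectID", "newValue": json.dumps("ROLE-OBJECT-ID-PLACEHOLDER")},
        {"displayName": "Role.DisplayName", "newValue": json.dumps(role)}]
    return {"TimeGenerated": ts, "OperationName": op,
            "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
            "TargetResources": [{"userPrincipalName": target, "modifiedProperties": props}]}

SAMPLE_AUDIT_LOGS = [
    _row("2022-06-17T10:15:00Z", "Add member to role",
         "partner_fabrikam.example#EXT#@contoso.example", "Global Administrator"),  # guest: alert
    _row("2022-06-17T10:16:00Z", "Add member to role", "alice@contoso.example", "Security Reader"),  # member: no alert
    _row("2022-06-17T10:17:00Z", "Add user", "bob_fabrikam.example#EXT#@contoso.example"),  # other operation: no alert
]

def _parse_new_value(value):
    """Mirror parse_json(tostring(newValue)): strip the JSON encoding around the stored value."""
    try:
        parsed = json.loads(value)
    except (TypeError, ValueError):
        return "" if value is None else str(value)
    return parsed if isinstance(parsed, str) else json.dumps(parsed)

def detect_guest_role_additions(rows):
    """Apply the query's filters and projection; returns one finding per guest role addition."""
    findings = []
    for row in rows:
        if row.get("OperationName") != "Add member to role":
            continue
        targets = row.get("TargetResources") or [{}]
        target = str(targets[0].get("userPrincipalName", ""))
        # KQL `contains` is case-insensitive; real guest UPNs carry an upper-case #EXT# marker.
        if "#ext#" not in target.lower():
            continue
        props = targets[0].get("modifiedProperties") or []
        role_added = _parse_new_value(props[1].get("newValue")) if len(props) > 1 else ""
        actor = str(((row.get("InitiatedBy") or {}).get("user") or {}).get("userPrincipalName", ""))
        findings.append({"TimeGenerated": row["TimeGenerated"], "OperationName": row["OperationName"],
                         "Actor": actor, "Target": target, "RoleAdded": role_added})
    return findings
```

Running `detect_guest_role_additions(SAMPLE_AUDIT_LOGS)` returns only the first row, with RoleAdded resolved to "Global Administrator"; if a tenant's audit events order modifiedProperties differently, the [1] index in both the query and this re-implementation would need adjusting.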

Details

Matt Zorich

Released: June 17, 2022

Tables

AuditLogs

Keywords

AzureAD, AuditLogs, Add member to role, TargetResources, userPrincipalName, modifiedProperties, newValue, InitiatedBy, TimeGenerated
