Query Details
// Detects when a service principal has been added to an Azure AD role
// Data connector required for this query - Azure Active Directory - Audit Logs
AuditLogs
| where OperationName == "Add member to role"
| where TargetResources[0].type == "ServicePrincipal"
| extend ['Service Principal Object Id'] = tostring(TargetResources[0].id)
| extend ['Application Display Name'] = tostring(TargetResources[0].displayName)
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend ['Azure AD Role Added'] = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| project TimeGenerated, Actor, ['Azure AD Role Added'], ['Service Principal Object Id'], ['Application Display Name']
This query detects when a service principal has been added to an Azure AD role. It uses the Azure Active Directory - Audit Logs data connector. The query filters for the "Add member to role" operation and checks if the target resource type is a service principal. It extracts relevant information such as the service principal's object ID, application display name, the user who initiated the action, and the Azure AD role that was added. The query then projects the time generated, actor, Azure AD role added, service principal object ID, and application display name.
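As an added illustration (not part of the original query page), the Python below re-implements the query's filters, the nested parse_json step for the role name and the final projection over a few constructed audit rows. The ordering of modifiedProperties (index 1 being Role.DisplayName) and all object ids are assumptions marked as placeholders.

```python
import json
# Constructed sample AuditLogs rows (not real tenant data), shaped the way the query
# assumes: modifiedProperties[1] is Role.DisplayName and its newValue is a JSON string.
SAMPLE_AUDIT_LOGS = [
    {"TimeGenerated": "2022-06-17T10:15:00Z", "OperationName": "Add member to role",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "TargetResources": [{"type": "ServicePrincipal", "id": "sp-object-id-placeholder",
                          "displayName": "Deployment Automation",
                          "modifiedProperties": [
                              {"displayName": "Role.ObjectID", "newValue": "\"role-object-id-placeholder\""},
                              {"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]}]},
    # Same operation, but the member added is a user: the query must ignore it.
    {"TimeGenerated": "2022-06-17T10:16:00Z", "OperationName": "Add member to role",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "TargetResources": [{"type": "User", "id": "user-object-id-placeholder",
                          "displayName": "Jane Doe", "modifiedProperties": []}]},
    # Different operation on the same service principal: also ignored.
    {"TimeGenerated": "2022-06-17T10:17:00Z", "OperationName": "Remove member from role",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "TargetResources": [{"type": "ServicePrincipal", "id": "sp-object-id-placeholder",
                          "displayName": "Deployment Automation", "modifiedProperties": []}]},
]


def role_added_to_service_principal(records):
    """Apply the same filters and projection as the KQL query to a list of rows."""
    hits = []
    for rec in records:
        if rec.get("OperationName") != "Add member to role":
            continue
        target = (rec.get("TargetResources") or [{}])[0]
        if target.get("type") != "ServicePrincipal":
            continue
        # Equivalent of the nested tostring(parse_json(...)): newValue is a JSON string
        # holding a quoted string, so a second decode yields the bare role name.
        props = target.get("modifiedProperties") or []
        raw = props[1].get("newValue", "") if len(props) > 1 else ""
        try:
            role = json.loads(raw) if raw else ""
        except json.JSONDecodeError:
            role = raw  # non-JSON text passes through unchanged, as tostring() would
        actor = (rec.get("InitiatedBy") or {}).get("user") or {}
        hits.append({
            "TimeGenerated": rec.get("TimeGenerated"),
            "Actor": actor.get("userPrincipalName", ""),
            "Azure AD Role Added": str(role),
            "Service Principal Object Id": target.get("id", ""),
            "Application Display Name": target.get("displayName", ""),
        })
    return hits
```

Only the first constructed row survives the filters, which is the row the Sentinel query would surface for triage.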

Matt Zorich
Released: June 17, 2022