Query Details

List all Global Admins in your tenant

List Global Admins

Query

IdentityInfo
| where AssignedRoles contains "Global Admin"
| distinct AccountName, AccountDomain, AccountUPN, AccountSID
// If PIM is enabled for Global Admins the list shows only the Global Admins that have used PIM to gain the privileges.

About this query

List all Global Admins in your tenant

Query Information

Description

This query lists all accounts that have the Global Admin role assigned to their account. If you have enabled PIM, then only users that have pimmed to Global Admin in the search period will be shown.

References

Sentinel

Explanation

This query is designed to identify all user accounts within your organization that have been assigned the Global Admin role. It specifically looks for accounts with this role and lists their details, such as account name, domain, user principal name (UPN), and security identifier (SID). If your organization uses Privileged Identity Management (PIM) for managing Global Admin roles, the query will only show those users who have activated their Global Admin privileges through PIM during the specified search period.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

IdentityInfo

Keywords

IdentityInfo

Operators

IdentityInfowherecontainsdistinct

Actions

GitHub