Monthly Report Entra Eligible Role Activation
Query
// Monthly Report Entra Eligible Role Activation
// https://www.linkedin.com/posts/activity-7195656523899965442-aZTj/
// Entra offers an “Alert detail” view that monitors whether eligible administrators are activating their privileged roles. However, it lacks a built-in feature to measure the frequency of these activations. To overcome this, you can schedule the following KQL query to run every 30 days. This will generate a report detailing the activation history of eligible administrators’ roles over a specified timeframe. It’s important to adhere to the principle of least privilege and revoke any roles that are excessively provisioned and not necessary. 😎
IdentityInfo
| where Timestamp > ago(30d)
| where AssignedRoles != ""
| mv-expand AssignedRoles
| extend EntraAdminRole = tostring(AssignedRoles)
| distinct EntraAdminRole, AccountUpn
| where AccountUpn != ""
| sort by EntraAdminRole asc
// MITRE ATT&CK Mapping
// Based on the analysis, the KQL query can be associated with the following MITRE ATT&CK techniques:
// T1078 - Valid Accounts:
// The query identifies accounts with assigned roles, which can help detect unauthorized or suspicious account usage.
// T1087 - Account Discovery:
// By listing distinct roles and associated accounts, the query aids in discovering accounts and their privileges.
// T1098 - Account Manipulation:
// Monitoring changes in assigned roles can help detect potential account manipulation activities.Explanation
This KQL query is designed to generate a monthly report on the activation of privileged roles by eligible administrators in Entra. Here's a simple breakdown of what the query does:
- Time Frame: It looks at data from the past 30 days.
- Role Activation: It filters for entries where roles have been assigned to users.
- Role Expansion: It expands the list of assigned roles for each user.
- Role and User Identification: It extracts and lists unique combinations of roles and user accounts (identified by their email or username).
- Sorting: The results are sorted alphabetically by role.
The purpose of this query is to monitor how often eligible administrators activate their privileged roles, which is not directly available in Entra's built-in features. By running this query every 30 days, organizations can track role activations and ensure that roles are not excessively provisioned, adhering to the principle of least privilege.
Additionally, the query is mapped to certain MITRE ATT&CK techniques, which are frameworks for understanding potential security threats:
- T1078 - Valid Accounts: Helps identify valid accounts with roles, which can be useful for detecting unauthorized access.
- T1087 - Account Discovery: Assists in discovering accounts and their associated privileges.
- T1098 - Account Manipulation: Monitors changes in role assignments to detect possible manipulation of accounts.
