Intune - Privileged role assignment (Intune Administrator / Endpoint Privilege Manager)
Privileged Intune Role Assignment
Query
let sensitiveRoles = dynamic([
"Intune Administrator","Intune Service Administrator",
"Endpoint Security Manager","Cloud Device Administrator",
"Windows 365 Administrator","Security Administrator","Global Administrator"
]);
AuditLogs
| where TimeGenerated > ago(1h)
| where OperationName has_any ("Add member to role","Add eligible member to role")
| mv-expand TargetResources
| extend RoleName = tostring(parse_json(tostring(TargetResources.modifiedProperties))[1].newValue)
| extend RoleName = trim('"', RoleName)
| where RoleName has_any (sensitiveRoles)
| extend TargetUser = tostring(TargetResources.userPrincipalName)
| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, OperationName, RoleName, TargetUser, Initiator, Result
| extend AccountCustomEntity = TargetUserExplanation
This query is designed to detect when sensitive roles related to Intune and endpoint management are assigned to users in an organization. These roles include Intune Administrator, Endpoint Security Manager, and others that can be exploited for unauthorized access to device management systems. The query runs every hour and checks the audit logs for any new role assignments within the past hour. If it finds any, it identifies the role assigned, the user who received the role, and the person who initiated the assignment. The query is part of a security monitoring system and is used to alert on potential privilege escalation or persistence tactics, which are common techniques used by attackers to maintain access to compromised systems. The severity of this alert is considered high, indicating a significant security risk.
Details

David Alonso
Released: April 22, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1h