Query Details

Intune - Privileged role assignment (Intune Administrator / Endpoint Privilege Manager)

Privileged Intune Role Assignment

Query

let sensitiveRoles = dynamic([
    "Intune Administrator","Intune Service Administrator",
    "Endpoint Security Manager","Cloud Device Administrator",
    "Windows 365 Administrator","Security Administrator","Global Administrator"
]);
AuditLogs
| where TimeGenerated > ago(1h)
| where OperationName has_any ("Add member to role","Add eligible member to role")
| mv-expand TargetResources
| extend RoleName = tostring(parse_json(tostring(TargetResources.modifiedProperties))[1].newValue)
| extend RoleName = trim('"', RoleName)
| where RoleName has_any (sensitiveRoles)
| extend TargetUser = tostring(TargetResources.userPrincipalName)
| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, OperationName, RoleName, TargetUser, Initiator, Result
| extend AccountCustomEntity = TargetUser

Explanation

This query is designed to detect when sensitive roles related to Intune and endpoint management are assigned to users in an organization. These roles include Intune Administrator, Endpoint Security Manager, and others that can be exploited for unauthorized access to device management systems. The query runs every hour and checks the audit logs for any new role assignments within the past hour. If it finds any, it identifies the role assigned, the user who received the role, and the person who initiated the assignment. The query is part of a security monitoring system and is used to alert on potential privilege escalation or persistence tactics, which are common techniques used by attackers to maintain access to compromised systems. The severity of this alert is considered high, indicating a significant security risk.

Details

David Alonso profile picture

David Alonso

Released: April 22, 2026

Tables

AuditLogs

Keywords

IntuneEndpointManagementDirectoryRolesAdministratorSecurityManagerCloudDeviceWindows365GlobalAuditLogsRoleNameTargetUserInitiatorAccount

Operators

letdynamichas_anymv-expandextendtostringparse_jsontrimprojectago

Severity

High

Tactics

PrivilegeEscalationPersistence

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub