Query Details

Sensitive Intune Role Membership

Query

id: 7b8c9d10-aaaa-4001-8001-000000000005
name: HUNT - Users holding sensitive Intune/Endpoint roles
description: |
  Enumerates current members of sensitive Intune / endpoint-management roles
  (Intune Administrator, Endpoint Security Manager, Cloud Device Administrator,
  Windows 365 Administrator, Global Administrator). Baseline for privilege review.
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
tactics:
  - PrivilegeEscalation
relevantTechniques:
  - T1078.004
query: |
  let sensitiveRoles = dynamic([
      "Intune Administrator","Intune Service Administrator",
      "Endpoint Security Manager","Cloud Device Administrator",
      "Windows 365 Administrator","Security Administrator","Global Administrator"]);
  AuditLogs
  | where TimeGenerated > ago(90d)
  | where OperationName has_any ("Add member to role","Add eligible member to role","Remove member from role")
  | mv-expand TargetResources = todynamic(tostring(TargetResources))
  | mv-expand Mod = todynamic(tostring(TargetResources.modifiedProperties))
  | extend PropName = tostring(Mod.displayName),
           NewVal  = tostring(Mod.newValue)
  | where PropName =~ "Role.DisplayName"
  | extend RoleName = replace_string(replace_string(NewVal, '"', ''), '\\', '')
  | where RoleName has_any (sensitiveRoles)
  | extend TargetUser = tostring(TargetResources.userPrincipalName),
           Initiator  = tostring(InitiatedBy.user.userPrincipalName)
  | summarize Events = count(), LastChange = max(TimeGenerated),
              Operations = make_set(OperationName, 10)
            by TargetUser, RoleName, Initiator
  | order by LastChange desc
version: 1.0.0

Explanation

This query is designed to identify and list users who currently hold sensitive roles related to Intune and endpoint management within an organization. It focuses on roles such as Intune Administrator, Endpoint Security Manager, and Global Administrator, among others. Here's a simplified breakdown of what the query does:

  1. Data Source: It uses data from Azure Active Directory's AuditLogs to track changes.

  2. Time Frame: It looks at logs from the past 90 days.

  3. Operations Tracked: The query specifically searches for operations where members are added or removed from roles.

  4. Sensitive Roles: It defines a list of sensitive roles that are of interest, such as Intune Administrator and Global Administrator.

  5. Data Processing:

    • It expands the TargetResources and modifiedProperties arrays of each audit record and reads the Role.DisplayName value, stripping the JSON quoting around it.
    • It filters the data to focus on changes involving the specified sensitive roles.

  6. Output:

    • It summarizes the data to show the number of events, the last change date, and the types of operations performed.
    • It organizes the results by the user who was affected, the role they were involved with, and the initiator of the change.

  7. Sorting: The results are sorted by the most recent change.

This query is useful for monitoring and reviewing privilege changes related to sensitive roles, helping ensure that only authorized users have access to critical administrative functions.
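The filtering and summarize steps of the query, reproduced in Python over constructed AuditLogs-shaped records so the logic can be checked offline. This is an added example, not part of the original query page: the user names, timestamps and the example.test tenant are made up, and exact role-name matching stands in for KQL has_any. A current_holders function is included as well, because the query reports change events rather than net membership.

```python
import json

# Role and operation lists copied from the query above.
SENSITIVE_ROLES = {"Intune Administrator", "Intune Service Administrator", "Endpoint Security Manager",
                   "Cloud Device Administrator", "Windows 365 Administrator", "Security Administrator",
                   "Global Administrator"}
TRACKED_OPS = {"Add member to role", "Add eligible member to role", "Remove member from role"}

# Constructed sample data for a hypothetical tenant (example.test users); dave's role is not sensitive.
_ROWS = [("2026-03-01T09:00:00Z", "Add member to role", "ga@example.test", "alice@example.test", "Intune Administrator"),
         ("2026-03-05T11:30:00Z", "Add member to role", "ga@example.test", "bob@example.test", "Global Administrator"),
         ("2026-03-20T14:00:00Z", "Remove member from role", "ga@example.test", "bob@example.test", "Global Administrator"),
         ("2026-04-02T08:15:00Z", "Add eligible member to role", "pim@example.test", "carol@example.test", "Endpoint Security Manager"),
         ("2026-04-03T08:15:00Z", "Add member to role", "ga@example.test", "dave@example.test", "Helpdesk Administrator")]
SAMPLE_AUDIT_LOGS = [{"TimeGenerated": ts, "OperationName": op,
                      "InitiatedBy": {"user": {"userPrincipalName": who}},
                      # newValue is JSON-encoded in the real column, which is why the query strips quotes/backslashes
                      "TargetResources": [{"userPrincipalName": target, "modifiedProperties": [
                          {"displayName": "Role.DisplayName", "newValue": json.dumps(role)}]}]}
                     for ts, op, who, target, role in _ROWS]

def sensitive_role_events(records):
    """Yield (time, op, initiator, target_user, role) for tracked operations on sensitive roles."""
    for rec in records:
        if rec["OperationName"] not in TRACKED_OPS:
            continue
        initiator = rec["InitiatedBy"].get("user", {}).get("userPrincipalName", "")
        for target in rec["TargetResources"]:
            for prop in target.get("modifiedProperties", []):
                # Same normalisation as the query's nested replace_string; exact match stands in for has_any.
                role = prop.get("newValue", "").replace('"', "").replace("\\", "")
                if prop.get("displayName", "").lower() == "role.displayname" and role in SENSITIVE_ROLES:
                    yield rec["TimeGenerated"], rec["OperationName"], initiator, target.get("userPrincipalName", ""), role

def summarize_changes(records):
    """Mirror of the query's summarize: (TargetUser, RoleName, Initiator) -> Events, LastChange, Operations."""
    summary = {}
    for ts, op, initiator, user, role in sensitive_role_events(records):
        row = summary.setdefault((user, role, initiator), {"Events": 0, "LastChange": "", "Operations": set()})
        row["Events"], row["LastChange"] = row["Events"] + 1, max(row["LastChange"], ts)
        row["Operations"].add(op)
    return summary

def current_holders(records):
    """Replay adds/removes in time order for net (user, role) membership; the query lists events, so removed members still appear there."""
    holders = set()
    for _, op, _, user, role in sorted(sensitive_role_events(records)):
        (holders.discard if op == "Remove member from role" else holders.add)((user, role))
    return holders
```

Eligible (PIM) assignments are counted as holders here so they surface in a privilege review; narrow TRACKED_OPS if only active assignments are wanted.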

Details

David Alonso

Released: April 22, 2026

Tables

AuditLogs

Keywords

Users, Intune, Devices

Operators

let, dynamic, AuditLogs, where, has_any, mv-expand, todynamic, tostring, extend, =~, replace_string, summarize, count, max, make_set, by, order by, desc