Query Details

Service Principal Added To Global Administrator Role

Query

AuditLogs
| where OperationName =~ "Add member to role"
// added to global admin
| where TargetResources has "62e90394-69f5-4237-9190-012177145e10"
| mv-apply AddedRole = TargetResources to typeof(dynamic) on ( where AddedRole.type == "Role" )
| mv-apply AddedServicePrincipal = TargetResources to typeof(dynamic) on ( where AddedServicePrincipal.type == "ServicePrincipal" )
| extend EntraIDRoleDisplayName = "Global Administrator"
| extend EntraIDRoleId = tostring(AddedRole.id)
| extend EntraIDSPAdded = tostring(AddedServicePrincipal.displayName)
| extend EntraIDSPObjectId = tostring(AddedServicePrincipal.id)
| extend Actor = coalesce(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).id))
| extend IPAddress = coalesce(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), tostring(parse_json(tostring(InitiatedBy.app)).ipAddress))
| project
    TimeGenerated,
    OperationName,
    EntraIDRoleDisplayName,
    EntraIDRoleId,
    EntraIDSPAdded,
    EntraIDSPObjectId,
    Actor,
    IPAddress

Explanation

This query is designed to detect when a Service Principal is granted the Global Administrator role in Entra ID (formerly known as Azure AD). Here's a simplified breakdown:

  • Purpose: The rule identifies instances where a Service Principal (a non-human account) is assigned the highly privileged Global Administrator role. This is considered a high-severity event because it can increase security risks, such as unauthorized access or privilege escalation by attackers.

  • Frequency: The query runs every 15 minutes and looks back over the past 20 minutes for relevant events.

  • Detection Logic: It searches through audit logs for operations where a member is added to a role, specifically targeting the Global Administrator role. It extracts details about the role, the Service Principal added, the actor who initiated the change, and their IP address.

  • Alerting: If any such event is detected, an alert is generated. The alert is configured to create an incident, but it won't reopen closed incidents. Events are grouped into a single alert for simplicity.

  • Entity Mapping: The query maps relevant data to entities like Account (using the Service Principal's object ID) and IP (using the IP address of the actor).

  • Suppression: Alerts are not suppressed, but there is a 5-hour suppression duration to prevent repeated alerts for the same event.

Overall, this query helps security teams monitor and respond to potential security threats involving unauthorized privilege assignments to Service Principals.

Details

Fabian Bader profile picture

Fabian Bader

Released: February 5, 2026

Tables

AuditLogs

Keywords

AuditLogsEntraIDRoleServicePrincipalActorIPAddressTimeGeneratedOperationName

Operators

=~hasmv-applytotypeofonwhereextendtostringcoalesceparse_jsonproject

Severity

High

Tactics

PersistencePrivilegeEscalation

MITRE Techniques

Frequency: 15m

Period: 20m

Actions

GitHub