Query Details
id: c1c31ed6-925b-4385-905d-c1161d6a955c
name: Service Principal Enumeration of App Role Assignments
version: 1.0.0
kind: NRT
description: |-
  This rule detects a non-human identity (Service Principal or Managed Identity) utilizing the Microsoft Graph API to list App Role assignments (`/appRoleAssignments`). The query filters for `GET` requests where the `UserId` is empty, isolating activity performed by applications rather than interactive users.
  This behavior is potentially suspicious as it is a common reconnaissance technique. An attacker who has compromised a Service Principal may use this API call to map out privileges and discover high-value permissions (e.g., `Directory.ReadWrite.All` or `RoleManagement.ReadWrite.Directory`) assigned to that principal or others, facilitating lateral movement or privilege escalation.
severity: Medium
tactics:
  - Discovery
relevantTechniques:
  - T1069.003
query: |-
  MicrosoftGraphActivityLogs
  | where RequestMethod == "GET"
  | where isempty(UserId)
  | where RequestUri has_all ("/servicePrincipals/", "/appRoleAssignments")
alertDetailsOverride:
  alertDynamicProperties: []
customDetails:
  UniqueTokenId: UniqueTokenId
  SessionId: SessionId
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
  - entityType: CloudApplication
    fieldMappings:
      - identifier: AppId
        columnName: AppId
suppressionEnabled: false
suppressionDuration: 5h
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 5h
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []
eventGroupingSettings:
  aggregationKind: AlertPerResult
This query is designed to detect potentially suspicious activity involving non-human identities, such as Service Principals or Managed Identities, using the Microsoft Graph API to list application role assignments. Here's a simplified breakdown:
Purpose: The query identifies instances where a Service Principal or Managed Identity makes a GET request to a Microsoft Graph API /servicePrincipals/ endpoint that lists /appRoleAssignments, with no UserId on the request. An empty UserId indicates that the request was made by an application rather than a human user.
Suspicion: Such behavior is flagged as potentially suspicious because it can be used for reconnaissance. An attacker who has compromised a Service Principal might use this technique to explore and map out the permissions and roles assigned to various principals, which could help them escalate privileges or move laterally within the system.
Severity: The activity is considered to have a medium level of severity.
Detection Method: The query filters logs from MicrosoftGraphActivityLogs for GET requests where the UserId is empty and the request URI contains both /servicePrincipals/ and /appRoleAssignments.
Response: If such activity is detected, an alert is generated, and an incident is created. The system is configured to group related events into a single incident for easier management.
Additional Details: The query includes mappings for IP addresses and application IDs to help identify the source of the activity.
Overall, this query helps security teams monitor for unauthorized or suspicious use of application identities in their environment, which could indicate a security threat.
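To check the filter logic offline before deploying or tuning the rule, here is an added Python re-implementation of the three `where` clauses above, run over constructed sample records. It is an example written for this page, not the rule's own code or part of Sentinel. Column names follow the KQL; the KQL semantics mirrored are that `==` is a case-sensitive string comparison, `isempty()` is true for null or the empty string, and `has_all` is case-insensitive (approximated here as substring matching). The `KNOWN_AUTOMATION_APPIDS` allowlist is a hypothetical tuning knob, not part of the rule.

```python
"""Offline re-implementation of the rule's filter (added example, not the rule's own code).

The sample records below are constructed to mimic the MicrosoftGraphActivityLogs
columns the KQL references; they are not real telemetry.
"""
from collections import Counter

# Constructed sample events (not real data); identifiers are obviously synthetic.
SAMPLE_EVENTS = [
    {   # non-human identity listing a service principal's role assignments -> alert
        "RequestMethod": "GET", "UserId": "",
        "RequestUri": "https://graph.microsoft.com/v1.0/servicePrincipals/sp-example-1/appRoleAssignments",
        "AppId": "app-example-automation", "IPAddress": "203.0.113.10",
        "UniqueTokenId": "tok-example-1", "SessionId": "sess-example-1",
    },
    {   # same endpoint, but an interactive user (UserId set) -> excluded
        "RequestMethod": "GET", "UserId": "user-example-1",
        "RequestUri": "https://graph.microsoft.com/v1.0/servicePrincipals/sp-example-1/appRoleAssignments",
        "AppId": "app-example-portal", "IPAddress": "203.0.113.11",
        "UniqueTokenId": "tok-example-2", "SessionId": "sess-example-2",
    },
    {   # POST creates an assignment; the rule only covers listing (GET) -> excluded
        "RequestMethod": "POST", "UserId": None,
        "RequestUri": "https://graph.microsoft.com/v1.0/servicePrincipals/sp-example-1/appRoleAssignments",
        "AppId": "app-example-automation", "IPAddress": "203.0.113.10",
        "UniqueTokenId": "tok-example-3", "SessionId": "sess-example-1",
    },
    {   # role assignments of a *user* object, not a service principal -> excluded
        "RequestMethod": "GET", "UserId": None,
        "RequestUri": "https://graph.microsoft.com/v1.0/users/user-example-2/appRoleAssignments",
        "AppId": "app-example-hr-sync", "IPAddress": "203.0.113.12",
        "UniqueTokenId": "tok-example-4", "SessionId": "sess-example-3",
    },
    {   # null UserId, beta endpoint, different path casing -> has_all still matches
        "RequestMethod": "GET", "UserId": None,
        "RequestUri": "https://graph.microsoft.com/beta/ServicePrincipals/sp-example-2/AppRoleAssignments",
        "AppId": "app-example-scanner", "IPAddress": "198.51.100.7",
        "UniqueTokenId": "tok-example-5", "SessionId": "sess-example-4",
    },
]

# Hypothetical tuning knob (not in the rule): AppIds of automation that has been
# baselined as legitimately enumerating role assignments.
KNOWN_AUTOMATION_APPIDS = set()


def is_empty(value) -> bool:
    """Mirror KQL isempty(): true for null (None) or the empty string."""
    return value is None or value == ""


def has_all(text, terms) -> bool:
    """Approximate KQL has_all: every term present, case-insensitively."""
    haystack = (text or "").lower()
    return all(term.lower() in haystack for term in terms)


def matches_rule(event) -> bool:
    """The three `where` clauses of the query, in order."""
    return (
        event.get("RequestMethod") == "GET"  # == is case-sensitive in KQL
        and is_empty(event.get("UserId"))
        and has_all(event.get("RequestUri"), ("/servicePrincipals/", "/appRoleAssignments"))
    )


def run_rule(events, allowlist=KNOWN_AUTOMATION_APPIDS):
    """Return one alert per matching row (aggregationKind: AlertPerResult),
    carrying the rule's entity mappings and custom details."""
    alerts = []
    for event in events:
        if not matches_rule(event) or event.get("AppId") in allowlist:
            continue
        alerts.append({
            "entities": {"IP": event.get("IPAddress"), "CloudApplication": event.get("AppId")},
            "customDetails": {"UniqueTokenId": event.get("UniqueTokenId"),
                              "SessionId": event.get("SessionId")},
        })
    return alerts


def count_by_app(events) -> Counter:
    """Triage helper: matching requests per AppId, to decide which automation
    to baseline into the allowlist before the rule goes live."""
    return Counter(e.get("AppId") for e in events if matches_rule(e))


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
    print(count_by_app(SAMPLE_EVENTS))
```

On the constructed sample, two of the five records alert (the v1.0 and the differently cased beta request), while the interactive-user, POST and `/users/` requests fall through; `count_by_app` over a real export is the quickest way to see which identities would fire before enabling the rule.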

Fabian Bader
Released: February 5, 2026