Query Details

Service Principal Enumeration Of App Role Assignments

Query

MicrosoftGraphActivityLogs
| where RequestMethod == "GET"
| where isempty( UserId )
| where RequestUri has_all ("/servicePrincipals/","/appRoleAssignments")

Explanation

This query is designed to detect potentially suspicious activity involving non-human identities, such as Service Principals or Managed Identities, using the Microsoft Graph API to list application role assignments. Here's a simplified breakdown:

  • Purpose: The query identifies instances where a Service Principal or Managed Identity makes a GET request to the Microsoft Graph API endpoint /appRoleAssignments without a UserId. This indicates that the request is made by an application rather than a human user.

  • Suspicion: Such behavior is flagged as potentially suspicious because it can be used for reconnaissance. An attacker who has compromised a Service Principal might use this technique to explore and map out the permissions and roles assigned to various principals, which could help them escalate privileges or move laterally within the system.

  • Severity: The activity is considered to have a medium level of severity.

  • Detection Method: The query filters logs from MicrosoftGraphActivityLogs for GET requests where the UserId is empty and the request URI contains both /servicePrincipals/ and /appRoleAssignments.

  • Response: If such activity is detected, an alert is generated, and an incident is created. The system is configured to group related events into a single incident for easier management.

  • Additional Details: The query includes mappings for IP addresses and application IDs to help identify the source of the activity.

Overall, this query helps security teams monitor for unauthorized or suspicious use of application identities in their environment, which could indicate a security threat.

Details

Fabian Bader profile picture

Fabian Bader

Released: February 5, 2026

Tables

MicrosoftGraphActivityLogs

Keywords

MicrosoftGraphAPIServicePrincipalManagedIdentityAppRoleAssignmentsUserDirectoryManagementPrivilegesPermissionsLateralMovementPrivilegeEscalationDiscoveryIPCloudApplication

Operators

==isemptyhas_all

Severity

Medium

Tactics

Discovery

MITRE Techniques

Actions

GitHub