Query Details

Service Principal Added To Global Administrator Role

Query

id: ad23a34c-ba65-4096-9729-fb2c6742db71
name: Service Principal Added to Global Administrator Role
version: 1.0.0
kind: Scheduled
description: |-
  This rule detects when a Service Principal is granted the Global Administrator role in Entra ID (formerly Azure AD).
  Assigning highly privileged roles to non-human accounts (Service Principals) increases the attack surface and is often an indicator of persistence mechanisms or privilege escalation by an attacker.
severity: High
queryFrequency: 15m
queryPeriod: 20m
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
- PrivilegeEscalation
relevantTechniques:
- T1098.003
query: |-
  AuditLogs
  | where OperationName =~ "Add member to role"
  // added to global admin
  | where TargetResources has "62e90394-69f5-4237-9190-012177145e10"
  | mv-apply AddedRole = TargetResources to typeof(dynamic) on ( where AddedRole.type == "Role" )
  | mv-apply AddedServicePrincipal = TargetResources to typeof(dynamic) on ( where AddedServicePrincipal.type == "ServicePrincipal" )
  | extend EntraIDRoleDisplayName = "Global Administrator"
  | extend EntraIDRoleId = tostring(AddedRole.id)
  | extend EntraIDSPAdded = tostring(AddedServicePrincipal.displayName)
  | extend EntraIDSPObjectId = tostring(AddedServicePrincipal.id)
  | extend Actor = coalesce(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).id))
  | extend IPAddress = coalesce(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), tostring(parse_json(tostring(InitiatedBy.app)).ipAddress))
  | project
      TimeGenerated,
      OperationName,
      EntraIDRoleDisplayName,
      EntraIDRoleId,
      EntraIDSPAdded,
      EntraIDSPObjectId,
      Actor,
      IPAddress
suppressionEnabled: false
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 5h
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []
eventGroupingSettings:
  aggregationKind: SingleAlert
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: ObjectGuid
    columnName: EntraIDSPObjectId
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPAddress
suppressionDuration: 5h

Explanation

This query is designed to detect when a Service Principal is granted the Global Administrator role in Entra ID (formerly known as Azure AD). Here's a simplified breakdown:

  • Purpose: The rule identifies instances where a Service Principal (a non-human account) is assigned the highly privileged Global Administrator role. This is considered a high-severity event because it can increase security risks, such as unauthorized access or privilege escalation by attackers.

  • Frequency: The query runs every 15 minutes and looks back over the past 20 minutes for relevant events.

  • Detection Logic: It searches through audit logs for operations where a member is added to a role, specifically targeting the Global Administrator role. It extracts details about the role, the Service Principal added, the actor who initiated the change, and their IP address.

  • Alerting: If any such event is detected, an alert is generated. The alert is configured to create an incident, but it won't reopen closed incidents. Events are grouped into a single alert for simplicity.

  • Entity Mapping: The query maps relevant data to entities like Account (using the Service Principal's object ID) and IP (using the IP address of the actor).

  • Suppression: Alert suppression is disabled (suppressionEnabled: false); the 5-hour suppressionDuration in the rule would only take effect if suppression were switched on.

Overall, this query helps security teams monitor and respond to potential security threats involving unauthorized privilege assignments to Service Principals.
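The detection logic described above, re-implemented in Python over constructed AuditLogs-style records so it can be exercised offline. This is an added example, not code from the page or from the rule's author; the record shape (OperationName, TargetResources, InitiatedBy) mirrors the fields the KQL reads, and the sample values are invented.

```python
import json

# Template ID of the Global Administrator role; the same GUID the KQL rule matches on.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"


def detect_sp_added_to_global_admin(events):
    """Mirror the rule's where / mv-apply / extend steps over AuditLogs-like dicts
    and return one finding per (Role, ServicePrincipal) pair, as the rule projects."""
    findings = []
    for ev in events:
        if str(ev.get("OperationName", "")).lower() != "add member to role":  # =~ is case-insensitive
            continue
        targets = ev.get("TargetResources") or []
        if GLOBAL_ADMIN_ROLE_ID not in json.dumps(targets).lower():  # approximates `has` on the array
            continue
        roles = [t for t in targets if t.get("type") == "Role"]
        sps = [t for t in targets if t.get("type") == "ServicePrincipal"]
        if not roles or not sps:  # both mv-apply stages must yield a row; a User member never does
            continue
        initiated = ev.get("InitiatedBy") or {}
        user, app = initiated.get("user") or {}, initiated.get("app") or {}
        for role in roles:
            for sp in sps:
                findings.append({
                    "TimeGenerated": ev.get("TimeGenerated"),
                    "OperationName": ev["OperationName"],
                    "EntraIDRoleDisplayName": "Global Administrator",
                    "EntraIDRoleId": str(role.get("id", "")),
                    "EntraIDSPAdded": str(sp.get("displayName", "")),
                    "EntraIDSPObjectId": str(sp.get("id", "")),
                    # coalesce(user.userPrincipalName, app.id); same pattern for ipAddress
                    "Actor": user.get("userPrincipalName") or app.get("id"),
                    "IPAddress": user.get("ipAddress") or app.get("ipAddress"),
                })
    return findings


# Constructed sample records (not real tenant data) in the shape the rule reads:
# one SP added by a user, one SP added by an app, one human user added (no finding).
GA_ROLE = {"id": GLOBAL_ADMIN_ROLE_ID, "displayName": "Global Administrator", "type": "Role"}
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-02-05T10:00:00Z", "OperationName": "Add member to role",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example", "ipAddress": "203.0.113.10"}},
     "TargetResources": [{"id": "1111-sp", "displayName": "backup-automation", "type": "ServicePrincipal"}, GA_ROLE]},
    {"TimeGenerated": "2026-02-05T10:05:00Z", "OperationName": "Add member to role",
     "InitiatedBy": {"app": {"id": "2222-app", "ipAddress": "198.51.100.7"}},
     "TargetResources": [{"id": "3333-sp", "displayName": "ci-deployer", "type": "ServicePrincipal"}, GA_ROLE]},
    {"TimeGenerated": "2026-02-05T10:10:00Z", "OperationName": "Add member to role",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example", "ipAddress": "203.0.113.10"}},
     "TargetResources": [{"id": "4444-user", "userPrincipalName": "bob@contoso.example", "type": "User"}, GA_ROLE]},
]
```

Running `detect_sp_added_to_global_admin(SAMPLE_EVENTS)` yields two findings (the user-initiated and app-initiated SP assignments) and drops the human-user assignment, matching what the rule would surface.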

Details


Fabian Bader

Released: February 5, 2026

Tables

AuditLogs

Keywords

AuditLogs, EntraID, Role, ServicePrincipal, Actor, IPAddress, TimeGenerated, OperationName

Operators

=~, has, mv-apply, to, typeof, on, where, extend, tostring, coalesce, parse_json, project
