Query Details
Successful Role Assignments
Query
//Show the count of successful role assignments per user. AzureActivity | where TimeGenerated > ago(90d) and Authorization contains "Microsoft.Authorization/roleAssignments/write" and ActivityStatusValue == "Success" | parse ResourceId with * "/providers/" TargetResourceAuthProvider "/" * | summarize count(), makeset(Caller) by TargetResourceAuthProvider
Explanation
This query shows the number of successful role assignments per user. It filters the Azure activity logs for the past 90 days and looks for role assignments that were successfully written. It then extracts the target resource authentication provider from the resource ID and summarizes the count of role assignments and the unique callers (users) by the target resource authentication provider.
Details
Rod Trent
Released: June 2, 2022
Tables
AzureActivity
Keywords
AzureActivity,TimeGenerated,Authorization,Microsoft.Authorization/roleAssignments/write,ActivityStatusValue,ResourceId,TargetResourceAuthProvider,Caller
Operators
where>agoandcontains==parsewith*/providers//summarizecount()makeset()by