List All Role Additions
AD Role Additions
Query
AuditLogs
| where OperationName == 'Add member to role'
// If you do want to show PIM activations remove this filter
| where Identity != 'MS-PIM'
| extend RoleLine = tostring(extract(@'Role.DisplayName(.*?)"}', 1, tostring(TargetResources)))
| extend Role = tostring(extract(@'newValue":"\\"(.*?)\\', 1, RoleLine)), userPrincipalName = parse_json(TargetResources).[0].userPrincipalName
| project TimeGenerated, Role, OperationName, userPrincipalName, IdentityAbout this query
List All Role Additions
Query Information
Description
This query list all role additions that have been performed in your tenant. See the Microsoft Link for the default roles that exsits in Azure Active Directory. They contain reader, operator, administrator and other roles. It is good practice to gain insight into the roles that have been assigned to accounts. Based on this query you can build a detection for specific roles with high priviliges such as Global Admin, Security Admin or Exchange Admin.
References
Sentinel
Explanation
This query is designed to list all instances where roles have been added to user accounts within an Azure Active Directory tenant. Here's a simple breakdown of what the query does:
-
Data Source: It pulls data from the
AuditLogs, which records various activities and changes within the Azure environment. -
Filter by Operation: It specifically looks for operations where a member is added to a role, indicated by the
OperationNamebeing 'Add member to role'. -
Exclude PIM Activations: It excludes role additions that are part of Privileged Identity Management (PIM) activations by filtering out entries where the
Identityis 'MS-PIM'. This is optional, and you can remove this filter if you want to include PIM activations. -
Extract Role Information: It extracts the display name of the role that was added using regular expressions to parse the
TargetResourcesfield. -
Extract User Information: It also extracts the
userPrincipalNameof the account to which the role was added. -
Select Relevant Data: Finally, it selects and displays the following information: the time the role was added (
TimeGenerated), the name of the role (Role), the operation name (OperationName), the user principal name (userPrincipalName), and the identity performing the operation (Identity).
This query helps in monitoring and gaining insights into role assignments, particularly focusing on identifying when high-privilege roles like Global Admin, Security Admin, or Exchange Admin are assigned.
Details

Bert-Jan Pals
Released: November 17, 2023
Tables
Keywords
Operators