Query Details

KQL Detection: Global Administrator Elevation to User Access Administrator

Azure RBAC Elevation Via User Access Admin Toggle

Query

AuditLogs
| where Category == "AzureRBACRoleManagementElevateAccess"
| where ActivityDisplayName == "User has elevated their access to User Access Administrator for their Azure Resources"
| extend Actor = tostring(InitiatedBy.user.displayName)
| extend ActorUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend ActorId = tostring(InitiatedBy.user.id)
| extend Operation = tostring(OperationName)
| extend IPAddress = tostring(InitiatedBy.user.ipAddress)
| extend AppId = tostring(InitiatedBy.app.appId)
| project TimeGenerated, ActivityDisplayName, Category, Operation, Actor, ActorUPN, ActorId, IPAddress, AppId, Result, ResultReason, CorrelationId
| order by TimeGenerated desc

About this query

Explanation

This document explains a KQL query designed to detect when a Global Administrator in Microsoft Entra ID elevates their access to become a User Access Administrator at the Azure root level. This action allows them to manage all Azure subscriptions and management groups, which can be risky if their account is compromised. The query is intended for use in Azure Monitor Log Analytics or Microsoft Sentinel to monitor and investigate such events.

Key Points:

  1. Purpose:

    • The query identifies when a Global Administrator uses a specific toggle to gain broader access, potentially bypassing security principles.
    • This action should be monitored closely due to its high impact.
  2. Prerequisites:

    • Entra ID Audit Logs must be sent to a Log Analytics workspace.
    • The workspace must have an AuditLogs table.
    • Appropriate permissions are required to run the query.
  3. How the Query Works:

    • Filters logs to find elevation actions related to Azure RBAC.
    • Extracts details about the user and context of the action.
    • Displays relevant information such as the user’s name, IP address, and the time of the event.
    • Sorts results to show the most recent events first.
  4. Running the Query:

    • Can be executed in Log Analytics or Microsoft Sentinel for investigation or as part of a scheduled rule to generate alerts.
  5. Interpreting Results:

    • Each result row represents an elevation event.
    • Key details include the time, user information, and operation result.
    • Follow-up actions include verifying the user’s authorization and checking for any suspicious activity.
  6. Using in Analytics Rule:

    • The query can be converted into a scheduled rule in Sentinel to continuously monitor for these events and generate alerts.
  7. Limitations:

    • The query relies on the ingestion of Entra ID Audit Logs.
    • Future changes in log structure may require updates to the query.
    • Assumes only authorized Global Administrators can perform this action.

This query helps ensure that any unauthorized or unexpected access elevation is quickly identified and investigated to maintain security.

Details

Nathan Hutchinson profile picture

Nathan Hutchinson

Released: February 2, 2026

Tables

AuditLogs

Keywords

AuditLogsAzureRBACRoleManagementElevateAccessUserAccessAdministratorAzureResourcesEntraIDGlobalLogAnalyticsMicrosoftSentinelActorActorUPNActorIdOperationIPAddressAppIdResultResultReasonCorrelationId

Operators

AuditLogswhereextendtostringprojectorder by

Actions

GitHub