High-Privilege Identities Across Subscriptions
EEG High Privilege Identities Across Subscriptions
Query
ExposureGraphEdges
| where EdgeLabel == "has permissions to"
| extend Roles = parse_json(EdgeProperties).rawData.permissions.roles
| mv-expand Roles
| where Roles.name in ("Owner", "Contributor")
| join kind=inner (
ExposureGraphNodes
| project NodeId, Department = tostring(NodeProperties.department)
) on $left.SourceNodeId == $right.NodeIdAbout this query
High-Privilege Identities Across Subscriptions
Query Information
Description
This query finds identities with elevated roles like Owner or Contributor, helping you assess potential privilege escalation risks.
References
Author
- Microsoft
Defender XDR
Explanation
This query is designed to identify identities with high-level permissions, specifically those with "Owner" or "Contributor" roles, across different subscriptions. It helps in assessing the risk of privilege escalation by highlighting users or entities with elevated access rights. Here's a simplified breakdown of what the query does:
-
Data Source: It starts by looking at a dataset called
ExposureGraphEdges, which contains information about permissions relationships between identities and resources. -
Filter for Permissions: The query filters these relationships to only include those where the permission type is "has permissions to".
-
Extract Roles: It extracts the roles associated with these permissions from a JSON field and expands them into individual entries.
-
Role Filtering: It further filters these entries to only include roles named "Owner" or "Contributor", which are considered high-privilege roles.
-
Join with Node Information: The query then joins this filtered data with another dataset,
ExposureGraphNodes, to get additional information about the identities, specifically their department, by matching on a common identifier (NodeId).
In summary, this query helps security teams identify and assess potential risks by listing identities with significant access rights, which could be targets for privilege escalation attacks.
Details

Alex Verboon
Released: June 29, 2025
Tables
Keywords
Operators