Query Details

Entra ID Privileged Role Membership Inventory Via Exposure Graph

Query

ExposureGraphEdges
| where EdgeLabel == "member of"
| where SourceNodeLabel == "user"
| where TargetNodeLabel == "role"
| extend RoleName = TargetNodeName
// Tier 0 – Control Plane (highest criticality) 
| extend RoleTier = case(
    RoleName in (
        "Global Administrator",
        "Privileged Role Administrator",
        "Privileged Authentication Administrator"
    ), "Tier0_ControlPlane",
// Tier 1 – Identity & Security 
    RoleName in (
        "Security Administrator",
        "Conditional Access Administrator",
        "Authentication Administrator",
        "Hybrid Identity Administrator",          // AD Connect / PHS / PTA
        "Identity Governance Administrator",
        "Directory Writers",
        "Domain Name Administrator",
        "Lifecycle Workflows Administrator",
        "External Identity Provider Administrator"
    ), "Tier1_IdentitySecurity",
// Tier 1 – Application & Credential Control 
    RoleName in (
        "Application Administrator",
        "Cloud Application Administrator",
        "Application Developer"                   // can create app registrations
    ), "Tier1_AppCredential",
// Tier 2 – Workload Admins 
    RoleName in (
        "Exchange Administrator",
        "SharePoint Administrator",
        "Teams Administrator",
        "Intune Administrator",
        "User Administrator",
        "Helpdesk Administrator",
        "Cloud Device Administrator",
        "Global Reader"                           // reads everything, incl. sensitive data
    ), "Tier2_WorkloadAdmin",
    "Other"
)
| where RoleTier != "Other"   // only monitored roles

About this query

Explanation

This query is designed to monitor and categorize user-to-role assignments in Microsoft Entra ID, focusing on identifying potentially high-risk or over-privileged accounts. It uses the ExposureGraph table to identify direct, active assignments of users to roles and categorizes these roles into different tiers based on their criticality:

  1. Tier 0 – Control Plane: This includes roles with the highest level of access and control, such as Global Administrator and Privileged Role Administrator.

  2. Tier 1 – Identity & Security: This tier includes roles related to security and identity management, like Security Administrator and Conditional Access Administrator.

  3. Tier 1 – Application & Credential Control: Roles in this category involve application management and credential control, such as Application Administrator.

  4. Tier 2 – Workload Admins: This tier includes roles that manage specific workloads, like Exchange Administrator and Teams Administrator.

The query filters out roles that are not part of these monitored categories, focusing only on those that could pose a significant risk if misconfigured or over-privileged. It does not cover temporary role assignments that are eligible through Privileged Identity Management (PIM) but not yet activated. For such cases, additional data sources like AuditLogs or PIM-specific APIs would be necessary.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: July 12, 2026

Tables

ExposureGraphEdges

Keywords

ExposureGraphEdgesUserRoleAdministratorSecurityApplicationCredentialWorkloadAdminIntuneGlobalReaderIdentityDirectoryDomainNameLifecycleExternalProviderHelpdeskCloudDevice

Operators

|whereextendcasein!=

Actions

GitHub