Entra ID Privileged Role Membership Inventory Via Exposure Graph
Query
ExposureGraphEdges
| where EdgeLabel == "member of"
| where SourceNodeLabel == "user"
| where TargetNodeLabel == "role"
| extend RoleName = TargetNodeName
// Tier 0 – Control Plane (highest criticality)
| extend RoleTier = case(
RoleName in (
"Global Administrator",
"Privileged Role Administrator",
"Privileged Authentication Administrator"
), "Tier0_ControlPlane",
// Tier 1 – Identity & Security
RoleName in (
"Security Administrator",
"Conditional Access Administrator",
"Authentication Administrator",
"Hybrid Identity Administrator", // AD Connect / PHS / PTA
"Identity Governance Administrator",
"Directory Writers",
"Domain Name Administrator",
"Lifecycle Workflows Administrator",
"External Identity Provider Administrator"
), "Tier1_IdentitySecurity",
// Tier 1 – Application & Credential Control
RoleName in (
"Application Administrator",
"Cloud Application Administrator",
"Application Developer" // can create app registrations
), "Tier1_AppCredential",
// Tier 2 – Workload Admins
RoleName in (
"Exchange Administrator",
"SharePoint Administrator",
"Teams Administrator",
"Intune Administrator",
"User Administrator",
"Helpdesk Administrator",
"Cloud Device Administrator",
"Global Reader" // reads everything, incl. sensitive data
), "Tier2_WorkloadAdmin",
"Other"
)
| where RoleTier != "Other" // only monitored rolesAbout this query
Explanation
This query is designed to monitor and categorize user-to-role assignments in Microsoft Entra ID, focusing on identifying potentially high-risk or over-privileged accounts. It uses the ExposureGraph table to identify direct, active assignments of users to roles and categorizes these roles into different tiers based on their criticality:
-
Tier 0 – Control Plane: This includes roles with the highest level of access and control, such as Global Administrator and Privileged Role Administrator.
-
Tier 1 – Identity & Security: This tier includes roles related to security and identity management, like Security Administrator and Conditional Access Administrator.
-
Tier 1 – Application & Credential Control: Roles in this category involve application management and credential control, such as Application Administrator.
-
Tier 2 – Workload Admins: This tier includes roles that manage specific workloads, like Exchange Administrator and Teams Administrator.
The query filters out roles that are not part of these monitored categories, focusing only on those that could pose a significant risk if misconfigured or over-privileged. It does not cover temporary role assignments that are eligible through Privileged Identity Management (PIM) but not yet activated. For such cases, additional data sources like AuditLogs or PIM-specific APIs would be necessary.
Details

Benjamin Zulliger
Released: July 12, 2026
Tables
Keywords
Operators