Query Details

Potential Entra Admin Synced Back On Premise

Query

IdentityInfo // Advanced Hunting table; can also be ingested into Sentinel
| where TimeGenerated > ago(30d) // Captures a user only if the record changed in the last 30 days
| where isnotempty(AccountDomain)
| where isnotempty(tostring(AssignedRoles))
| where tostring(AssignedRoles) contains "admin" // case-insensitive substring match on the role list
| where IdentityEnvironment == @"Hybrid"
| sort by TimeGenerated desc // note: the summarize below discards this order
| summarize by AccountUpn, OnPremObjectId, tostring(AssignedRoles), AccountDomain

Explanation

This query is designed to search through the IdentityInfo table, which is used for advanced hunting and can be integrated into Microsoft Sentinel. Here's a breakdown of what the query does in simple terms:

  1. Time Filter: It looks for records where changes have occurred in the last 30 days.

  2. Domain and Role Filters: It keeps only records where AccountDomain is not empty and where the AssignedRoles field is not empty and contains the word "admin" (a case-insensitive substring match, so any role name containing "admin" qualifies). This means it is specifically looking for users holding administrative roles.

  3. Environment Filter: It further narrows down the results to those where the IdentityEnvironment is "Hybrid", indicating a mixed environment of on-premises and cloud resources.

  4. Sorting: The results are sorted by the TimeGenerated field in descending order, meaning the most recent changes appear first.

  5. Summarization: Finally, it summarizes the data by grouping the results based on AccountUpn (User Principal Name), OnPremObjectId (the on-premises object ID), AssignedRoles, and AccountDomain. This means it will provide a distinct list of users with their roles and domains, without duplicate entries.

Overall, the query is used to identify and list users with administrative roles in a hybrid environment who have had changes in their account information in the past 30 days.
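As an added illustration (not part of the original query page), the Python below replays the same filter chain over a handful of constructed IdentityInfo rows, so the effect of each clause can be checked without a workspace. The row layout and every value in it are assumptions; `contains` is modelled as a case-insensitive substring match and `tostring()` of the dynamic role array as its JSON text, which is why a hybrid account holding only a role such as Global Reader is not returned.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed reference time and sample IdentityInfo rows (not real tenant data).
NOW = datetime(2026, 6, 30, tzinfo=timezone.utc)


def row(upn, days_ago, env, roles, onprem_id="", domain="contoso"):
    """Build one IdentityInfo-like record with the columns the query touches."""
    return {"TimeGenerated": NOW - timedelta(days=days_ago), "AccountUpn": upn,
            "IdentityEnvironment": env, "AssignedRoles": roles,
            "OnPremObjectId": onprem_id, "AccountDomain": domain}


SAMPLE_ROWS = [
    row("alice@contoso.example", 2, "Hybrid", ["Global Administrator"], "aaaa-0001"),
    row("alice@contoso.example", 9, "Hybrid", ["Global Administrator"], "aaaa-0001"),   # duplicate snapshot
    row("bob@contoso.example", 1, "Cloud", ["Security Administrator"]),                 # cloud-only
    row("carol@contoso.example", 45, "Hybrid", ["Exchange Administrator"], "aaaa-0003"),  # outside 30d
    row("dave@contoso.example", 3, "Hybrid", ["Global Reader"], "aaaa-0004"),           # no "admin"
    row("erin@contoso.example", 4, "Hybrid", None, "aaaa-0005"),                        # null role list
    row("frank@contoso.example", 6, "Hybrid", ["User Administrator"], "aaaa-0006", domain=""),  # empty domain
]


def hunt_hybrid_admins(rows, now=NOW, lookback_days=30):
    """Apply the query's where-clauses and return the distinct summarize tuples."""
    cutoff = now - timedelta(days=lookback_days)
    hits = set()
    for r in rows:
        if not r["TimeGenerated"] > cutoff:          # where TimeGenerated > ago(30d)
            continue
        if not r["AccountDomain"]:                   # where isnotempty(AccountDomain)
            continue
        # tostring() of a dynamic array yields JSON text; a null array yields ""
        roles_str = json.dumps(r["AssignedRoles"]) if r["AssignedRoles"] is not None else ""
        if not roles_str:                            # where isnotempty(tostring(AssignedRoles))
            continue
        if "admin" not in roles_str.lower():         # contains is case-insensitive
            continue
        if r["IdentityEnvironment"] != "Hybrid":     # == is an exact, case-sensitive match
            continue
        # summarize by ... : sort order is irrelevant, only distinct tuples survive
        hits.add((r["AccountUpn"], r["OnPremObjectId"], roles_str, r["AccountDomain"]))
    return sorted(hits)
```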

Details


Jay Kerai

Released: June 30, 2026

Tables

IdentityInfo

Keywords

IdentityInfo, User, Admin, Hybrid, AccountUpn, OnPremObjectId, AccountDomain

Operators

where, ago, isnotempty, tostring, contains, sort by, summarize
