Query Details

Privileged Role Assignment Outside Of PIM

Query

AuditLogs
| where OperationName startswith "Add member to role outside of PIM"
| extend EntraIDRoleDisplayName = tostring(TargetResources[0].displayName)
| extend EntraIDRoleId = tostring(AdditionalDetails[0].value)
| extend EntraIDUserAdded = tostring(TargetResources[2].displayName)
| extend EntraIDObjectId = tostring(TargetResources[2].id)
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| project
    TimeGenerated,
    OperationName,
    EntraIDRoleDisplayName,
    EntraIDRoleId,
    EntraIDUserAdded,
    EntraIDObjectId,
    Actor

Explanation

This query is designed to detect when a user account is assigned to a high-privilege role in Azure Active Directory (AD) without using Privileged Identity Management (PIM). This is a security concern because it bypasses standard security controls like Just-In-Time access, approval workflows, and time-bound access, leading to permanent privileges for the account. This can indicate potential security risks such as:

  • Persistence: An attacker might be trying to maintain access by assigning a high-privilege role to an account, ensuring they retain access even if security policies change.
  • Policy Violation/Evasion: An administrator might be intentionally bypassing security policies and audit trails.

The query looks for audit logs where a member is added to a role outside of PIM, extracts relevant details such as the role name, role ID, user added, and the actor who performed the action, and projects these details for further analysis.

The severity of this activity is considered high, and it is associated with tactics like privilege escalation, defense evasion, and persistence, with specific techniques referenced by their MITRE ATT&CK IDs.

The query results in creating an incident if such an activity is detected, with configurations to group related events and suppress duplicate alerts for a specified duration.

Details

Fabian Bader profile picture

Fabian Bader

Released: February 5, 2026

Tables

AuditLogs

Keywords

AuditLogsAzureADDirectoryRolePrivilegedIdentityManagementUserAccountSecurityRiskAdministrator

Operators

AuditLogswherestartswithextendtostringparse_jsonproject

Severity

High

Tactics

PrivilegeEscalationDefenseEvasionPersistence

MITRE Techniques

Actions

GitHub