Privileged Unified Identity Info
Query
id: b7661446-5116-40ae-9f01-79074549ec18
Function:
Title: Parser to get privileged human identities from IdentityInfo table and privileged workloads from WorkloadIdentityInfo for unified list of all privileges
Version: '1.0.0'
LastUpdated: '2025-03-17'
Category: Microsoft Sentinel Parser
FunctionName: PrivilegedUnifiedIdentityInfo
FunctionAlias: PrivilegedUnifiedIdentityInfo
FunctionQuery: |
// Function to get privileged users from IdentityInfo and privileged workloads from WorkloadIdentityInfo
let SensitiveEntraDirectoryRoles = externaldata(RoleName: string, RoleId: string, isPrivileged: bool, Classification: dynamic)["https://raw.githubusercontent.com/Cloud-Architekt/AzurePrivilegedIAM/main/Classification/Classification_EntraIdDirectoryRoles.json"] with(format='multijson')
| where Classification.EAMTierLevelName != "Unclassified"
| project RoleName, isPrivileged, Classification;
let SensitiveUsers = IdentityInfo
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| mv-expand AssignedRoles
| extend RoleName = tostring(AssignedRoles)
| join kind=inner ( SensitiveEntraDirectoryRoles ) on RoleName
| join kind=inner ( SensitiveEntraDirectoryRoles ) on RoleName
| extend AadDirectoryRoleTierLevels = parse_json(Classification.EAMTierLevelName)
| extend Classification = iif((AadDirectoryRoleTierLevels contains "ControlPlane"), "ControlPlane", "Unclassified")
| extend Classification = iif((Classification == "Unclassified" and (AadDirectoryRoleTierLevels contains "ManagementPlane")), "ManagementPlane", Classification)
| extend Classification = iif((Classification == "Unclassified" and (AadDirectoryRoleTierLevels contains "WorkloadPlane")), "WorkloadPlane", Classification)
| extend Classification = iif((Classification == "Unclassified" and (AadDirectoryRoleTierLevels contains "UserAccess")), "UserAccess", Classification)
| summarize RoleAssignments = make_set(RoleName) by AccountObjectId, AccountDisplayName, OnPremisesAccountObjectId, Classification;
let PrivilegedUsers = SensitiveUsers
| extend OnPremSynchronized = iff(isnotempty(OnPremisesAccountObjectId), "true", "false")
| project
ObjectId = tostring(AccountObjectId),
ObjectType = "User",
ObjectDisplayName = AccountDisplayName,
OnPremSynchronized,
tostring(Classification),
EntraIdRoles = RoleAssignments;
let PrivilegedWorkloads = PrivilegedWorkloadIdentityInfo
| where isnotempty(EntraIdRoles) or isnotempty(AppRolePermissions)
| project
ObjectId = tostring(ServicePrincipalObjectId),
ObjectType = WorkloadIdentityType,
ObjectDisplayName = WorkloadIdentityName,
OnPremSynchronized = "false",
Classification = tostring(EnterpriseAccessModelTiering),
EntraIdRoles = EntraIdRoles,
AppRoles = AppRolePermissions;
union PrivilegedUsers, PrivilegedWorkloadsExplanation
This query is designed to create a unified list of privileged identities by combining information about privileged human users and privileged workloads. Here's a simplified breakdown of what the query does:
-
Sensitive Role Identification: It retrieves a list of sensitive roles from an external JSON source, filtering out roles that are unclassified.
-
Sensitive Users Extraction:
- It pulls data from the
IdentityInfotable, focusing on the last 14 days. - It identifies users with assigned roles that match the sensitive roles.
- It classifies these roles into categories like "ControlPlane", "ManagementPlane", "WorkloadPlane", or "UserAccess" based on certain conditions.
- It summarizes the role assignments for each user.
- It pulls data from the
-
Privileged Users Formatting:
- It formats the data for privileged users, including details like whether their account is synchronized with on-premises directories, and lists their role assignments.
-
Privileged Workloads Extraction:
- It pulls data from the
WorkloadIdentityInfotable for workloads with specific role or permission assignments. - It formats this data similarly to the user data, but marks these workloads as not synchronized with on-premises directories.
- It pulls data from the
-
Combining Data:
- It combines the formatted data for both privileged users and workloads into a single unified list.
This unified list can be used for monitoring and managing privileged access within an organization, helping to ensure security and compliance.
Details

Thomas Naunheim
Released: March 17, 2025
Tables
IdentityInfoWorkloadIdentityInfo
Keywords
IdentityInfoWorkloadIdentityInfoRoleNameAccountObjectIdAccountDisplayNameOnPremisesAccountObjectIdServicePrincipalObjectIdWorkloadIdentityTypeWorkloadIdentityNameEnterpriseAccessModelTieringEntraIdRolesAppRolePermissionsClassification
Operators
letexternaldatawithformatwhereprojectsummarizearg_maxbymv-expandextendtostringjoinkindonparse_jsoniifcontainsmake_setiffisnotemptyunion