Query Details

Privileged Role Assignment Outside Of PIM

Query

id: f47104dd-c4b1-47b9-8406-7eda3016b787
name: Privileged Role Assignment Outside of PIM
version: 1.0.0
kind: NRT
description: |-
  Detects that a user account was assigned to an Azure AD directory role without using Privileged Identity Management (PIM).
  This activity indicates that standard security governance controls—such as Just-In-Time (JIT) access, approval workflows, and time-bound duration—were bypassed.
  The assignment creates "standing access" (permanent privileges) for the target account, which is a significant security risk indicating:
  * Persistence: An attacker solidifying their foothold by hard-coding an account into a high-privileged role to survive future token resets or PIM policy changes.
  * Policy Violation/Evasion: An administrator intentionally circumventing the audit trail and justification requirements associated with PIM.
severity: High
tactics:
- PrivilegeEscalation
- DefenseEvasion
- Persistence
relevantTechniques:
- T1098.003
- T1562
- T1078.004
query: |-
  AuditLogs
  // Direct (non-PIM) role assignments share this OperationName prefix; startswith is case-insensitive
  | where OperationName startswith "Add member to role outside of PIM"
  // TargetResources[0] is the role, TargetResources[2] the principal that was added
  | extend EntraIDRoleDisplayName = tostring(TargetResources[0].displayName)
  | extend EntraIDRoleId = tostring(AdditionalDetails[0].value)
  | extend EntraIDUserAdded = tostring(TargetResources[2].displayName)
  | extend EntraIDObjectId = tostring(TargetResources[2].id)
  // InitiatedBy.user is dynamic; round-trip through tostring/parse_json before reading the UPN
  | extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
  | project
      TimeGenerated,
      OperationName,
      EntraIDRoleDisplayName,
      EntraIDRoleId,
      EntraIDUserAdded,
      EntraIDObjectId,
      Actor
customDetails:
  EntraRole: EntraIDRoleDisplayName
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: EntraIDUserAdded
  - identifier: AadUserId
    columnName: EntraIDObjectId
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: Actor
suppressionEnabled: false
suppressionDuration: 5h
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 5h
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []
eventGroupingSettings:
  aggregationKind: AlertPerResult

Explanation

This query is designed to detect when a user account is assigned to a high-privilege role in Azure Active Directory (AD) without using Privileged Identity Management (PIM). This is a security concern because it bypasses standard security controls like Just-In-Time access, approval workflows, and time-bound access, leading to permanent privileges for the account. This can indicate potential security risks such as:

  • Persistence: An attacker might be trying to maintain access by assigning a high-privilege role to an account, ensuring they retain access even if security policies change.
  • Policy Violation/Evasion: An administrator might be intentionally bypassing security policies and audit trails.

The query looks for audit logs whose operation name begins with "Add member to role outside of PIM", extracts the role name, role ID, the user that was added (with its object ID), and the actor who performed the action, and projects these fields for further analysis.
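The same field extraction and filter, re-implemented in Python over constructed sample AuditLogs rows so the logic can be exercised offline. This is example code added here, not the rule author's or Microsoft's code; the row layout (TargetResources, AdditionalDetails, InitiatedBy) is an assumption that mirrors the indexes the KQL uses, and all identifiers and user names in the sample rows are placeholders. It also reproduces two details the KQL relies on: `startswith` being case-insensitive, and `InitiatedBy.user` sometimes arriving as a JSON string rather than an already-parsed object.

```python
import json
from typing import Any, Dict, List

# Constructed sample AuditLogs rows with placeholder IDs and fictional users.
# Rows 0 and 2 should match the detection; row 1 is a PIM-governed change and must be ignored.
SAMPLE_AUDIT_LOGS: List[Dict[str, Any]] = [
    {
        "TimeGenerated": "2026-02-05T10:15:00Z",
        "OperationName": "Add member to role outside of PIM (permanent)",
        "TargetResources": [
            {"displayName": "Global Administrator", "id": "ROLE-OBJECT-PLACEHOLDER"},
            {"displayName": "", "id": "REQUEST-PLACEHOLDER"},
            {"displayName": "Alice Example", "id": "11111111-1111-1111-1111-111111111111"},
        ],
        "AdditionalDetails": [{"key": "RoleDefinitionOriginId", "value": "ROLE-TEMPLATE-PLACEHOLDER"}],
        # InitiatedBy.user already parsed into an object (the usual dynamic-column shape)
        "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example", "id": "ADMIN-ID-PLACEHOLDER"}},
    },
    {
        "TimeGenerated": "2026-02-05T10:20:00Z",
        "OperationName": "Add member to role completed (PIM activation)",
        "TargetResources": [
            {"displayName": "Security Administrator", "id": "ROLE-OBJECT-PLACEHOLDER-2"},
            {"displayName": "", "id": "REQUEST-PLACEHOLDER-2"},
            {"displayName": "Bob Example", "id": "22222222-2222-2222-2222-222222222222"},
        ],
        "AdditionalDetails": [{"key": "RoleDefinitionOriginId", "value": "ROLE-TEMPLATE-PLACEHOLDER-2"}],
        "InitiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
    },
    {
        "TimeGenerated": "2026-02-05T11:02:00Z",
        "OperationName": "add member to role outside of pim (timebound)",  # lower case: startswith still matches
        "TargetResources": [
            {"displayName": "Privileged Role Administrator", "id": "ROLE-OBJECT-PLACEHOLDER-3"},
            {"displayName": "", "id": "REQUEST-PLACEHOLDER-3"},
            {"displayName": "Carol Example", "id": "33333333-3333-3333-3333-333333333333"},
        ],
        "AdditionalDetails": [{"key": "RoleDefinitionOriginId", "value": "ROLE-TEMPLATE-PLACEHOLDER-3"}],
        # InitiatedBy.user arriving as a JSON string: the reason the KQL wraps it in parse_json(tostring(...))
        "InitiatedBy": {"user": json.dumps({"userPrincipalName": "svc-automation@contoso.example"})},
    },
]

OPERATION_PREFIX = "add member to role outside of pim"


def _field(seq: List[Any], index: int, key: str) -> str:
    """Mirror KQL tostring(seq[index].key): a missing index or key yields an empty string."""
    try:
        value = seq[index].get(key)
    except (IndexError, AttributeError):
        return ""
    return "" if value is None else str(value)


def _initiator_upn(initiated_by: Any) -> str:
    """Mirror tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)."""
    user = (initiated_by or {}).get("user")
    if isinstance(user, str):
        user = json.loads(user) if user else {}
    if not isinstance(user, dict):
        return ""
    return str(user.get("userPrincipalName") or "")


def detect_role_assignment_outside_pim(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one projected row per record whose OperationName starts with the non-PIM prefix."""
    findings = []
    for rec in records:
        op = str(rec.get("OperationName") or "")
        # KQL startswith is case-insensitive, so compare on a lower-cased copy
        if not op.lower().startswith(OPERATION_PREFIX):
            continue
        targets = rec.get("TargetResources") or []
        details = rec.get("AdditionalDetails") or []
        findings.append({
            "TimeGenerated": rec.get("TimeGenerated"),
            "OperationName": op,
            "EntraIDRoleDisplayName": _field(targets, 0, "displayName"),
            "EntraIDRoleId": _field(details, 0, "value"),
            "EntraIDUserAdded": _field(targets, 2, "displayName"),
            "EntraIDObjectId": _field(targets, 2, "id"),
            "Actor": _initiator_upn(rec.get("InitiatedBy")),
        })
    return findings


def to_alert(finding: Dict[str, Any]) -> Dict[str, Any]:
    """Shape one finding the way the rule's customDetails and entityMappings describe (one alert per result)."""
    return {
        "customDetails": {"EntraRole": finding["EntraIDRoleDisplayName"]},
        "entities": [
            {"entityType": "Account", "Name": finding["EntraIDUserAdded"], "AadUserId": finding["EntraIDObjectId"]},
            {"entityType": "Account", "Name": finding["Actor"]},
        ],
    }


if __name__ == "__main__":
    for row in detect_role_assignment_outside_pim(SAMPLE_AUDIT_LOGS):
        print(json.dumps(to_alert(row), indent=2))
```

The `_field` helper returns an empty string for a missing array element, which is what `tostring()` on a missing dynamic path does in KQL; in a real triage that empty `EntraIDUserAdded` is itself worth noticing, since it means the audit record did not have the principal at index 2.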

The severity of this activity is considered high, and it is associated with tactics like privilege escalation, defense evasion, and persistence, with specific techniques referenced by their MITRE ATT&CK IDs.

Each matching result produces its own alert (AlertPerResult) and an incident is created; related alerts within the 5h lookback window are grouped when all entities match. A 5h suppression duration is defined but suppression is disabled, so repeated assignments each raise an alert.

Details

Fabian Bader

Released: February 5, 2026

Tables

AuditLogs

Keywords

AuditLogs, Azure AD, Directory Role, Privileged Identity Management, User Account, Security Risk, Administrator

Operators

AuditLogs, where, startswith, extend, tostring, parse_json, project