Service Principal Added To Global Administrator Role
Query
AuditLogs
| where OperationName =~ "Add member to role"
// added to global admin
| where TargetResources has "62e90394-69f5-4237-9190-012177145e10"
| mv-apply AddedRole = TargetResources to typeof(dynamic) on ( where AddedRole.type == "Role" )
| mv-apply AddedServicePrincipal = TargetResources to typeof(dynamic) on ( where AddedServicePrincipal.type == "ServicePrincipal" )
| extend EntraIDRoleDisplayName = "Global Administrator"
| extend EntraIDRoleId = tostring(AddedRole.id)
| extend EntraIDSPAdded = tostring(AddedServicePrincipal.displayName)
| extend EntraIDSPObjectId = tostring(AddedServicePrincipal.id)
| extend Actor = coalesce(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).id))
| extend IPAddress = coalesce(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), tostring(parse_json(tostring(InitiatedBy.app)).ipAddress))
| project
TimeGenerated,
OperationName,
EntraIDRoleDisplayName,
EntraIDRoleId,
EntraIDSPAdded,
EntraIDSPObjectId,
Actor,
IPAddressExplanation
This query is designed to detect when a Service Principal is granted the Global Administrator role in Entra ID (formerly known as Azure AD). Here's a simplified breakdown:
-
Purpose: The rule identifies instances where a Service Principal (a non-human account) is assigned the highly privileged Global Administrator role. This is considered a high-severity event because it can increase security risks, such as unauthorized access or privilege escalation by attackers.
-
Frequency: The query runs every 15 minutes and looks back over the past 20 minutes for relevant events.
-
Detection Logic: It searches through audit logs for operations where a member is added to a role, specifically targeting the Global Administrator role. It extracts details about the role, the Service Principal added, the actor who initiated the change, and their IP address.
-
Alerting: If any such event is detected, an alert is generated. The alert is configured to create an incident, but it won't reopen closed incidents. Events are grouped into a single alert for simplicity.
-
Entity Mapping: The query maps relevant data to entities like Account (using the Service Principal's object ID) and IP (using the IP address of the actor).
-
Suppression: Alerts are not suppressed, but there is a 5-hour suppression duration to prevent repeated alerts for the same event.
Overall, this query helps security teams monitor and respond to potential security threats involving unauthorized privilege assignments to Service Principals.
Details

Fabian Bader
Released: February 5, 2026
Tables
Keywords
Operators
Severity
HighTactics
MITRE Techniques
Frequency: 15m
Period: 20m