Service Principal Enumeration Of App Role Assignments
Query
MicrosoftGraphActivityLogs
| where RequestMethod == "GET"
| where isempty( UserId )
| where RequestUri has_all ("/servicePrincipals/","/appRoleAssignments")Explanation
This query is designed to detect potentially suspicious activity involving non-human identities, such as Service Principals or Managed Identities, using the Microsoft Graph API to list application role assignments. Here's a simplified breakdown:
-
Purpose: The query identifies instances where a Service Principal or Managed Identity makes a
GETrequest to the Microsoft Graph API endpoint/appRoleAssignmentswithout aUserId. This indicates that the request is made by an application rather than a human user. -
Suspicion: Such behavior is flagged as potentially suspicious because it can be used for reconnaissance. An attacker who has compromised a Service Principal might use this technique to explore and map out the permissions and roles assigned to various principals, which could help them escalate privileges or move laterally within the system.
-
Severity: The activity is considered to have a medium level of severity.
-
Detection Method: The query filters logs from
MicrosoftGraphActivityLogsforGETrequests where theUserIdis empty and the request URI contains both/servicePrincipals/and/appRoleAssignments. -
Response: If such activity is detected, an alert is generated, and an incident is created. The system is configured to group related events into a single incident for easier management.
-
Additional Details: The query includes mappings for IP addresses and application IDs to help identify the source of the activity.
Overall, this query helps security teams monitor for unauthorized or suspicious use of application identities in their environment, which could indicate a security threat.
Details

Fabian Bader
Released: February 5, 2026
Tables
Keywords
Operators
Severity
MediumTactics
MITRE Techniques