Adversaries may be adding malicious roles in Entra ID to gain unauthorized access to cloud resources. SOC teams should proactively hunt for these role additions in Azure Sentinel to identify potential privilege escalation attempts and limit lateral movement within the environment.
KQL Query
let LookBack = 7d; CloudAppEvents | where ActionType in ("Add member to role.") and Timestamp > ago(LookBack) | extend FirstElement = ActivityObjects[0], SecondElement = ActivityObjects[1], ThirdElement = ActivityObjects[2] | extend Type = FirstElement.ServiceObjectType | extend RoleName = FirstElement.Name | extend UserAddedName = SecondElement.Name | extend UserAddedObjectId = SecondElement.Id | project Timestamp,Type,ActionType,RoleName,UserAddedName,UserAddedObjectId,PerformedByObjectId = AccountId,PerformedByDisplayName
id: d7f6e5c4-b3a2-4e9f-8d7c-6a5b4c3d2e1f
name: Entra ID role adds in the last 7 days
description: |
This query looks for Entra ID role adds identified by Microsoft Defender for Cloud Apps. It will require an corresponding app connector in Microsoft Defender for Cloud Apps.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Privilege Escalation
relevantTechniques:
- T1548
query: >
let LookBack = 7d;
CloudAppEvents
| where ActionType in ("Add member to role.") and Timestamp > ago(LookBack)
| extend FirstElement = ActivityObjects[0], SecondElement = ActivityObjects[1], ThirdElement = ActivityObjects[2]
| extend Type = FirstElement.ServiceObjectType
| extend RoleName = FirstElement.Name
| extend UserAddedName = SecondElement.Name
| extend UserAddedObjectId = SecondElement.Id
| project Timestamp,Type,ActionType,RoleName,UserAddedName,UserAddedObjectId,PerformedByObjectId = AccountId,PerformedByDisplayName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: DisplayName
columnName: UserAddedName
- identifier: ObjectGuid
columnName: UserAddedObjectId
- identifier: ObjectGuid
columnName: PerformedByObjectId
- identifier: DisplayName
columnName: PerformedByDisplayName
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
CloudAppEvents | Ensure this data connector is enabled |
Scenario: A system administrator adds a new user to an Entra ID role as part of a regular user onboarding process.
Filter/Exclusion: Exclude events where the userPrincipalName matches known admin accounts or users in the “User Admins” group.
Scenario: A scheduled job runs to assign roles to a batch of users during a monthly compliance review.
Filter/Exclusion: Exclude events where the operationName is “Bulk Role Assignment” or where the requestingUser is a service account used for automation.
Scenario: An IT support team member adds a temporary user to a role for access to a specific application during a support incident.
Filter/Exclusion: Exclude events where the userPrincipalName contains a temporary user prefix (e.g., temp_user_) or where the roleName is a support-specific role.
Scenario: A third-party service provider’s account is added to an Entra ID role as part of a service agreement.
Filter/Exclusion: Exclude events where the userPrincipalName is associated with a known external service account or where the roleName is a service-specific role.
Scenario: A role is automatically assigned to users via a Microsoft 365 group membership change.
Filter/Exclusion: Exclude events where the operationName is “Group Membership Change” or where the roleName is tied to a group-based access control policy.