A request to make an account eligible for a privileged role or a PIM-managed privileged group is a high-value event. An adversary who has compromised an administrator, or any identity allowed to submit PIM requests, can use it to give a controlled account durable privileged access (persistence) or to step up from a lower-privileged foothold (privilege escalation). SOC teams should hunt for this behaviour in Microsoft Sentinel (formerly Azure Sentinel) to catch privileged-account compromise early. Note that the query below keys on the PIM request event ("... requested (timebound)"), so it fires when eligibility is requested, which may still be pending approval, rather than when the assignment is later activated; the projected Result and ResultReason columns show whether the request itself succeeded.
KQL Query

```kusto
AuditLogs
// The PIM request event for a time-bound eligible assignment; =~ is a case-insensitive compare
| where ActivityDisplayName =~ "Add eligible member to role in PIM requested (timebound)"
| where AADOperationType =~ "CreateRequestEligibleRole"
// has_any is a term match over the serialised TargetResources array, not a substring match:
// "Administrator" also matches "Global Administrator"; "Security" also matches "Security Reader"
| where TargetResources has_any ("-PRIV", "Administrator", "Security")
// Field extraction is positional. Verify the slot order against your own tenant's events:
// a different event shape does not error, it silently yields empty strings for these columns
| extend BuiltinRole = tostring(parse_json(TargetResources[0].displayName))
| extend CustomGroup = tostring(parse_json(TargetResources[3].displayName))
| extend TargetAccount = tostring(parse_json(TargetResources[2].displayName))
// Identity is the initiating user or service principal
| extend Initiatedby = Identity
| project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResultReason, ResourceId, Id
| sort by TimeGenerated desc
// Older custom-entity column convention; the entityMappings in the rule definition map the same columns
| extend timestamp = TimeGenerated, AccountCustomEntity = TargetAccount, ResourceCustomEntity = ResourceId
```
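The following is an added example, not part of the original page or of the Sentinel rule itself: the query's logic re-expressed in Python and run over a few constructed AuditLogs rows, so the positional TargetResources extraction, the term-matching behaviour of `has_any`, and the effect of the allow-list exclusions discussed in the false-positive scenarios further down the page are visible on concrete data. The row shape is an assumption modelled on the Sentinel AuditLogs schema, and every identity, account, group and timestamp (including the automation principal `pim-runbook-sp`) is hypothetical.

```python
# Added example: the page's KQL re-expressed in Python over constructed rows.
# The row shape is an assumption modelled on the Sentinel AuditLogs schema
# (TargetResources stored as a JSON array); none of this is exported tenant data.
import json
import re

ACTIVITY = "add eligible member to role in pim requested (timebound)"
OPERATION = "createrequesteligiblerole"
PRIV_TERMS = ("-PRIV", "Administrator", "Security")
REQUEST = "Add eligible member to role in PIM requested (timebound)"


def _row(ts, identity, activity, role, account, group=None):
    """Build one constructed AuditLogs row. TargetResources follows the slot order the
    page's query relies on: [0] role, [2] target account, [3] PIM-managed group."""
    targets = [{"displayName": role, "type": "Role"}, {"displayName": "", "type": "Other"},
               {"displayName": account, "type": "User"}]
    if group is not None:
        targets.append({"displayName": group, "type": "Group"})
    return {"TimeGenerated": ts, "ActivityDisplayName": activity, "Identity": identity,
            "AADOperationType": "CreateRequestEligibleRole", "Result": "success",
            "TargetResources": targets}


SAMPLE_AUDITLOGS = [  # constructed sample data, hypothetical names throughout
    _row("2024-05-01T10:15:00Z", "mallory@contoso.example", REQUEST,
         "Security Administrator", "alice@contoso.example", "SG-PRIV-SecOps"),
    # hypothetical automation service principal doing scheduled-job setup
    _row("2024-05-01T11:30:00Z", "pim-runbook-sp", REQUEST,
         "Global Administrator", "svc-backup@contoso.example", "SG-PRIV-Backup"),
    # the matching completion event: the rule keys on the request, not on this
    _row("2024-05-01T09:00:00Z", "mallory@contoso.example",
         "Add eligible member to role in PIM completed (timebound)",
         "Security Administrator", "alice@contoso.example", "SG-PRIV-SecOps"),
    _row("2024-05-01T12:45:00Z", "admin.lee@contoso.example", REQUEST,
         "Security Reader", "test-bob@contoso.example", "SG-PRIV-Lab"),
    # no privileged term anywhere in TargetResources: has_any rejects it
    _row("2024-05-01T08:20:00Z", "admin.lee@contoso.example", REQUEST,
         "Reports Reader", "dana@contoso.example", "SG-Finance-Analysts"),
    # no group slot at all: CustomGroup comes back empty but the alert still fires
    _row("2024-05-01T13:00:00Z", "mallory@contoso.example", REQUEST,
         "Global Administrator", "devon@contoso.example"),
]


def _terms(text):
    """Approximate KQL term tokenisation: alphanumeric runs, case-folded."""
    return {t.lower() for t in re.findall(r"[A-Za-z0-9]+", text)}


def has_any(resources, needles):
    """Mimic `TargetResources has_any (...)`: whole-term matching over the JSON text
    of the column, so "Security" hits "Security Administrator" but not "InfoSec"."""
    haystack = _terms(json.dumps(resources))
    return any(_terms(n) and _terms(n) <= haystack for n in needles)


def matches_rule(row):
    """The three `where` clauses of the page's query (`=~` is case-insensitive)."""
    return (row.get("ActivityDisplayName", "").lower() == ACTIVITY
            and row.get("AADOperationType", "").lower() == OPERATION
            and has_any(row.get("TargetResources", []), PRIV_TERMS))


def _display(resources, i):
    """tostring(TargetResources[i].displayName): "" when the slot is absent."""
    return str(resources[i].get("displayName", "")) if i < len(resources) else ""


def project(row):
    """The extend/project step: the columns the rule maps to entities."""
    r = row.get("TargetResources", [])
    return {"TimeGenerated": row["TimeGenerated"], "Initiatedby": row.get("Identity", ""),
            "TargetAccount": _display(r, 2), "BuiltinRole": _display(r, 0),
            "CustomGroup": _display(r, 3), "Result": row.get("Result", "")}


# Exclusions in the spirit of the false-positive scenarios on this page (hypothetical
# values). Keep the allow-list short and reviewed: anything here is invisible to the rule.
KNOWN_AUTOMATION = {"pim-runbook-sp"}
TEST_ACCOUNT_RE = re.compile(r"\b(test|dev|demo)\b", re.I)  # whole word: "dev-ci", not "devon"


def expected_reason(event):
    """Why a matched event is considered benign, or None if it should alert."""
    if event["Initiatedby"].lower() in KNOWN_AUTOMATION:
        return "known automation initiator"
    if TEST_ACCOUNT_RE.search(event["TargetAccount"]):
        return "test/dev/demo account"
    return None


def run_detection(rows, include_expected=False):
    """Apply the rule, then the exclusions; newest first like `sort by TimeGenerated desc`."""
    hits = []
    for row in rows:
        if matches_rule(row):
            event = project(row)
            event["ExpectedReason"] = expected_reason(event)
            if include_expected or event["ExpectedReason"] is None:
                hits.append(event)
    return sorted(hits, key=lambda e: e["TimeGenerated"], reverse=True)


if __name__ == "__main__":
    for e in run_detection(SAMPLE_AUDITLOGS, include_expected=True):
        print(e["TimeGenerated"], e["Initiatedby"], "->", e["TargetAccount"], e["ExpectedReason"] or "ALERT")
```

Run as a script it lists the four rows the rule matches, newest first, with the two excluded ones labelled by reason. Two design points carry over to the KQL: the exclusions are applied after the rule's own filters, so tuning never widens the match, and the test-account regex uses word boundaries, because a plain substring check on "dev" would also suppress an account named "devon".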
```yaml
id: 67ca982d-9d61-48cb-a409-acf029ed7311
name: Account Added to Privileged PIM Group
description: |
  'Identifies accounts that have been added to a PIM managed privileged group'
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
tactics:
  - Persistence
  - PrivilegeEscalation
relevantTechniques:
  - T1098
  - T1548
query: |
  AuditLogs
  | where ActivityDisplayName =~ "Add eligible member to role in PIM requested (timebound)"
  | where AADOperationType =~ "CreateRequestEligibleRole"
  | where TargetResources has_any ("-PRIV", "Administrator", "Security")
  | extend BuiltinRole = tostring(parse_json(TargetResources[0].displayName))
  | extend CustomGroup = tostring(parse_json(TargetResources[3].displayName))
  | extend TargetAccount = tostring(parse_json(TargetResources[2].displayName))
  | extend Initiatedby = Identity
  | project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResultReason, ResourceId, Id
  | sort by TimeGenerated desc
  | extend timestamp = TimeGenerated, AccountCustomEntity = TargetAccount, ResourceCustomEntity = ResourceId
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: TargetAccount
  - entityType: AzureResource
    fieldMappings:
      - identifier: ResourceId
        columnName: ResourceId
```
| Sentinel Table | Notes |
|---|---|
| AuditLogs | Populated by the Microsoft Entra ID (AzureActiveDirectory) data connector; ensure the connector is enabled with the AuditLogs data type selected, otherwise the rule runs against an empty table and never fires |
Scenario: Scheduled Job Configuration
Description: An administrator, or an automation runbook running as a service principal or managed identity (e.g., Azure Automation), requests eligibility for a service account in a privileged PIM-managed group as part of configuring a scheduled job.
Filter/Exclusion: Exclude only events whose Initiatedby value is the specific automation identity expected to make these requests, and keep that allow-list short and reviewed. An attacker who obtains that identity's credentials inherits the exclusion, so cover the principal itself with separate monitoring of its sign-ins and credential changes.
Scenario: Privileged Access Review
Description: An administrator requests temporary eligibility for a user during a privileged access review in Microsoft Entra ID Privileged Identity Management.
Filter/Exclusion: Do not exclude administrator-initiated requests wholesale; that is exactly the activity the rule exists to surface. Instead, correlate the alert with the review or change record (ticket, approver, scheduled window) and close it as expected when the Initiatedby, TargetAccount and timing match.
Scenario: Role-Based Access Assignment
Description: Group membership is managed in a third-party identity provider (e.g., Okta or Ping Identity) and provisioned into Microsoft Entra ID, where the group is PIM-managed.
Filter/Exclusion: Exclude events whose Initiatedby is the provisioning service principal of that identity provider, after confirming it is the only identity expected to add members to those groups. Do not exclude on the target account alone, since the same accounts can also be added by hand.
Scenario: Test Account Creation
Description: A developer creates a test account and requests eligibility for it in a PIM-managed group to exercise privileged access from a pipeline (e.g., Azure DevOps or GitHub Actions).
Filter/Exclusion: Exclude TargetAccount values that contain "test", "dev" or "demo" as whole words (so that "devon" is not swept up), and prefer to confine such accounts to a dedicated test tenant. A name-based exclusion is trivial for an attacker to satisfy deliberately by naming a backdoor account "test-admin", so treat it as noise reduction, not as a trust boundary.
Scenario: Group Membership Sync
Description: A directory synchronisation tool (e.g., Microsoft Entra Connect, formerly Azure AD Connect) adds a user to a