A malicious actor is attempting to remove administrative privileges from multiple users to limit their own access or cover up their activities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential insider threats or coordinated account compromise attempts.
KQL Query

```kql
let removedAccountsThreshold = 1;
let lookback = 12h;
CloudAppEvents
| where Timestamp > ago(lookback)
| where ApplicationId == 11161 // filter relevant events category
| where ActionType in~ ("Remove member from role.", "Remove eligible member from role.")
| project RawEventData
| where RawEventData.Actor !has "MS-PIM"
| mv-expand modifiedProperty = RawEventData.ModifiedProperties
| where isnotempty(modifiedProperty)
| extend propertyName = modifiedProperty.Name
| where propertyName =~ "Role.DisplayName"
| extend roleName = modifiedProperty.OldValue
| where roleName in ("Company Administrator", "Global Administrator") // Add more roles you find interesting here
| where RawEventData.Actor has "User" // Validate that the actor of the operation is a user and not a service principal
| extend Actor = tostring(RawEventData.Actor[0].ID), removedUserUpn = tostring(RawEventData.Target[3].ID)
| summarize removedAccounts = dcount(removedUserUpn), make_set(removedUserUpn) by Actor
| where removedAccounts > removedAccountsThreshold
```
```yaml
id: 7ffb31ee-f164-4613-a9a7-4d04d0dba5d7
name: Multiple Entra ID Admin Removals
description: |
  Looks for multiple users that had their admin role removed by a single user within a certain period.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - Persistence
query: |
  let removedAccountsThreshold = 1;
  let lookback = 12h;
  CloudAppEvents
  | where Timestamp > ago(lookback)
  | where ApplicationId == 11161 // filter relevant events category
  | where ActionType in~ ("Remove member from role.", "Remove eligible member from role.")
  | project RawEventData
  | where RawEventData.Actor !has "MS-PIM"
  | mv-expand modifiedProperty = RawEventData.ModifiedProperties
  | where isnotempty(modifiedProperty)
  | extend propertyName = modifiedProperty.Name
  | where propertyName =~ "Role.DisplayName"
  | extend roleName = modifiedProperty.OldValue
  | where roleName in ("Company Administrator", "Global Administrator") // Add more roles you find interesting here
  | where RawEventData.Actor has "User" // Validate that the actor of the operation is a user and not a service principal
  | extend Actor = tostring(RawEventData.Actor[0].ID), removedUserUpn = tostring(RawEventData.Target[3].ID)
  | summarize removedAccounts = dcount(removedUserUpn), make_set(removedUserUpn) by Actor
  | where removedAccounts > removedAccountsThreshold
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
- Scenario: A system administrator performs a bulk user role adjustment using Azure AD PowerShell or Azure AD Connect to remove admin roles from multiple users during a routine access review.
  Filter/Exclusion: Exclude activity from known admin accounts (e.g., [email protected]) or filter by tool source (e.g., AzureAD or PowerShell).
- Scenario: A scheduled job (e.g., Power Automate or Azure Logic Apps) runs daily to remove admin roles from users who no longer require them based on a predefined list.
  Filter/Exclusion: Exclude activity originating from scheduled tasks or Power Automate workflows by checking the initiator or source system field.
- Scenario: A third-party service (e.g., Microsoft 365 Compliance Center or Microsoft Purview) automatically removes admin roles from users who have been flagged for non-compliance or policy violations.
  Filter/Exclusion: Exclude actions initiated by Microsoft Compliance or Microsoft Purview services using source system or initiator fields.
- Scenario: A user migration tool (e.g., Azure AD Connect or Microsoft 365 Migration Tool) removes admin roles during a user migration or account synchronization process.
  Filter/Exclusion: Exclude activity related to migration tools by checking the tool name or source system in the event log.
- Scenario: A security team member manually removes admin roles from multiple users during a security incident response or access revocation process.
  Filter/Exclusion: Exclude actions taken by security team members or incident response teams by checking the user role or department in the event log.
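To validate the rule's logic offline before deploying it, the following added example (not part of the original rule or of any Microsoft content) re-implements the query's filtering, parsing and grouping steps in Python over a handful of constructed `CloudAppEvents`-shaped records, and adds the actor allow-list suggested by the first false-positive scenario above. The event layout (actor UPN at `Actor[0].ID`, removed UPN at `Target[3].ID`, the role name in the `Role.DisplayName` modified property) is assumed from the rule itself rather than from real tenant data, the `kql_has` helper only approximates KQL's term-based `has` operator, and all UPNs, role ids and timestamps are made up.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constants mirrored from the rule's `let` statements and literals
REMOVED_ACCOUNTS_THRESHOLD = 1
LOOKBACK = timedelta(hours=12)
ENTRA_APPLICATION_ID = 11161
ROLE_REMOVAL_ACTIONS = {"remove member from role.", "remove eligible member from role."}
ROLES_OF_INTEREST = {"Company Administrator", "Global Administrator"}

# Fixed reference time for the constructed sample; use datetime.now(timezone.utc) in practice
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)


def _event(minutes_ago, actor_upn, target_upn, old_role,
           actor_kind="User", action="Remove member from role."):
    """Build one constructed CloudAppEvents-like row (assumption: the Actor/Target
    array positions match what the rule indexes; verify against your own events)."""
    return {
        "Timestamp": NOW - timedelta(minutes=minutes_ago),
        "ApplicationId": ENTRA_APPLICATION_ID,
        "ActionType": action,
        "RawEventData": {
            "Actor": [{"ID": actor_upn, "Type": 5}, {"ID": actor_kind, "Type": 2}],
            "Target": [
                {"ID": "placeholder-object-id", "Type": 2},
                {"ID": "User", "Type": 2},
                {"ID": "placeholder-assignment-id", "Type": 2},
                {"ID": target_upn, "Type": 5},          # Target[3].ID = removed user's UPN
            ],
            "ModifiedProperties": [
                {"Name": "Role.DisplayName", "OldValue": old_role, "NewValue": ""},
                {"Name": "Role.ObjectID", "OldValue": "placeholder-role-id", "NewValue": ""},
            ],
        },
    }


# Constructed sample: one suspicious actor, one bulk-review account, and several rows
# that each exercise one exclusion in the rule.
SAMPLE_EVENTS = [
    _event(10, "mallory@example.com", "alice@example.com", "Global Administrator"),
    _event(20, "mallory@example.com", "bob@example.com", "Global Administrator",
           action="Remove eligible member from role."),
    _event(30, "mallory@example.com", "carol@example.com", "Company Administrator"),
    _event(40, "mallory@example.com", "carol@example.com", "Global Administrator"),  # dcount: carol once
    _event(50, "helpdesk@example.com", "dave@example.com", "Global Administrator"),  # one removal: below threshold
    _event(60, "svc-review@example.com", "erin@example.com", "Global Administrator"),
    _event(70, "svc-review@example.com", "frank@example.com", "Global Administrator"),  # bulk review account
    _event(80, "MS-PIM", "grace@example.com", "Global Administrator", actor_kind="MS-PIM"),  # PIM-driven
    _event(90, "app@example.com", "heidi@example.com", "Global Administrator",
           actor_kind="ServicePrincipal"),                                            # not a user actor
    _event(100, "mallory@example.com", "ivan@example.com", "Helpdesk Administrator"),  # role out of scope
    _event(15 * 60, "mallory@example.com", "judy@example.com", "Global Administrator"),  # outside lookback
]

_TOKEN = re.compile(r"[a-z0-9]+")


def kql_has(value, term):
    """Approximate KQL `has` on a dynamic value: case-insensitive whole-term match
    over the JSON text, with multi-token terms (e.g. MS-PIM) matched in sequence."""
    tokens = _TOKEN.findall(json.dumps(value).lower())
    needle = _TOKEN.findall(term.lower())
    n = len(needle)
    return any(tokens[i:i + n] == needle for i in range(len(tokens) - n + 1))


def removed_role(raw):
    """Mirror of the mv-expand / Role.DisplayName / OldValue steps."""
    for prop in raw.get("ModifiedProperties") or []:
        if str(prop.get("Name", "")).lower() == "role.displayname":
            return prop.get("OldValue")
    return None


def detect(events, now=NOW, excluded_actors=frozenset()):
    """Return {actor: sorted removed UPNs} for actors exceeding the threshold.
    `excluded_actors` (lower-case UPNs) is the allow-list for known bulk-review accounts."""
    per_actor = defaultdict(set)
    for ev in events:
        raw = ev["RawEventData"]
        if ev["Timestamp"] <= now - LOOKBACK:                 # Timestamp > ago(lookback)
            continue
        if ev["ApplicationId"] != ENTRA_APPLICATION_ID:
            continue
        if ev["ActionType"].lower() not in ROLE_REMOVAL_ACTIONS:  # in~ is case-insensitive
            continue
        if kql_has(raw.get("Actor"), "MS-PIM"):               # Actor !has "MS-PIM"
            continue
        if removed_role(raw) not in ROLES_OF_INTEREST:        # case-sensitive, like `in`
            continue
        if not kql_has(raw.get("Actor"), "User"):             # Actor has "User"
            continue
        actor = str(raw["Actor"][0]["ID"])
        if actor.lower() in excluded_actors:
            continue
        per_actor[actor].add(str(raw["Target"][3]["ID"]))
    return {a: sorted(u) for a, u in per_actor.items() if len(u) > REMOVED_ACCOUNTS_THRESHOLD}


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
    print(json.dumps(detect(SAMPLE_EVENTS, excluded_actors={"svc-review@example.com"}), indent=2))
```

Running it without an allow-list flags both `mallory@example.com` and the bulk-review account; adding `svc-review@example.com` to `excluded_actors` leaves only the suspicious actor, which is the effect the scenario-specific exclusions above aim for. Because the rule indexes `Target[3]` by position, confirm the index against a real event from your tenant before trusting the `removedUserUpn` value.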