A threat hunter should investigate when a single user removes admin roles from multiple Entra ID users within a short timeframe, as this could indicate an adversary attempting to disable administrative access to escalate privileges or disrupt operations. Proactively hunting for this behavior in Azure Sentinel helps identify potential insider threats or compromised accounts that may be used to suppress organizational control.
KQL Query
let removedAccountsThreshold = 5;
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
AuditLogs
| where TimeGenerated between (starttime .. endtime)
| where OperationName in~ ("Remove member from role", "Remove eligible member from role")
| where Identity !has "MS-PIM" // drop PIM-driven expirations; a human or app actor is what we want
| extend roleName = trim('"' , tostring(TargetResources[0].modifiedProperties[1].oldValue))
| where roleName in~ ("Company Administrator", "Global Administrator") // Add more roles you found interesting here
| where TargetResources[0].type =~ "User"
// Actor must be the initiating user (InitiatedBy), not the target (TargetResources[0]);
// grouping by the target id would give one row per removed user and never reach the threshold.
// App-initiated removals carry InitiatedBy.app instead and land in an empty Actor group.
| extend Actor = tostring(InitiatedBy.user.id), removedUserUpn = tostring(TargetResources[0].userPrincipalName)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), removedAccounts = dcount(removedUserUpn), removedUserUPN = make_set(removedUserUpn) by Actor
| where removedAccounts > removedAccountsThreshold
| extend timestamp = StartTime, AccountCustomEntity = Actor
id: 18793540-3b93-4a7f-8e30-871291a1c6cf
name: Multiple Entra ID Admins Removed
description: |
  'Looks for multiple users that had their admin role removed by a single user within a certain period.
  The default threshold is 5 removals; this can be edited in the query.'
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
tactics:
  - Impact
relevantTechniques:
  - T1531
query: |
  let removedAccountsThreshold = 5;
  let starttime = todatetime('{{StartTimeISO}}');
  let endtime = todatetime('{{EndTimeISO}}');
  AuditLogs
  | where TimeGenerated between (starttime .. endtime)
  | where OperationName in~ ("Remove member from role", "Remove eligible member from role")
  | where Identity !has "MS-PIM" // drop PIM-driven expirations; a human or app actor is what we want
  | extend roleName = trim('"' , tostring(TargetResources[0].modifiedProperties[1].oldValue))
  | where roleName in~ ("Company Administrator", "Global Administrator") // Add more roles you found interesting here
  | where TargetResources[0].type =~ "User"
  // Actor must be the initiating user (InitiatedBy), not the target (TargetResources[0]);
  // grouping by the target id would give one row per removed user and never reach the threshold.
  // App-initiated removals carry InitiatedBy.app instead and land in an empty Actor group.
  | extend Actor = tostring(InitiatedBy.user.id), removedUserUpn = tostring(TargetResources[0].userPrincipalName)
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), removedAccounts = dcount(removedUserUpn), removedUserUPN = make_set(removedUserUpn) by Actor
  | where removedAccounts > removedAccountsThreshold
  | extend timestamp = StartTime, AccountCustomEntity = Actor
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: AadUserId
        columnName: Actor
version: 1.0.0
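To check the pipeline's logic outside a workspace, the following is an added Python mirror of the hunt; it is not the page's KQL and not Sentinel code. It walks constructed AuditLogs-shaped records carrying the same fields the query reads (OperationName, Identity, InitiatedBy, TargetResources[0].type/userPrincipalName/modifiedProperties), applies each operator in order, groups by the initiating principal rather than the target, and exposes an `exclude_actors` allowlist as one way to implement the known-automation tuning described in the scenarios further down. All ids, UPNs, the service principal and the time window are constructed sample values.

```python
"""Offline mirror of the 'Multiple Entra ID Admins Removed' hunt (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

REMOVAL_OPS = {"remove member from role", "remove eligible member from role"}
ADMIN_ROLES = {"company administrator", "global administrator"}
REMOVED_ACCOUNTS_THRESHOLD = 5  # same default as the KQL

WINDOW_START = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed window
WINDOW_END = WINDOW_START + timedelta(hours=1)
AUTOMATION_SP_ID = "sp-lifecycle-0001"  # constructed id of a known automation service principal


def make_event(minute, actor_id, actor_name, target_id, target_upn,
               role="Global Administrator", op="Remove member from role",
               identity=None, initiator="user", target_type="User"):
    """Build one constructed AuditLogs-like record with only the fields the KQL reads."""
    if initiator == "user":
        initiated_by = {"user": {"id": actor_id, "userPrincipalName": actor_name}}
    else:  # app/service-principal initiated action
        initiated_by = {"app": {"servicePrincipalId": actor_id, "displayName": actor_name}}
    return {
        "TimeGenerated": WINDOW_START + timedelta(minutes=minute),
        "OperationName": op,
        "Identity": identity if identity is not None else actor_name,
        "InitiatedBy": initiated_by,
        "TargetResources": [{
            "type": target_type, "id": target_id, "userPrincipalName": target_upn,
            # values are JSON-encoded strings in the real log, hence trim('"', ...) in the KQL
            "modifiedProperties": [
                {"displayName": "Role.ObjectID", "oldValue": json.dumps("constructed-role-id")},
                {"displayName": "Role.DisplayName", "oldValue": json.dumps(role)},
            ],
        }],
    }


def actor_of(event):
    """Group by whoever initiated the removal: user object id, else service principal id."""
    who = event["InitiatedBy"]
    return who["user"]["id"] if "user" in who else who["app"]["servicePrincipalId"]


def hunt(events, start, end, threshold=REMOVED_ACCOUNTS_THRESHOLD, exclude_actors=frozenset()):
    """Apply the KQL operators in order; return {actor: summary} for actors over the threshold."""
    per_actor = defaultdict(lambda: {"removed": set(), "times": []})
    for e in events:
        ts = e["TimeGenerated"]
        if not start <= ts <= end:                                 # TimeGenerated between (..)
            continue
        if e["OperationName"].lower() not in REMOVAL_OPS:           # OperationName in~ (...)
            continue
        if "ms-pim" in e["Identity"].lower():                       # Identity !has "MS-PIM" (substring approx.)
            continue
        target = e["TargetResources"][0]
        role_name = target["modifiedProperties"][1]["oldValue"].strip('"')  # trim('"', ...)
        if role_name.lower() not in ADMIN_ROLES:                    # roleName in~ (...)
            continue
        if target["type"].lower() != "user":                        # type =~ "User"
            continue
        actor = actor_of(e)
        if actor in exclude_actors:  # tuning hook for the known-automation scenario
            continue
        per_actor[actor]["removed"].add(target["userPrincipalName"])
        per_actor[actor]["times"].append(ts)
    return {
        actor: {"StartTime": min(b["times"]), "EndTime": max(b["times"]),
                "removedAccounts": len(b["removed"]),      # dcount(removedUserUpn)
                "removedUserUPN": sorted(b["removed"])}    # make_set(removedUserUpn)
        for actor, b in per_actor.items() if len(b["removed"]) > threshold
    }


def sample_events():
    """Constructed sample: one real burst, one below threshold, one automation burst, plus noise."""
    ev = [make_event(i, "actor-a", "a.admin@contoso.example", f"u{i}", f"user{i}@contoso.example")
          for i in range(6)]
    ev.append(make_event(6, "actor-a", "a.admin@contoso.example", "u0", "user0@contoso.example"))  # repeat
    ev += [make_event(10 + i, "actor-b", "b.admin@contoso.example", f"v{i}", f"vuser{i}@contoso.example")
           for i in range(3)]
    ev += [make_event(20 + i, AUTOMATION_SP_ID, "lifecycle-automation", f"w{i}",
                      f"wuser{i}@contoso.example", initiator="app") for i in range(7)]
    ev.append(make_event(30, "actor-a", "a.admin@contoso.example", "u9", "user9@contoso.example",
                         identity="MS-PIM"))                        # PIM expiry, excluded
    ev.append(make_event(31, "actor-a", "a.admin@contoso.example", "u8", "user8@contoso.example",
                         role="Exchange Administrator"))            # not a watched role
    return ev


def run_sample(exclude_automation=True):
    excl = {AUTOMATION_SP_ID} if exclude_automation else frozenset()
    return hunt(sample_events(), WINDOW_START, WINDOW_END, exclude_actors=excl)


if __name__ == "__main__":
    for actor, summary in run_sample().items():
        print(actor, summary["removedAccounts"], summary["removedUserUPN"])
```

With the allowlist applied, only `actor-a` surfaces (six distinct users, the repeated removal counted once); dropping the allowlist also surfaces the automation principal, which is the false positive the tuning scenarios aim to remove.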
| Sentinel Table | Notes |
|---|---|
| AuditLogs | Ensure this data connector is enabled |
Scenario: Scheduled Job or Automation Tool Removes Admin Roles
Description: A scheduled job or automation tool (e.g., Azure Automation, Power Automate, or third-party identity management tools like Okta or Ping Identity) is configured to remove admin roles from multiple users during a routine maintenance window.
Filter/Exclusion: Check for the presence of known automation tools or scheduled tasks in the activity logs, or filter by user agent or IP address associated with the automation system.
Scenario: Bulk User Deactivation or Onboarding Process
Description: During a bulk user onboarding or deactivation process (e.g., using Microsoft 365 Admin Center, PowerShell, or Azure AD Connect), an admin might remove admin roles from multiple users as part of a standard user lifecycle management task.
Filter/Exclusion: Filter by the user’s role (e.g., “User” instead of “Admin”) or check for bulk operation timestamps and associated admin activity.
Scenario: Role-Based Access Control (RBAC) Reconciliation
Description: An admin performs a role reconciliation task using Azure AD Privileged Identity Management (PIM) or the Microsoft 365 Admin Center to remove admin roles from users who no longer require them.
Filter/Exclusion: Filter by the presence of PIM-related activity or check for specific admin actions associated with role cleanup or audit tasks.
Scenario: User Migration or Data Sync Tool Activity
Description: A user migration or data sync tool (e.g., Azure AD Connect, Microsoft Identity Manager, or third-party migration tools) may inadvertently or intentionally remove admin roles during a synchronization or migration process.
Filter/Exclusion: Filter by the source system or tool name, or check for timestamps that align with scheduled migration windows.
Scenario: Admin Mistakenly Removes Roles During Training or Demo
Description: A