Service Principals being assigned privileged roles may indicate an adversary attempting to escalate privileges or maintain persistence within the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential unauthorized access or lateral movement tactics.
KQL Query
AuditLogs
| where OperationName has_all ("member to role", "add")
| where Result =~ "Success"
| extend type_ = tostring(TargetResources[0].type)
| where type_ =~ "ServicePrincipal"
| where isnotempty(TargetResources)
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend InitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName),InitiatingUserPrincipalName, InitiatingAppName))
| extend ServicePrincipalName = tostring(TargetResources[0].displayName)
| extend ServicePrincipalId = tostring(TargetResources[0].id)
| mv-expand TargetResources[0].modifiedProperties
| extend TargetResources_0_modifiedProperties = columnifexists("TargetResources_0_modifiedProperties", '')
| where isnotempty(TargetResources_0_modifiedProperties)
| extend displayName = tostring(TargetResources_0_modifiedProperties.displayName), newValue = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))
| where displayName == "Role.DisplayName" and newValue contains "admin"
| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
| extend TargetRole = newValue
| project-reorder TimeGenerated, ServicePrincipalName, ServicePrincipalId, InitiatedBy, TargetRole, InitiatingIPAddress
id: 84cccc86-5c11-4b3a-aca6-7c8f738ed0f7
name: Service Principal Assigned Privileged Role
description: |
'Detects a privileged role being added to a Service Principal.
Ensure that any assignment to a Service Principal is valid and appropriate - Service Principals should not be assigned to very highly privileged roles such as Global Admin.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'
severity: Medium
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1078.004
tags:
- AADSecOpsGuide
query: |
AuditLogs
| where OperationName has_all ("member to role", "add")
| where Result =~ "Success"
| extend type_ = tostring(TargetResources[0].type)
| where type_ =~ "ServicePrincipal"
| where isnotempty(TargetResources)
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend InitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName),InitiatingUserPrincipalName, InitiatingAppName))
| extend ServicePrincipalName = tostring(TargetResources[0].displayName)
| extend ServicePrincipalId = tostring(TargetResources[0].id)
| mv-expand TargetResources[0].modifiedProperties
| extend TargetResources_0_modifiedProperties = columnifexists("TargetResources_0_modifiedProperties", '')
| where isnotempty(TargetResources_0_modifiedProperties)
| extend displayName = tostring(TargetResources_0_modifiedProperties.displayName), newValue = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))
| where displayName == "Role.DisplayName" and newValue contains "admin"
| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
| extend TargetRole = newValue
| project-reorder TimeGenerated, ServicePrincipalName, ServicePrincipalId, InitiatedBy, TargetRole, InitiatingIPAddress
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: InitiatingAppName
- identifier: AadUserId
columnName: InitiatingAppServicePrincipalId
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: InitiatingUserPrincipalName
- identifier: Name
columnName: InitiatingAccountName
- identifier: UPNSuffix
columnName: InitiatingAccountUPNSuffix
- entityType: Account
fieldMappings:
| Sentinel Table | Notes |
|---|---|
AuditLogs | Ensure this data connector is enabled |
Scenario: Scheduled Job Configuration
Description: A service principal is assigned a privileged role as part of configuring a scheduled job in Azure Automation or Azure DevOps.
Filter/Exclusion: Exclude service principals associated with Azure Automation or DevOps pipelines using the servicePrincipalNames field or resourceGroup filter.
Scenario: Azure AD Password Sync Configuration
Description: A service principal is assigned a privileged role during the setup of Azure AD Password Sync (e.g., using Azure AD Connect).
Filter/Exclusion: Exclude service principals with names like AzureADPasswordSync or AADConnect using the servicePrincipalName field.
Scenario: Azure Key Vault Access Policy Assignment
Description: A service principal is assigned a privileged role (e.g., Key Vault Administrator) as part of granting access to a Key Vault.
Filter/Exclusion: Exclude assignments where the resource type is Microsoft.KeyVault/vaults using the resourceType field.
Scenario: Azure Monitor Log Analytics Agent Setup
Description: A service principal is assigned a privileged role during the deployment of a Log Analytics agent or workspace.
Filter/Exclusion: Exclude service principals with names like loganalytics or monitor using the servicePrincipalName field.
Scenario: Azure Backup Service Configuration
Description: A service principal is assigned a privileged role when configuring Azure Backup services or Recovery Services vaults.
Filter/Exclusion: Exclude service principals associated with Azure Backup using the resourceGroup or resourceType filter (e.g., Microsoft.RecoveryServices/vaults).