Display user role in AD

Question

hello,&nbsp;I'm creating a query to display AD accounts activity. Such as account creation.I would like to see who has reacted an account (With caller command) I would like to see Users role as well (such as global admin, security admin, etc).&nbsp;How Can I achieve that?&nbsp;Regards,

clivewatson · Answer

Arnoldas&nbsp;
&nbsp;
Some AzureAD samples to get you started...
&nbsp;
1. Look at Audit logs
AuditLogs
| extend userPrincipalName_ = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) 
| extend userPrincipalName2_ = tostring(TargetResources[0].userPrincipalName) 
| extend userPrincipalName = iif(isempty(userPrincipalName_), userPrincipalName2_, userPrincipalName_)
| where OperationName !contains "service principal"
| summarize count(), make_set(InitiatedBy)  by ActivityDisplayName, userPrincipalName
2.&nbsp; SigninLogs&nbsp;
SigninLogs 
| extend ErrorCode = tostring(Status.errorCode) 
| extend FailureReason = Status.failureReason 
| where ErrorCode in ("50058","50140", "51006", "50059", "65001", "52004", "50055", "50144","50072", "50074", "16000","16001", "16003", "50127", "50125", "50129","50143", "81010", "81014", "81012") 
| summarize errCount = count() by ErrorCode, tostring(FailureReason), UserDisplayName, UserPrincipalName
&nbsp;

clivewatson · Answer

Arnoldas&nbsp;
&nbsp;
You can create a merges column (called here AggregatedValue), I used strcat to create a comma separated list of the 4 items&nbsp;
AuditLogs
| where OperationName == "Add user"
| extend userPrincipalName_ = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend userPrincipalName2_ = tostring(TargetResources[0].userPrincipalName)
| extend AccountCustomEntity = userPrincipalName_
| extend AccountCustomEntity2 = userPrincipalName2_
| extend AggregatedValue = strcat (userPrincipalName_,", ", userPrincipalName2_,", ", AccountCustomEntity,", ", AccountCustomEntity2)
| summarize count() by AggregatedValue 
d&nbsp;

arnoldas · Answer

CliveWatson&nbsp;&nbsp;Thanks for the information provided!Will let you know what was the outcome.Thanks one more time.Arnold

arnoldas · Answer

@Clive Watson&nbsp;Hello,&nbsp;I have managed to gather some code but sadly it's not providing info needed in the alert itself.Code itself is straight forward:AuditLogs | where OperationName == "Add user"| extend userPrincipalName_ = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) | extend userPrincipalName2_ = tostring(TargetResources[0].userPrincipalName) | extend AccountCustomEntity = userPrincipalName_ | extend AccountCustomEntity2 = userPrincipalName2_&nbsp;It does generate info needed in the logs tab. Such as who performed activity&nbsp;userPrincipalName_ and who was impacted&nbsp;userPrincipalName2_.But when I add this query to alert it only generates&nbsp;userPrincipalName_ name only.I want to see who performed what based on OperationName and who was impacted.Maybe you can assist me here as well?&nbsp;thanks in advance,Arnold&nbsp;

arnoldas · Answer

CliveWatson&nbsp;&nbsp;Hey, your help is much appreciated!&nbsp;I managed to display the information needed by adding one account as AccountCustomEntity and other by HostCustomEntity:AuditLogs| where ActivityDisplayName == "Add user"| extend userPrincipalName_ = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) | extend userPrincipalName2_ = tostring(TargetResources[0].userPrincipalName) | extend AccountCustomEntity = userPrincipalName_ | extend HostCustomEntity = userPrincipalName2_&nbsp;This does work, but that's being said it is not accurate as it should be two&nbsp;AccountCustomEntites and one should be&nbsp;AccountCustomEntity = userPrincipalName_ which should display the username of account which started&nbsp;ActivityDisplayName and&nbsp;AccountCustomEntity2 should be impacted account.So maybe you know how to display two&nbsp;AccountCustomEntites?Or my approach is making no sense?&nbsp;Regards,Arnold

Forum Discussion

Display user role in AD

7 Replies

Resources