Self added to privileged groups
- mikhailf (Steel Contributor)
Hello guidovbrakel,
Could you please elaborate on the question?
This query does trigger when someone adds him/herself to a privileged role (an Admin role).
- guidovbrakel (Brass Contributor)
Hi, I want to be alerted only when someone adds himself to a PIM role, so not when someone is added to a PIM role.
- mikhailf (Steel Contributor)
Please, try this:
AuditLogs
| where Category =~ "RoleManagement"
| where AADOperationType in ("ActivateRole")
| where ActivityDisplayName has_any ("Add eligible member to role", "Add member to role")
| extend DisplayName = TargetResources[0].displayName
| where DisplayName contains "Admin"
| extend InitiatorUser = parse_json(tostring(InitiatedBy.user)).userPrincipalName
| extend TargetUser = tostring(TargetResources[2].userPrincipalName)
| extend check = iif(InitiatorUser == TargetUser, "Success", "Fail")
| where check == "Success"
| summarize by bin(TimeGenerated, 1h), OperationName, tostring(DisplayName), TargetUser, tostring(InitiatorUser), Result
Please, note that the query depends on your environment and there can be some changes.
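
Added example, not part of the original thread or any poster's code: a variant of the self-assignment check that runs against constructed rows in a `datatable`, so the logic can be tested before pointing it at `AuditLogs`. It assumes the target user is the `TargetResources` entry whose `type` is "User" (instead of the fixed index `[2]`) and compares UPNs case-insensitively; the UPNs, role names and app name are made up.

```kql
// Constructed sample rows (not real tenant data), shaped like the AuditLogs columns used above:
//   row 1: a user activates an admin role for herself (UPN casing differs between fields)
//   row 2: an administrator adds a different user to an admin role
//   row 3: the change is initiated by an application, so InitiatedBy has no user object
let SampleAuditLogs = datatable(TimeGenerated:datetime, Category:string, AADOperationType:string,
    ActivityDisplayName:string, Result:string, InitiatedBy:dynamic, TargetResources:dynamic)
[
    datetime(2024-01-01 10:00:00), "RoleManagement", "ActivateRole", "Add member to role", "success",
    dynamic({"user": {"userPrincipalName": "Alice@contoso.example"}}),
    dynamic([{"type": "Role", "displayName": "Security Administrator"},
             {"type": "Request", "displayName": ""},
             {"type": "User", "userPrincipalName": "alice@contoso.example"}]),
    datetime(2024-01-01 11:00:00), "RoleManagement", "ActivateRole", "Add eligible member to role", "success",
    dynamic({"user": {"userPrincipalName": "admin@contoso.example"}}),
    dynamic([{"type": "Role", "displayName": "Exchange Administrator"},
             {"type": "Request", "displayName": ""},
             {"type": "User", "userPrincipalName": "bob@contoso.example"}]),
    datetime(2024-01-01 12:00:00), "RoleManagement", "ActivateRole", "Add member to role", "success",
    dynamic({"app": {"displayName": "Example Provisioning App"}}),
    dynamic([{"type": "Role", "displayName": "User Administrator"},
             {"type": "Request", "displayName": ""},
             {"type": "User", "userPrincipalName": "carol@contoso.example"}])
];
SampleAuditLogs          // replace with AuditLogs to run against real data
| where Category =~ "RoleManagement"
| where AADOperationType in ("ActivateRole")
| where ActivityDisplayName has_any ("Add eligible member to role", "Add member to role")
| extend RoleName = tostring(TargetResources[0].displayName)
| where RoleName contains "Admin"
| extend InitiatorUser = tostring(InitiatedBy.user.userPrincipalName)
// App-initiated changes have no initiating user and cannot be a self-assignment.
| where isnotempty(InitiatorUser)
// Assumption: pick the target entry by its type rather than by position in the array.
| mv-apply Target = TargetResources on (
    where tostring(Target.type) =~ "User"
    | project TargetUser = tostring(Target.userPrincipalName)
  )
// Case-insensitive match, since UPN casing can differ between the two fields.
| where InitiatorUser =~ TargetUser
| project TimeGenerated, ActivityDisplayName, RoleName, InitiatorUser, TargetUser, Result
```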