Azure provides a large number of role-based access control (RBAC) roles to provide fine-grained access to both Azure & Azure AD. It is best practice (especially for highly privileged roles) to use Azure Privileged Identity Management (PIM) to allow users to temporarily elevate their privileges as needed (similar to Run as Administrator).
However, it is not necessarily easy to find out when someone has elevated their privileges. This is especially important for roles like Global Administrator. There is an audit log in Azure AD, but you have to review it regularly.
View audit log report for Azure AD roles in Azure AD PIM – Microsoft Entra | Microsoft Learn
There are also automated alerts but these may not go to everyone who needs to see them.
An alternative solution is to get an alert (via email or any other system) when a highly privileged role has been activated via Log Analytics & Azure Monitor Alerts.
There are 3 steps to enable this solution.
- Enable AAD Diagnostic Logs and have them sent to a Log Analytics workspace
- Write a Kusto query which will retrieve the specific privilege escalations you are looking to be alerted on
- Set up Azure Alerts for the results of a Kusto query
Enable AAD Diagnostic Logs and have them sent to a Log Analytics Workspace
You must enable Diagnostic Settings in order to have AAD audit logs sent to a Log Analytics workspace. Your AAD tenant must be licensed with an Azure AD P2 license.
Stream Azure Active Directory logs to Azure Monitor logs – Microsoft Entra | Microsoft Learn
It may take a few minutes before logs start streaming from AAD to your Log Analytics workspace after enabling this feature.
Write a Kusto query which will retrieve the specific privilege escalations you are looking to be alerted on
A sample Kusto query for determining when PIM has been activated for a specific role is:
AuditLogs
| where OperationName == 'Add member to role completed (PIM activation)'
| mv-expand TargetResources
| where tostring(TargetResources.id) == '62e90394-69f5-4237-9190-012177145e10'
AuditLogs is the table that contains PIM activations. TargetResources is a dynamic array, so it is expanded with mv-expand before filtering; TargetResources.id then indicates which role was activated (you could also filter based upon TargetResources.displayName == 'Global Administrator').
Here is a table with the GUIDs for each built-in AAD role.
Azure AD built-in roles – Azure Active Directory – Microsoft Entra | Microsoft Learn
Set up Azure Alerts for the results of a Kusto query
Finally, you need to set up a log query alert in Azure Monitor. You can do this from the Kusto query editor.
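To make the detection logic of steps 2 and 3 concrete without a Log Analytics workspace, here is an added example (not code from the original post) that applies the same filter as the Kusto query to a handful of constructed AuditLogs-style records, and then performs the count-over-a-window check that a log query alert rule does before firing. The record shape (OperationName, TargetResources array with type/id/displayName, InitiatedBy) mirrors the columns the query uses; the user names, timestamps and the non-Global-Administrator role id are made up for the example.

```python
"""
Added example: offline simulation of the PIM activation query (step 2) and
the log alert evaluation (step 3). Not the post's own code; the sample
records below are constructed, only the Global Administrator role id and the
OperationName come from the post.
"""
from datetime import datetime, timedelta, timezone

PIM_ACTIVATION_COMPLETED = "Add member to role completed (PIM activation)"
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"   # built-in role id from the post
OTHER_ROLE_ID = "00000000-0000-0000-0000-00000000beef"          # constructed placeholder role id


def _parse_time(ts: str) -> datetime:
    # TimeGenerated is ISO 8601 in UTC; Python's fromisoformat wants +00:00 instead of Z
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def activated_role(record, role_id=None, role_display_name=None):
    """Return the matching Role entry of TargetResources, or None.

    Mirrors the query: only completed PIM activations count, and because
    TargetResources is an array the Role element is searched wherever it sits.
    """
    if record.get("OperationName") != PIM_ACTIVATION_COMPLETED:
        return None
    for target in record.get("TargetResources", []):
        if target.get("type") != "Role":
            continue
        if role_id is not None and target.get("id") != role_id:
            continue
        if role_display_name is not None and target.get("displayName") != role_display_name:
            continue
        return target
    return None


def matching_activations(records, role_id=None, role_display_name=None):
    """Rows the alert would surface: who activated which role, and when."""
    hits = []
    for rec in records:
        role = activated_role(rec, role_id, role_display_name)
        if role is None:
            continue
        actor = rec.get("InitiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
        hits.append({"time": rec["TimeGenerated"], "actor": actor,
                     "role": role.get("displayName"), "role_id": role.get("id")})
    return hits


def alert_fires(records, now_iso, window=timedelta(hours=1), threshold=0, **role_filter):
    """Mimic a log alert rule: count matches inside the look-back window and
    fire when the count exceeds the threshold (0, i.e. any activation)."""
    now = _parse_time(now_iso)
    start = now - window
    recent = [r for r in records if start <= _parse_time(r["TimeGenerated"]) <= now]
    return len(matching_activations(recent, **role_filter)) > threshold


def _event(ts, op, upn, targets):
    return {"TimeGenerated": ts, "OperationName": op,
            "InitiatedBy": {"user": {"userPrincipalName": upn}},
            "TargetResources": targets}


GA = {"type": "Role", "id": GLOBAL_ADMIN_ROLE_ID, "displayName": "Global Administrator"}
OTHER = {"type": "Role", "id": OTHER_ROLE_ID, "displayName": "Constructed Reader Role"}

# Constructed sample records (not real tenant data).
SAMPLE_AUDIT_LOGS = [
    # old activation, outside a one-hour window ending 2023-05-01T10:00Z
    _event("2023-04-30T08:00:00Z", PIM_ACTIVATION_COMPLETED, "eve@contoso.example",
           [GA, {"type": "User", "id": "u-eve", "displayName": "Eve"}]),
    _event("2023-05-01T09:00:00Z", PIM_ACTIVATION_COMPLETED, "alice@contoso.example",
           [GA, {"type": "User", "id": "u-alice", "displayName": "Alice"}]),
    # a different role: must not match
    _event("2023-05-01T09:05:00Z", PIM_ACTIVATION_COMPLETED, "bob@contoso.example",
           [OTHER, {"type": "User", "id": "u-bob", "displayName": "Bob"}]),
    # a request that has not completed: different OperationName, must not match
    _event("2023-05-01T09:10:00Z", "Add member to role requested (PIM activation)",
           "dave@contoso.example", [GA, {"type": "User", "id": "u-dave", "displayName": "Dave"}]),
    # Role element is second in the array here; the scan still finds it
    _event("2023-05-01T09:30:00Z", PIM_ACTIVATION_COMPLETED, "carol@contoso.example",
           [{"type": "User", "id": "u-carol", "displayName": "Carol"}, GA]),
]

if __name__ == "__main__":
    for hit in matching_activations(SAMPLE_AUDIT_LOGS, role_id=GLOBAL_ADMIN_ROLE_ID):
        print(f"{hit['time']}  {hit['actor']} activated {hit['role']}")
    print("alert fires:", alert_fires(SAMPLE_AUDIT_LOGS, "2023-05-01T10:00:00Z",
                                      role_id=GLOBAL_ADMIN_ROLE_ID))
```

Running it lists the three completed Global Administrator activations and reports that the alert would fire for the hour ending 10:00, because two of them fall in that window; the request-only event and the other role are ignored, which is the same outcome the query and alert rule produce in Azure Monitor.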