How to set up alerts when a user uses Azure Privileged Identity Management to activate Global Administrator (or any other role)

Azure provides a large number of role-based access control (RBAC) roles to provide fine-grained access to both Azure & Azure AD. It is best practice (especially for highly privileged roles) to use Azure Privileged Identity Management (PIM) to allow users to temporarily elevate their privileges as needed (similar to sudo or Run as Administrator).

However, it is not necessarily easy to find out when someone has elevated their privileges. This is especially important for roles like Global Administrator. There is an audit log in Azure AD, but you have to review it regularly.

View audit log report for Azure AD roles in Azure AD PIM – Microsoft Entra | Microsoft Learn

There are also automated alerts but these may not go to everyone who needs to see them.

An alternative solution is to get an alert (via email or any other system) when a highly privileged role has been activated via Log Analytics & Azure Monitor Alerts.

There are 3 steps to enable this solution.

  • Enable AAD Diagnostic Logs and have them sent to a Log Analytics workspace
  • Write a Kusto query which will retrieve the specific privilege escalations you are looking to be alerted on
  • Set up Azure Alerts for the results of a Kusto query

Enable AAD Diagnostic Logs and have them sent to a Log Analytics Workspace

You must enable Diagnostic Settings in order to have AAD audit logs sent to a Log Analytics workspace. Your AAD tenant must be licensed with an Azure AD P2 license.

Stream Azure Active Directory logs to Azure Monitor logs – Microsoft Entra | Microsoft Learn

It may take a few minutes before logs start streaming from AAD to your Log Analytics workspace after enabling this feature.

Write a Kusto query which will retrieve the specific privilege escalations you are looking to be alerted on

A sample Kusto query for determining when PIM has been activated for a specific role is:

AuditLogs
| where OperationName == 'Add member to role completed (PIM activation)'
// 62e90394-69f5-4237-9190-012177145e10 is the role template ID of Global Administrator
| where TargetResources[0].id == '62e90394-69f5-4237-9190-012177145e10'

AuditLogs is the table that contains PIM activations. TargetResources[0].id indicates which role was activated (you could also filter on TargetResources[0].displayName == 'Global Administrator', although the template ID is the more stable identifier).

Here is a table with the GUIDs for each built-in AAD role.

Azure AD built-in roles – Azure Active Directory – Microsoft Entra | Microsoft Learn

Set up Azure Alerts for the results of a Kusto query

Finally, you need to set up a log query alert rule in Azure Monitor that runs the query on a schedule and fires when it returns results. You can create it directly from the Log Analytics query editor.
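As an added example (not from the original post), here is a broader version of the query above that can be pasted into the alert rule: it covers several highly privileged roles instead of one and projects the activating user, source IP and role so the alert email is actionable. The list of role display names and the use of ResultReason for the justification text are assumptions; verify both against a real activation event in your own tenant.

```kusto
// Roles to alert on, matched by display name (assumed list; adjust to taste).
// Display names can change, so the Global Administrator template ID from the
// original post is also matched explicitly.
let PrivilegedRoles = dynamic([
    "Global Administrator",
    "Privileged Role Administrator",
    "Privileged Authentication Administrator",
    "Security Administrator"
]);
let GlobalAdminId = "62e90394-69f5-4237-9190-012177145e10";
AuditLogs
| where OperationName == "Add member to role completed (PIM activation)"
// TargetResources[0] is the role that was activated
| extend Role   = tostring(TargetResources[0].displayName),
         RoleId = tostring(TargetResources[0].id)
| where RoleId == GlobalAdminId or Role in (PrivilegedRoles)
// InitiatedBy.user carries the account that requested the activation
| extend Actor   = tostring(InitiatedBy.user.userPrincipalName),
         ActorIp = tostring(InitiatedBy.user.ipAddress),
         // Assumption: ResultReason holds the justification typed in PIM
         Justification = tostring(ResultReason)
| project TimeGenerated, Actor, ActorIp, Role, Result, Justification, CorrelationId
| order by TimeGenerated desc
```

In the alert rule, measure the number of table rows, set the threshold to greater than 0, and use an evaluation frequency and lookback window that match (for example, every 5 minutes over the last 5 minutes) so each activation is reported once.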
