Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Power Platform - Account added to privileged Microsoft Entra roles

Power Platform - Account added to privileged Microsoft Entra roles

Back
Id71d829d6-eb50-4a17-8a64-655fae8d71e1
RulenamePower Platform - Account added to privileged Microsoft Entra roles
DescriptionIdentifies changes to privileged directory roles impacting Power Platform:

- Dynamics 365 Admins

- Power Platform Admins

- Fabric Admins
SeverityLow
TacticsPrivilegeEscalation
TechniquesT1078
T1068
T1548
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Account added to privileged Microsoft Entra roles.yaml
Version3.2.1
Arm template71d829d6-eb50-4a17-8a64-655fae8d71e1.json
Deploy To Azure
// 44367163-eba1-44c3-98af-f5787879f96a = Dynamics 365 Administrator
// 11648597-926c-4cf3-9c36-bcebb0ba8dcc = Power Platform Administrator
// a9ea8996-122f-4c74-9520-8edcd192826c = Fabric Administrator
let query_frequency = 1h;
let role_template_ids = dynamic(["44367163-eba1-44c3-98af-f5787879f96a", "11648597-926c-4cf3-9c36-bcebb0ba8dcc", "a9ea8996-122f-4c74-9520-8edcd192826c"]);
let monitored_activities = dynamic(["Assign", "AssignGrantedRole", "AssignPermanentGrantedRole", "AssignPermanentEligibleRole", "RoleElevatedOutsidePimAlert"]);
AuditLogs
| where TimeGenerated >= ago(query_frequency)
| where Category == "RoleManagement"
    and TargetResources has_any (role_template_ids)
    and AADOperationType in (monitored_activities)
    and Identity != "MS-PIM" and Identity != "MS-PIM-Fairfax"
| extend
    UserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName),
    AadUserId = tostring(parse_json(tostring(InitiatedBy.user)).id),
    IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress),
    RoleName = tostring(TargetResources[0].displayName),
    UserAdded = tostring(TargetResources[2].userPrincipalName)
| extend
    RoleName = iif(isempty(RoleName), tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue), RoleName),
    UserAdded = iif(isempty(UserAdded), tostring(parse_json(tostring(TargetResources[0].userPrincipalName))), UserAdded),
    CloudAppId = int(32780),
    AccountName = tostring(split(UserPrincipalName, '@')[0]),
    UPNSuffix = tostring(split(UserPrincipalName, '@')[1])
| project
    TimeGenerated,
    Identity,
    UserPrincipalName,
    AadUserId,
    RoleName,
    OperationName,
    UserAdded,
    TargetResources,
    CloudAppId,
    AccountName,
    UPNSuffix

queryPeriod: 1d
query: |
  // 44367163-eba1-44c3-98af-f5787879f96a = Dynamics 365 Administrator
  // 11648597-926c-4cf3-9c36-bcebb0ba8dcc = Power Platform Administrator
  // a9ea8996-122f-4c74-9520-8edcd192826c = Fabric Administrator
  let query_frequency = 1h;
  let role_template_ids = dynamic(["44367163-eba1-44c3-98af-f5787879f96a", "11648597-926c-4cf3-9c36-bcebb0ba8dcc", "a9ea8996-122f-4c74-9520-8edcd192826c"]);
  let monitored_activities = dynamic(["Assign", "AssignGrantedRole", "AssignPermanentGrantedRole", "AssignPermanentEligibleRole", "RoleElevatedOutsidePimAlert"]);
  AuditLogs
  | where TimeGenerated >= ago(query_frequency)
  | where Category == "RoleManagement"
      and TargetResources has_any (role_template_ids)
      and AADOperationType in (monitored_activities)
      and Identity != "MS-PIM" and Identity != "MS-PIM-Fairfax"
  | extend
      UserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName),
      AadUserId = tostring(parse_json(tostring(InitiatedBy.user)).id),
      IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress),
      RoleName = tostring(TargetResources[0].displayName),
      UserAdded = tostring(TargetResources[2].userPrincipalName)
  | extend
      RoleName = iif(isempty(RoleName), tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue), RoleName),
      UserAdded = iif(isempty(UserAdded), tostring(parse_json(tostring(TargetResources[0].userPrincipalName))), UserAdded),
      CloudAppId = int(32780),
      AccountName = tostring(split(UserPrincipalName, '@')[0]),
      UPNSuffix = tostring(split(UserPrincipalName, '@')[1])
  | project
      TimeGenerated,
      Identity,
      UserPrincipalName,
      AadUserId,
      RoleName,
      OperationName,
      UserAdded,
      TargetResources,
      CloudAppId,
      AccountName,
      UPNSuffix  
version: 3.2.1
name: Power Platform - Account added to privileged Microsoft Entra roles
entityMappings:
- fieldMappings:
  - columnName: CloudAppId
    identifier: AppId
  entityType: CloudApplication
- fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
eventGroupingSettings:
  aggregationKind: SingleAlert
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Account added to privileged Microsoft Entra roles.yaml
alertDetailsOverride:
  alertDisplayNameFormat: Power Platform - Account added to privileged role {{RoleName}}
  alertDescriptionFormat: 'A user {{UserAdded}} was added to one of the Power Platform administrative roles: {{{RoleName}}'
description: |
  Identifies changes to privileged directory roles impacting Power Platform:
  - Dynamics 365 Admins
  - Power Platform Admins
  - Fabric Admins  
kind: Scheduled
status: Available
severity: Low
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
triggerOperator: gt
triggerThreshold: 0
tactics:
- PrivilegeEscalation
id: 71d829d6-eb50-4a17-8a64-655fae8d71e1
relevantTechniques:
- T1078
- T1068
- T1548