Monitoring admin roles in LogAnalytics

When getting to know an environment, I always want to know who added admin roles to a user account. At least, I like to know who added which user to an admin role.

But…

In LogAnalytics you’ll find the AuditLogs table, but what do you need to check? Do I find PIM activations interesting? Probably not. Do I want to see all PIM elevations? Maybe.

What I specifically do find interesting is user accounts being added to admin roles outside PIM, and who added an eligibility or assignment for an admin role to one of the users.

But looking up that information may leave you frustrated with a lot of information you will never use.

Most of the time I use a KQL query that looks up the two scenarios mentioned above in one query. With this query you can create alerts in LogAnalytics to monitor the behaviour:

  1. Who added an admin role outside PIM? (users with a name “admin”)
  2. Who added an eligibility of an admin role in PIM?

AuditLogs
| where (OperationName contains "Add member to role" and TargetResources contains "admin" and Identity <> "MS-PIM" and LoggedByService <> "PIM")
    or (OperationName contains "Add eligible member to role in PIM requested" and TargetResources contains "admin")

In case you have specific users with “admin” in their account name, you can also work around this by using the following query, which only targets by role name explicitly:

AuditLogs
| where TargetResources contains "Administrator"
    and ((OperationName contains "Add member to role" and Identity <> "MS-PIM" and LoggedByService <> "PIM")
      or OperationName contains "Add eligible member to role in PIM requested")
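To turn the two scenarios above into an alert that names the actor, the target user and the role, here is an added example (not the query from the original post) that extracts those fields from the InitiatedBy and TargetResources columns. It assumes the Entra ID audit schema in which the role is carried either as a TargetResources entry of type "Role" or as a "Role.DisplayName" modified property on the user entry; the one-hour window and the "Administrator" filter are assumptions you can adjust.

```kql
// Added example: role assignments outside PIM and PIM eligibility requests,
// reduced to one row per event with actor, target user and role name.
AuditLogs
| where TimeGenerated > ago(1h)                              // assumed alert window
| where (OperationName == "Add member to role"
         and Identity <> "MS-PIM" and LoggedByService <> "PIM")
     or OperationName contains "Add eligible member to role in PIM requested"
// who did it: interactive user, or an application when no user is present
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                          tostring(InitiatedBy.app.displayName))
| mv-expand Target = TargetResources
// mv-expand drops rows whose array is empty, so keep a null placeholder
| extend Props = iff(coalesce(array_length(Target.modifiedProperties), 0) == 0,
                     dynamic([null]), Target.modifiedProperties)
| mv-expand Prop = Props
// the role name is either a "Role" target resource (PIM requests) or the
// Role.DisplayName property on the user entry (direct assignments; its
// newValue is a JSON-encoded string, so the surrounding quotes are trimmed)
| extend RoleName = case(
      tostring(Target.type) == "Role", tostring(Target.displayName),
      tostring(Prop.displayName) == "Role.DisplayName", trim(@'"', tostring(Prop.newValue)),
      "")
| summarize Actor = take_any(Actor),
            TargetUser = take_anyif(tostring(Target.userPrincipalName), tostring(Target.type) == "User"),
            Role = take_anyif(RoleName, isnotempty(RoleName))
    by TimeGenerated, OperationName, Result, CorrelationId
| where Role contains "Administrator"                       // assumed role filter
| project TimeGenerated, OperationName, Result, Actor, TargetUser, Role, CorrelationId
| order by TimeGenerated desc
```

CorrelationId is kept so an alert can be joined back to the other audit records of the same request.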

If you use Sentinel, you’ll see some of the available analytics rules that will do the same for you, but, as in my case, not every customer uses Sentinel.

And we DO want to know what is going on in the customer environment 😉
