Hunting query that identifies guest or external accounts being added to privileged Entra ID directory roles. External accounts are identified by the presence of #EXT# in the UserPrincipalName, which is the standard suffix assigned by Entra ID to all guest and B2B invited users. Privileged roles covered include Global Administrator, Privileged Role Administrator, Security Administrator, Exchange Administrator, SharePoint Administrator, Application Administrator, Cloud Application Administrator, A
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Standalone Content |
| ID | abed6064-9406-4171-a961-5fd38de5f79a |
| Tactics | Persistence, PrivilegeEscalation |
| Techniques | T1098.003 |
| Required Connectors | AzureActiveDirectory |
| Source | [View on GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AuditLogs/GuestAccountAddedToPrivilegedRole.yaml) |