Multiple admin membership removals from newly created admin.

Status: available
Severity: medium
Time window: 7d
Group by: Initiator, OperationName, Result, RoleName, Target
Source: github.com/Azure/Azure-Sentinel

This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.

MITRE ATT&CK coverage

Tactic	Techniques
Impact	`T1531` Account Access Removal

Event coverage

Provider	Event	Title
Entra-AuditLogs	_catch_all	Entra ID audit event (any operation)

Rules detecting the same action

Other rules on this platform that filter on the same API call or operation.

Admin promotion after Role Management Application Permission Grant (Kusto)
Bulk Changes to Privileged Account Permissions (Kusto)
Changes to PIM Settings (Kusto)
Detect PIM Alert Disabling activity (Kusto)
New External User Granted Admin Role (Kusto)
NRT Privileged Role Assigned Outside PIM (Kusto)
NRT User added to Microsoft Entra ID Privileged Groups (Kusto)
Power Platform - Account added to privileged Microsoft Entra roles (Kusto)

Rule body kusto

id: cda5928c-2c1e-4575-9dfa-07568bc27a4f
name: Multiple admin membership removals from newly created admin.
description: |
  'This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. 
   Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.'
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
queryFrequency: 1h
queryPeriod: 7d
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - Impact
relevantTechniques:
  - T1531
tags:
  - DEV-0537
query: |
  let lookback = 7d; 
  let timeframe = 1h; 
  let GlobalAdminsRemoved = AuditLogs 
  | where TimeGenerated > ago(timeframe) 
  | where Category =~ "RoleManagement" 
  | where AADOperationType in ("Unassign", "RemoveEligibleRole") 
  | where ActivityDisplayName has_any ("Remove member from role", "Remove eligible member from role") 
  | mv-apply TargetResource = TargetResources on 
    (
        where TargetResource.type =~ "User"
        | extend Target = tostring(TargetResource.userPrincipalName),
                 props = TargetResource.modifiedProperties
    )
  | mv-apply Property = props on 
        (
            where Property.displayName =~ "Role.DisplayName"
            | extend RoleName = trim('"',tostring(Property.oldValue))
        )
  | where RoleName =~ "Global Administrator" // Add other Privileged role if applicable
  | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
  | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
  | extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
  | extend Initiator = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName) 
  | where Initiator != "MS-PIM" and Initiator != "MS-PIM-Fairfax"  // Filtering PIM events  
  | summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target,100) by OperationName, RoleName, Initiator, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIpAddress, Result; 
  let GlobalAdminsAdded = AuditLogs 
  | where TimeGenerated > ago(lookback) 
  | where Category =~ "RoleManagement" 
  | where AADOperationType in ("Assign", "AssignEligibleRole") 
  | where ActivityDisplayName has_any ("Add eligible member to role", "Add member to role") and Result == "success" 
  | mv-apply TargetResource = TargetResources on 
    (
        where TargetResource.type =~ "User"
        | extend Target = tostring(TargetResource.userPrincipalName),
                 props = TargetResource.modifiedProperties
    )
  | mv-apply Property = props on 
        (
            where Property.displayName =~ "Role.DisplayName"
            | extend RoleName = trim('"',tostring(Property.newValue))
        )
  | where RoleName =~ "Global Administrator" // Add other Privileged role if applicable
  | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
  | extend Initiator = iif(isnotempty(InitiatingAppName), InitiatingAppName, tostring(InitiatedBy.user.userPrincipalName)) 
  | where Initiator != "MS-PIM" and Initiator != "MS-PIM-Fairfax"  // Filtering PIM events 
  | summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result;
  GlobalAdminsAdded 
  | join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator 
  | where AddedGlobalAdminTime < RemovedGlobalAdminTime 
  | extend NoofAdminsRemoved = array_length(TargetAdmins) 
  | where NoofAdminsRemoved > 1
  | project AddedGlobalAdminTime, Initiator, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIpAddress, Target, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved
  | extend TargetName = tostring(split(Target,'@',0)[0]), TargetUPNSuffix = tostring(split(Target,'@',1)[0])
  | extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@',1)[0])
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: Target
      - identifier: Name
        columnName: TargetName
      - identifier: UPNSuffix
        columnName: TargetUPNSuffix
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: InitiatingUserPrincipalName
      - identifier: Name
        columnName: InitiatedByName
      - identifier: UPNSuffix
        columnName: InitiatedByUPNSuffix
  - entityType: Account
    fieldMappings:
      - identifier: AadUserId
        columnName: InitiatingAadUserId
  - entityType: Account
    fieldMappings:
      - identifier: AadUserId
        columnName: InitiatingAppServicePrincipalId
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: InitiatingIpAddress
version: 1.0.3
kind: Scheduled

Stages and Predicates

Parameters

let lookback = 7d;
let timeframe = 1h;

Let binding: `GlobalAdminsRemoved`

let GlobalAdminsRemoved = AuditLogs 
| where TimeGenerated > ago(timeframe) 
| where Category =~ "RoleManagement" 
| where AADOperationType in ("Unassign", "RemoveEligibleRole") 
| where ActivityDisplayName has_any ("Remove member from role", "Remove eligible member from role") 
| mv-apply TargetResource = TargetResources on 
  (
      where TargetResource.type =~ "User"
      | extend Target = tostring(TargetResource.userPrincipalName),
               props = TargetResource.modifiedProperties
  )
| mv-apply Property = props on 
      (
          where Property.displayName =~ "Role.DisplayName"
          | extend RoleName = trim('"',tostring(Property.oldValue))
      )
| where RoleName =~ "Global Administrator"
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
| extend Initiator = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName) 
| where Initiator != "MS-PIM" and Initiator != "MS-PIM-Fairfax"
| summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target,100) by OperationName, RoleName, Initiator, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIpAddress, Result;

Derived from timeframe.

The stages below define let GlobalAdminsAdded (the rule's main pipeline source).

Stage 1: `source`

AuditLogs

Stage 2: `where`

| where TimeGenerated > ago(lookback)

Stage 3: `where`

| where Category =~ "RoleManagement"

Stage 4: `where`

| where AADOperationType in ("Assign", "AssignEligibleRole")

Stage 5: `where`

| where ActivityDisplayName has_any ("Add eligible member to role", "Add member to role") and Result == "success"

Stage 6: `kusto:mv-apply`

| mv-apply TargetResource = TargetResources on 
  (
      where TargetResource.type =~ "User"
      | extend Target = tostring(TargetResource.userPrincipalName),
               props = TargetResource.modifiedProperties
  )

Stage 7: `kusto:mv-apply`

| mv-apply Property = props on 
      (
          where Property.displayName =~ "Role.DisplayName"
          | extend RoleName = trim('"',tostring(Property.newValue))
      )

Stage 8: `where`

| where RoleName =~ "Global Administrator"

Stage 9: `extend`

| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)

Stage 10: `extend`

| extend Initiator = iif(isnotempty(InitiatingAppName), InitiatingAppName, tostring(InitiatedBy.user.userPrincipalName))

Stage 11: `where`

| where Initiator != "MS-PIM" and Initiator != "MS-PIM-Fairfax"

Stage 12: `summarize`

| summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result

Threshold: lt RemovedGlobalAdminTime

The stages below run on GlobalAdminsAdded (the outer pipeline).

Stage 13: `join`

GlobalAdminsAdded
| join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator

Stage 14: `where`

| where AddedGlobalAdminTime < RemovedGlobalAdminTime

Stage 15: `extend`

| extend NoofAdminsRemoved = array_length(TargetAdmins)

Stage 16: `where`

| where NoofAdminsRemoved > 1

Stage 17: `project`

| project AddedGlobalAdminTime, Initiator, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIpAddress, Target, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved

Stage 18: `extend`

| extend TargetName = tostring(split(Target,'@',0)[0]), TargetUPNSuffix = tostring(split(Target,'@',1)[0])

Stage 19: `extend`

| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@',1)[0])

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`AADOperationType`	in	`Assign` transforms: `cased` `AssignEligibleRole` transforms: `cased` `RemoveEligibleRole` transforms: `cased` `Unassign` transforms: `cased`
`ActivityDisplayName`	match	`Add eligible member to role` `Add member to role` `Remove eligible member from role` `Remove member from role`
`AddedGlobalAdminTime`	lt	`RemovedGlobalAdminTime` transforms: `cased`
`Category`	eq	`RoleManagement`
`Initiator`	ne	`MS-PIM` transforms: `cased` `MS-PIM-Fairfax` transforms: `cased`
`NoofAdminsRemoved`	gt	`1` transforms: `cased`
`Result`	eq	`success` transforms: `cased`
`RoleName`	eq	`Global Administrator`
`displayName`	eq	`Role.DisplayName`
`type`	eq	`User`

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field	Source
`AddedGlobalAdminTime`	`project`
`InitiatingAadUserId`	`project`
`InitiatingAppName`	`project`
`InitiatingAppServicePrincipalId`	`project`
`InitiatingIpAddress`	`project`
`InitiatingUserPrincipalName`	`project`
`Initiator`	`project`
`NoofAdminsRemoved`	`project`
`RemovedGlobalAdminTime`	`project`
`Target`	`project`
`TargetAdmins`	`project`
`TargetName`	`extend`
`TargetUPNSuffix`	`extend`
`InitiatedByName`	`extend`
`InitiatedByUPNSuffix`	`extend`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Multiple admin membership removals from newly created admin.

MITRE ATT&CK coverage

Event coverage

Rules detecting the same action

Rule body kusto

Stages and Predicates

Parameters

Let binding: `GlobalAdminsRemoved`

Stage 1: `source`

Stage 2: `where`

Stage 3: `where`

Stage 4: `where`

Stage 5: `where`

Stage 6: `kusto:mv-apply`

Stage 7: `kusto:mv-apply`

Stage 8: `where`

Stage 9: `extend`

Stage 10: `extend`

Stage 11: `where`

Stage 12: `summarize`

Stage 13: `join`

Stage 14: `where`

Stage 15: `extend`

Stage 16: `where`

Stage 17: `project`

Stage 18: `extend`

Stage 19: `extend`

Indicators

Output fields

Keyboard shortcuts

Search operators

Multiple admin membership removals from newly created admin.

MITRE ATT&CK coverage

Event coverage

Rules detecting the same action

Rule body kusto

Stages and Predicates

Parameters

Let binding: GlobalAdminsRemoved

Stage 1: source

Stage 2: where

Stage 3: where

Stage 4: where

Stage 5: where

Stage 6: kusto:mv-apply

Stage 7: kusto:mv-apply

Stage 8: where

Stage 9: extend

Stage 10: extend

Stage 11: where

Stage 12: summarize

Stage 13: join

Stage 14: where

Stage 15: extend

Stage 16: where

Stage 17: project

Stage 18: extend

Stage 19: extend

Indicators

Output fields

Let binding: `GlobalAdminsRemoved`

Stage 1: `source`

Stage 2: `where`

Stage 3: `where`

Stage 4: `where`

Stage 5: `where`

Stage 6: `kusto:mv-apply`

Stage 7: `kusto:mv-apply`

Stage 8: `where`

Stage 9: `extend`

Stage 10: `extend`

Stage 11: `where`

Stage 12: `summarize`

Stage 13: `join`

Stage 14: `where`

Stage 15: `extend`

Stage 16: `where`

Stage 17: `project`

Stage 18: `extend`

Stage 19: `extend`