What Changed

Added three hunting queries addressing workload identity abuse and privileged role assignment anomalies - a detection area with limited existing coverage targeting active threat actor techniques (Storm-0558, Midnight Blizzard).

Detection Logic

Directory Role Assigned Outside PIM

  • Primary data source: AuditLogs
  • Core logic: detects permanent directory role assignments to privileged roles (Global Administrator, Privileged Role Administrator, Application Administrator) made via direct assignment path, bypassing Privileged Identity Management approval and justification requirements
  • Entity types: Account (actor and target), IP
  • Uses exact OperationName match “Add member to role” (no PIM suffix) to exclude PIM activation and PIM-managed assignment variants
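
A KQL sketch of the outside-PIM logic described above, added here as an illustration and not the query shipped in DirectoryRoleAssignedOutsidePIM.yaml. It assumes the standard Sentinel AuditLogs schema (InitiatedBy, TargetResources, LoggedByService); the 14-day lookback and the trimming of the JSON-quoted Role.DisplayName value are assumptions.

```kql
// Added example, not the PR's query. Privileged roles to watch (assumed list).
let privilegedRoles = dynamic([
    "Global Administrator",
    "Privileged Role Administrator",
    "Application Administrator"
]);
AuditLogs
| where TimeGenerated > ago(14d)                      // assumed lookback window
| where Category == "RoleManagement"
// Exact match: PIM paths log "Add member to role completed (PIM activation)" and
// "... in PIM completed (permanent)", so they fall out of this filter.
| where OperationName == "Add member to role"
| where Result == "success"
// One row per target object in the event (the user receiving the role).
| mv-expand TargetResource = TargetResources
| extend TargetUPN = tostring(TargetResource.userPrincipalName),
         TargetType = tostring(TargetResource.type)
// Role.DisplayName arrives as a JSON-quoted string, e.g. "\"Global Administrator\"".
| mv-expand ModifiedProperty = TargetResource.modifiedProperties
| where tostring(ModifiedProperty.displayName) == "Role.DisplayName"
| extend RoleName = trim('"', tostring(ModifiedProperty.newValue))
| where RoleName in (privilegedRoles)
// Actor may be a user or an app (e.g. a service principal with RoleManagement rights).
| extend ActorUPN = tostring(InitiatedBy.user.userPrincipalName),
         ActorApp = tostring(InitiatedBy.app.displayName),
         ActorIP  = tostring(InitiatedBy.user.ipAddress)
| project TimeGenerated, OperationName, LoggedByService, RoleName,
          TargetType, TargetUPN, ActorUPN, ActorApp, ActorIP, CorrelationId
| order by TimeGenerated desc
```

LoggedByService is kept in the output because direct assignments surface as "Core Directory" while PIM-originated events carry "PIM", which gives a quick second check on the OperationName filter.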

Workload Identity Sign-in from New Country

  • Primary data source: AADServicePrincipalSignInLogs
  • Core logic: identifies service principal sign-ins from countries not present in the SP’s 14-day geographic baseline, using hint.strategy=broadcast on baseline join
  • Entity types: Account, IP
  • Detects stolen client credentials replayed from attacker infrastructure

Application App Role Assigned High Privilege

  • Primary data source: AuditLogs
  • Core logic: flags application role assignments to service principals where granted role is high-risk (Mail.ReadWrite, Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory, Application.ReadWrite.All)
  • Entity types: Account, IP
  • Covers application-permission equivalent of consent grants, targeting persistent Exchange access mechanism

Security Impact (Visibility & Fidelity)

These queries address critical detection gaps where:

  • Workload identities with stable infrastructure patterns suddenly sign in from new geographic locations indicating credential theft
  • Privileged directory roles are assigned outside PIM workflows, bypassing approval and justification controls
  • Application-level permissions grant tenant-wide access without user context, invisible to standard delegated permission reviews

MITRE Mapping

  • Initial Access, Credential Access (T1078.004): Valid Accounts: Cloud Accounts - targeting service principal abuse
  • Persistence, Credential Access (T1098.003): Account Manipulation: Additional Cloud Roles - detecting role assignment abuse
  • Persistence, Credential Access (T1528): Steal Application Access Token - covering application permission grants

Affected Files

Hunting Queries/AuditLogs/ApplicationAppRoleAssignedHighPrivilege.yaml
Hunting Queries/AuditLogs/DirectoryRoleAssignedOutsidePIM.yaml
Hunting Queries/MultipleDataSources/WorkloadIdentitySignInFromNewCountry.yaml