Role Report

Query Information

Description

This query can be used to draw an report of the Entra ID role memberships for all users.

Defender XDR

let TimeFrame = 30d;
IdentityInfo
| where Timestamp > ago(TimeFrame)
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| mv-expand AssignedRoles
| where isnotempty(AssignedRoles)
| summarize TotalRoles = dcount(tostring(AssignedRoles)), MemberOf = make_set(tostring(AssignedRoles), 1000) by AccountObjectId, AccountDisplayName, AccountUPN
| extend ReportDate = now()
| sort by TotalRoles desc

Sentinel

let TimeFrame = 30d;
IdentityInfo
| where TimeGenerated > ago(TimeFrame)
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| mv-expand AssignedRoles
| where isnotempty(AssignedRoles)
| summarize TotalRoles = dcount(tostring(AssignedRoles)), MemberOf = make_set(tostring(AssignedRoles), 1000) by AccountObjectId, AccountDisplayName, AccountUPN
| extend ReportDate = now()
| sort by TotalRoles desc

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

RoleReport.md

RoleReport.md

Role Report

Query Information

Description

Defender XDR

Sentinel

Files

RoleReport.md

Latest commit

History

RoleReport.md

File metadata and controls

Role Report

Query Information

Description

Defender XDR

Sentinel