Saturday, May 17, 2025

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Kusto Query LanguageMicrosoft SentinelSECURE

List All Global Admins In Your Tenant

Wayne Andes 2 min read

Description

This KQL query lists all accounts that have the Global Admin role assigned to their account. If you have enabled PIM, then only users that have “pimmed” to Global Admin in the search period will be shown.

Query

Microsoft Sentinel
Kusto
IdentityInfo
| where AssignedRoles contains "Global Admin"
| distinct AccountName, AccountDomain, AccountUPN, AccountSID
// If PIM is enabled for Global Admins the list shows only the Global Admins that have used PIM to gain the privileges.

References

You May Also Like

Visualize Devices That Initiate The Most Cleartext LDAP Authentications

Wayne Andes

List PowerShell Invoke-Webrequest Execution

Wayne Andes

List Local User Account Created

Wayne Andes

Leave a Reply

Your email address will not be published. Required fields are marked *