Investigating IdentityInfo: The Account Looked Normal. The Permissions Didn't.
The sign-in looked legitimate.
MFA was successful.
Everything appeared normal.
Until investigators examined the account itself.
The user was not supposed to have elevated permissions.
IdentityInfo told a different story.
Lesson overview
Learn how IdentityInfo helps defenders understand who an account belongs to, what access it has and how much risk it represents.
Why IdentityInfo matters
Investigation scenario
Step 1 — Review identity records
- 1
- 2
- 3
- 4
- 5
- 6
- 7
IdentityInfo | where Timestamp > ago(30d) | project Timestamp, AccountUpn, AccountDisplayName, Department, JobTitle, Manager, IsAccountEnabled, RiskLevel | order by Timestamp desc
Step 2 — Investigate one user
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
let User = "user@company.com"; IdentityInfo | where AccountUpn =~ User | project Timestamp, AccountUpn, AccountDisplayName, Department, JobTitle, Manager, IsAccountEnabled, RiskLevel, RiskStatus, CriticalityLevel | order by Timestamp desc
Step 3 — Review privileged accounts
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
IdentityInfo | where Timestamp > ago(30d) | where isnotempty(AssignedRoles) | project Timestamp, AccountUpn, AccountDisplayName, Department, JobTitle, AssignedRoles, RiskLevel | order by Timestamp desc
Step 4 — Investigate group memberships
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
let User = "user@company.com"; IdentityInfo | where AccountUpn =~ User | where isnotempty(GroupMembership) | mv-expand GroupMembership | project AccountUpn, AccountDisplayName, GroupName = tostring(GroupMembership) | order by GroupName asc
Step 5 — Find highly privileged users
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
IdentityInfo | where Timestamp > ago(30d) | where AssignedRoles has_any ("Global Administrator", "Privileged Role Administrator", "Security Administrator", "Exchange Administrator") | project AccountUpn, AccountDisplayName, Department, JobTitle, AssignedRoles, RiskLevel | order by AccountUpn asc
Step 6 — Build identity context
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
let User = "user@company.com"; IdentityInfo | where AccountUpn =~ User | project AccountUpn, AccountDisplayName, Type, Department, JobTitle, Manager, IsAccountEnabled, AssignedRoles, GroupMembership, RiskLevel, RiskStatus, CriticalityLevel, BlastRadius, TenantMembershipType | order by Timestamp desc
