Detect Trusted Relationship in Microsoft Sentinel
Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third-party relationships abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network. Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. These relationships include IT services contractors, managed security providers, and infrastructure contractors. In Office 365 and Azure AD environments, organizations may grant Microsoft partners or resellers delegated administrator permissions. By compromising a partner or reseller account, an adversary may be able to leverage existing delegated administrator relationships or send new delegated administrator offers to clients in order to gain administrative control over the victim tenant.
MITRE ATT&CK
- Tactic
- Initial Access
- Technique
- T1199 Trusted Relationship
- Canonical reference
- https://attack.mitre.org/techniques/T1199/
KQL Detection Query
// Detect suspicious trusted relationship abuse — delegated admin grants, cross-tenant access, and service provider account anomalies
let SensitiveOperations = dynamic([
"Add delegated permission grant",
"Add partner to cross-tenant access setting",
"Add policy to cross-tenant access setting",
"Set partner information",
"Add member to role",
"Add app role assignment to service principal",
"Add service principal"
]);
let SuspiciousRoles = dynamic([
"Global Administrator",
"Privileged Role Administrator",
"Exchange Administrator",
"SharePoint Administrator",
"Security Administrator",
"Helpdesk Administrator",
"User Administrator"
]);
// Part 1: New delegated admin relationship grants and partner configuration changes
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName in (SensitiveOperations)
| extend InitiatorUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatorIP = tostring(InitiatedBy.user.ipAddress)
| extend InitiatorAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatorAppId = tostring(InitiatedBy.app.appId)
| extend TargetName = tostring(TargetResources[0].displayName)
| extend TargetType = tostring(TargetResources[0].type)
| extend TargetId = tostring(TargetResources[0].id)
| extend ModProps = tostring(TargetResources[0].modifiedProperties)
| where Result =~ "success"
| extend EventCategory = "DelegatedAdminGrant"
| project TimeGenerated, EventCategory, OperationName, InitiatorUPN, InitiatorIP,
InitiatorAppName, InitiatorAppId, TargetName, TargetType, TargetId,
ModProps, Result, CorrelationId
| union kind=outer (
// Part 2: Cross-tenant sign-ins by external service providers accessing privileged resources
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == 0
| where CrossTenantAccessType != "none" and isnotempty(CrossTenantAccessType)
| where ResourceTenantId != HomeTenantId
| extend IsPrivilegedApp = AppDisplayName has_any ("Exchange", "SharePoint", "Teams", "Security", "Compliance", "Azure Active Directory", "Graph")
| where IsPrivilegedApp == true
| extend EventCategory = "CrossTenantPrivilegedAccess"
| project TimeGenerated, EventCategory,
OperationName = strcat("Cross-Tenant Sign-In via ", CrossTenantAccessType),
InitiatorUPN = UserPrincipalName,
InitiatorIP = IPAddress,
InitiatorAppName = AppDisplayName,
InitiatorAppId = AppId,
TargetName = ResourceDisplayName,
TargetType = "Application",
TargetId = ResourceTenantId,
ModProps = tostring(DeviceDetail),
Result = "Success",
CorrelationId
)
| union kind=outer (
// Part 3: Privileged role assignments to external/guest accounts (often MSP onboarding step)
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName in ("Add member to role", "Add eligible member to role")
| extend InitiatorUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatorIP = tostring(InitiatedBy.user.ipAddress)
| extend TargetUPN = tostring(TargetResources[0].userPrincipalName)
| extend RoleName = tostring(TargetResources[1].displayName)
| where RoleName in (SuspiciousRoles)
| where TargetUPN contains "#EXT#" or TargetUPN contains "_" // "#EXT#" marks B2B guest UPNs; the "_" match is a broad heuristic that also hits internal UPNs containing an underscore
| where Result =~ "success"
| extend EventCategory = "ExternalAccountPrivilegedRoleGrant"
| project TimeGenerated, EventCategory,
OperationName = strcat("Role Grant: ", RoleName, " to external account"),
InitiatorUPN, InitiatorIP,
InitiatorAppName = "",
InitiatorAppId = "",
TargetName = TargetUPN,
TargetType = "User",
TargetId = tostring(TargetResources[0].id),
ModProps = RoleName,
Result = "Success",
CorrelationId
)
| sort by TimeGenerated desc
Detects trusted relationship abuse across three dimensions in Azure AD and Office 365: (1) new delegated admin permission grants and partner cross-tenant access configuration changes in AuditLogs, signaling MSP relationship establishment or modification; (2) successful cross-tenant sign-ins by external service providers accessing privileged applications such as Exchange, SharePoint, and Security Center; (3) privileged role assignments to external or guest accounts (identified by #EXT# suffix or external UPN patterns). Together these cover the most common indicators of T1199 in cloud environments — partner relationship exploitation, GDAP/DAP abuse, and MSP-pivoted access. Requires Azure AD P1 for SigninLogs with CrossTenantAccessType field.
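To make the three-part logic above testable offline, the following is an added example (not the page's own code and not a Sentinel artifact) that re-implements the query in Python over constructed AuditLogs- and SigninLogs-shaped records. Field names follow the Sentinel table schemas; every sample value (tenant ids, UPNs, IPs, timestamps) is made up. Because "Add member to role" appears both in SensitiveOperations and in Part 3, a single privileged grant to a guest produces two rows with the same CorrelationId, which the sample data makes visible.

```python
# Added example, not the page's own code: the three-part query above re-implemented
# in Python over constructed AuditLogs / SigninLogs-shaped records, so the matching
# logic can be exercised offline. Field names follow the Sentinel tables; every
# sample value is made up.
from datetime import datetime, timedelta, timezone

SENSITIVE_OPERATIONS = {"Add delegated permission grant", "Add partner to cross-tenant access setting",
                        "Add policy to cross-tenant access setting", "Set partner information",
                        "Add member to role", "Add app role assignment to service principal",
                        "Add service principal"}
SUSPICIOUS_ROLES = {"Global Administrator", "Privileged Role Administrator", "Exchange Administrator",
                    "SharePoint Administrator", "Security Administrator", "Helpdesk Administrator",
                    "User Administrator"}
PRIVILEGED_APP_TERMS = ("Exchange", "SharePoint", "Teams", "Security", "Compliance",
                        "Azure Active Directory", "Graph")
ROLE_GRANT_OPS = ("Add member to role", "Add eligible member to role")
WINDOW = timedelta(hours=24)   # ago(24h)

def _target(rec, idx, key):
    """tostring(TargetResources[idx].key); a missing element or key yields ''."""
    res = rec.get("TargetResources") or []
    return str(res[idx].get(key) or "") if idx < len(res) else ""

def _initiator(rec, key):
    return str(((rec.get("InitiatedBy") or {}).get("user") or {}).get(key) or "")

def _row(rec, category, op, upn, ip, target, ttype, mod):
    """One row in the common column set the query's union projects to."""
    return {"TimeGenerated": rec["TimeGenerated"], "EventCategory": category, "OperationName": op,
            "InitiatorUPN": upn, "InitiatorIP": ip, "TargetName": target, "TargetType": ttype,
            "ModProps": mod, "CorrelationId": rec.get("CorrelationId", "")}

def _ok(rec, now):
    """In the 24h window and Result =~ "success"."""
    return rec["TimeGenerated"] > now - WINDOW and str(rec.get("Result", "")).lower() == "success"

def part1_delegated_admin_grants(audit_logs, now):
    """Part 1: successful partner / delegation operations in the window."""
    return [_row(r, "DelegatedAdminGrant", r["OperationName"], _initiator(r, "userPrincipalName"),
                 _initiator(r, "ipAddress"), _target(r, 0, "displayName"), _target(r, 0, "type"),
                 _target(r, 0, "modifiedProperties"))
            for r in audit_logs if _ok(r, now) and r["OperationName"] in SENSITIVE_OPERATIONS]

def part2_cross_tenant_privileged(signin_logs, now):
    """Part 2: successful cross-tenant sign-ins to privileged applications.
    KQL has_any matches whole terms; the substring test here is slightly broader."""
    out = []
    for r in signin_logs:
        cta = r.get("CrossTenantAccessType") or ""
        if (r["TimeGenerated"] <= now - WINDOW or r.get("ResultType") != 0 or cta in ("", "none")
                or r.get("ResourceTenantId") == r.get("HomeTenantId")):
            continue
        if any(t.lower() in r.get("AppDisplayName", "").lower() for t in PRIVILEGED_APP_TERMS):
            out.append(_row(r, "CrossTenantPrivilegedAccess", f"Cross-Tenant Sign-In via {cta}",
                            r["UserPrincipalName"], r["IPAddress"], r.get("ResourceDisplayName", ""),
                            "Application", str(r.get("DeviceDetail", ""))))
    return out

def part3_external_role_grants(audit_logs, now):
    """Part 3: privileged role grants to accounts that look external. The '_' test
    reproduces the query's heuristic, which also matches internal names like svc_backup."""
    out = []
    for r in audit_logs:
        role, upn = _target(r, 1, "displayName"), _target(r, 0, "userPrincipalName")
        if (_ok(r, now) and r["OperationName"] in ROLE_GRANT_OPS and role in SUSPICIOUS_ROLES
                and ("#EXT#" in upn or "_" in upn)):
            out.append(_row(r, "ExternalAccountPrivilegedRoleGrant", f"Role Grant: {role} to external account",
                            _initiator(r, "userPrincipalName"), _initiator(r, "ipAddress"), upn, "User", role))
    return out

def run_detection(audit_logs, signin_logs, now):
    """union kind=outer of the three parts, sorted by TimeGenerated desc."""
    rows = (part1_delegated_admin_grants(audit_logs, now) + part2_cross_tenant_privileged(signin_logs, now)
            + part3_external_role_grants(audit_logs, now))
    return sorted(rows, key=lambda a: a["TimeGenerated"], reverse=True)

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)   # constructed reference time

def _audit(min_ago, op, result, targets):
    return {"TimeGenerated": NOW - timedelta(minutes=min_ago), "OperationName": op, "Result": result,
            "CorrelationId": f"corr-{min_ago}", "TargetResources": targets,
            "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example", "ipAddress": "203.0.113.10"}}}

def _signin(min_ago, result, cta, app, home="tenant-msp"):
    return {"TimeGenerated": NOW - timedelta(minutes=min_ago), "ResultType": result, "CrossTenantAccessType": cta,
            "ResourceTenantId": "tenant-contoso", "HomeTenantId": home, "AppDisplayName": app,
            "ResourceDisplayName": app, "UserPrincipalName": "ops@msp.example", "IPAddress": "198.51.100.7",
            "DeviceDetail": {"operatingSystem": "Windows"}, "CorrelationId": f"sig-{min_ago}"}

SAMPLE_AUDIT = [   # constructed AuditLogs records
    _audit(10, "Add delegated permission grant", "success", [{"displayName": "Microsoft Graph"}]),
    _audit(20, "Add member to role", "success",      # B2B guest granted Global Administrator
           [{"userPrincipalName": "jane.doe_msp.example#EXT#@contoso.example"}, {"displayName": "Global Administrator"}]),
    _audit(30, "Add member to role", "success",      # internal account caught only by the '_' heuristic
           [{"userPrincipalName": "svc_backup@contoso.example"}, {"displayName": "Exchange Administrator"}]),
    _audit(40, "Add member to role", "failure",      # failed grant: ignored
           [{"userPrincipalName": "eve_x@contoso.example"}, {"displayName": "Global Administrator"}]),
    _audit(50, "Update user", "success", [{"displayName": "someone"}]),   # not a sensitive operation
    _audit(30 * 60, "Add delegated permission grant", "success", [{"displayName": "Microsoft Graph"}]),  # 30h old
]
SAMPLE_SIGNIN = [  # constructed SigninLogs records
    _signin(5, 0, "serviceProvider", "Office 365 Exchange Online"),      # provider reaching Exchange
    _signin(15, 50126, "b2bCollaboration", "Microsoft Teams"),           # failed sign-in
    _signin(25, 0, "none", "Microsoft Graph", home="tenant-contoso"),    # same-tenant access
    _signin(35, 0, "b2bCollaboration", "Contoso Payroll Portal"),        # not a privileged app
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_AUDIT, SAMPLE_SIGNIN, NOW):
        print(row["TimeGenerated"].isoformat(), row["EventCategory"], row["OperationName"], row["TargetName"])
```

Running it yields six rows from the ten sample records: three DelegatedAdminGrant rows, one CrossTenantPrivilegedAccess row, and two ExternalAccountPrivilegedRoleGrant rows, one of which is the internal svc_backup account matched purely by the underscore heuristic. If that overlap or the underscore breadth is unwanted in production, the corresponding KQL changes are to drop "Add member to role" from SensitiveOperations (Part 3 already covers it with a role filter) and to tighten the UPN test to the #EXT# marker.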
Data Sources
Required Tables
- AuditLogs
- SigninLogs
False Positives & Tuning
- Legitimate MSP or IT service provider onboarding — new partner relationships being established with proper change management approval will trigger delegated admin grant events
- Authorized Azure AD B2B guest user provisioning for vendors or contractors accessing collaboration tools like Teams or SharePoint
- Microsoft first-party service accounts (e.g., Microsoft Support, Intune Service Principal) appearing as cross-tenant sign-ins when performing tenant management actions
- Scheduled MSP maintenance windows where service provider accounts access privileged resources as part of contracted SLA obligations
- Security team adding an MSSP or MDR provider with Global Reader or Security Reader role for monitoring purposes
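One way to handle the benign classes listed above without weakening the query itself is a suppression layer over its output. The block below is an added example (not the page's own code) that applies such a layer to rows in the column set the query projects; the policy (approved change CorrelationIds, a contracted provider's maintenance window, approved B2B vendor domains) and all rows are constructed, and in practice the policy would be kept in a Sentinel watchlist. Each suppressed row keeps its reason so tuning decisions remain auditable.

```python
# Added example, not the page's own code: a suppression layer applied to rows in the
# shape the query projects, so each false-positive class listed above is dropped with a
# recorded reason rather than silently. Policy values, domains and rows are constructed.
from datetime import datetime, timezone

UTC = timezone.utc
POLICY = {
    # CorrelationIds tied to change tickets approved before the change was made
    "approved_changes": {"corr-change-0042"},
    # contracted provider domains and the windows in which privileged access is expected
    "maintenance_windows": [("msp.example", datetime(2024, 6, 1, 1, 0, tzinfo=UTC),
                             datetime(2024, 6, 1, 3, 0, tzinfo=UTC))],
    # vendor domains approved for B2B guest use of collaboration tools only
    "b2b_vendors": {"vendor.example"},
    "collaboration_apps": {"Microsoft Teams", "SharePoint Online"},
}

def _domain(upn):
    return upn.rsplit("@", 1)[-1].lower() if "@" in upn else ""

def suppression_reason(row, policy):
    """Return why the row is a known benign class, or None if it should stay an alert."""
    if row.get("CorrelationId") in policy["approved_changes"]:
        return "approved change ticket"            # covers planned MSP onboarding and role grants
    if row["EventCategory"] != "CrossTenantPrivilegedAccess":
        return None
    op, dom = row["OperationName"], _domain(row["InitiatorUPN"])
    if op.endswith("via microsoftSupport"):      # CrossTenantAccessType value for first-party support
        return "Microsoft first-party support access"
    for win_dom, start, end in policy["maintenance_windows"]:
        if dom == win_dom and start <= row["TimeGenerated"] <= end:
            return "contracted maintenance window"
    if (op.endswith("via b2bCollaboration") and dom in policy["b2b_vendors"]
            and row["InitiatorAppName"] in policy["collaboration_apps"]):
        return "approved vendor guest using collaboration app"
    return None

def tune(rows, policy):
    """Split rows into (kept, suppressed); suppressed entries are (row, reason) pairs."""
    kept, suppressed = [], []
    for row in rows:
        reason = suppression_reason(row, policy)
        if reason:
            suppressed.append((row, reason))
        else:
            kept.append(row)
    return kept, suppressed

def _r(cat, op, upn, app, when, cid="corr-x"):
    return {"TimeGenerated": when, "EventCategory": cat, "OperationName": op,
            "InitiatorUPN": upn, "InitiatorAppName": app, "CorrelationId": cid}

def _t(h, m=0):
    return datetime(2024, 6, 1, h, m, tzinfo=UTC)

SAMPLE_ROWS = [   # constructed detection output, one row per tuning case
    _r("DelegatedAdminGrant", "Add delegated permission grant", "admin@contoso.example", "", _t(9), "corr-change-0042"),
    _r("DelegatedAdminGrant", "Set partner information", "admin@contoso.example", "", _t(9, 30)),
    _r("CrossTenantPrivilegedAccess", "Cross-Tenant Sign-In via microsoftSupport",
       "support@microsoft.example", "Office 365 Exchange Online", _t(10)),
    _r("CrossTenantPrivilegedAccess", "Cross-Tenant Sign-In via serviceProvider",
       "ops@msp.example", "Office 365 Exchange Online", _t(2)),     # inside the 01:00-03:00 window
    _r("CrossTenantPrivilegedAccess", "Cross-Tenant Sign-In via serviceProvider",
       "ops@msp.example", "Office 365 Exchange Online", _t(14)),    # outside the window: keep
    _r("CrossTenantPrivilegedAccess", "Cross-Tenant Sign-In via b2bCollaboration",
       "pat@vendor.example", "Microsoft Teams", _t(11)),
    _r("CrossTenantPrivilegedAccess", "Cross-Tenant Sign-In via b2bCollaboration",
       "x@unknown.example", "Microsoft Teams", _t(11, 5)),          # unapproved domain: keep
    _r("ExternalAccountPrivilegedRoleGrant", "Role Grant: Global Administrator to external account",
       "admin@contoso.example", "", _t(12)),
]

if __name__ == "__main__":
    kept, suppressed = tune(SAMPLE_ROWS, POLICY)
    for row, reason in suppressed:
        print("suppressed:", row["OperationName"], "->", reason)
    for row in kept:
        print("alert:", row["OperationName"], row["InitiatorUPN"])
```

Of the eight constructed rows, four are suppressed and four remain alerts, including the provider sign-in outside its maintenance window and the guest sign-in from an unapproved domain. The change-ticket rule is also what covers the Global Reader / Security Reader case: those roles are not in SuspiciousRoles, so Part 3 is silent, but Part 1 matches every successful "Add member to role" regardless of role, so the MSSP onboarding still surfaces as a DelegatedAdminGrant row.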
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Simulate Delegated Admin Permission Grant via Azure AD PowerShell
Expected signal: Azure AD AuditLogs: OperationName 'Add delegated permission grant', Result 'success', InitiatedBy.user.userPrincipalName = executing account, TargetResources[0].displayName = 'Microsoft Graph'. Visible in Microsoft 365 compliance portal under Audit search with Activity = 'Add delegated permission grant'.
- Test 2: Assign Privileged Role to External Guest Account Simulating MSP Onboarding
Expected signal: Azure AD AuditLogs: OperationName 'Add member to role', Result 'success', TargetResources[1].displayName = 'Global Reader', TargetResources[0].userPrincipalName contains '#EXT#'. Also generates 'Invite external user' event. Both visible in AuditLogs table within 5-10 minutes.
- Test 3: Simulate MSP Network Logon from External IP Using Service Account
Expected signal: Windows Security Event ID 4624: LogonType=3 (Network), TargetUserName='svc_msp_test', SourceNetworkAddress=127.0.0.1. Security Event ID 4672 if the account has elevated privileges. Visible in Windows Event Viewer under Security log within seconds of execution.
- Test 4: Create New Service Principal and Grant API Permissions Simulating Post-Access Backdoor
Expected signal: Azure AD AuditLogs: OperationName 'Add application', Result 'success', TargetResources[0].displayName = 'df00tech-detection-test-app'. Followed by OperationName 'Update application' with ModifiedProperties showing RequiredResourceAccess including Mail.Read scope. Both events include InitiatedBy.user.userPrincipalName of the executing account.
References
- https://attack.mitre.org/techniques/T1199/
- https://us-cert.cisa.gov/APTs-Targeting-IT-Service-Provider-Customers
- https://support.microsoft.com/en-us/topic/partners-offer-delegated-administration-26530dc0-ebba-415b-86b1-b55bc06b073e
- https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/
- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
- https://www.secureworks.com/research/revil-sodinokibi-ransomware
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities
- https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1199/T1199.md