maester365
diff --git a/‎powershell/Maester.psd1‎
Lines changed: 2 additions & 0 deletions b/‎powershell/Maester.psd1‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎powershell/internal/xspm/Get-MtXspmUnifiedIdentityInfo.ps1‎
Lines changed: 47 additions & 9 deletions b/‎powershell/internal/xspm/Get-MtXspmUnifiedIdentityInfo.ps1‎
Lines changed: 47 additions & 9 deletions
diff --git a/‎powershell/public/xspm/Test-MtXspmEnabledPrivilegedUsersLinkedToDisabledIdentity.md‎
Lines changed: 7 additions & 0 deletions b/‎powershell/public/xspm/Test-MtXspmEnabledPrivilegedUsersLinkedToDisabledIdentity.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎powershell/public/xspm/Test-MtXspmEnabledPrivilegedUsersLinkedToDisabledIdentity.ps1‎
Lines changed: 81 additions & 0 deletions b/‎powershell/public/xspm/Test-MtXspmEnabledPrivilegedUsersLinkedToDisabledIdentity.ps1‎
Lines changed: 81 additions & 0 deletions
diff --git a/‎powershell/public/xspm/Test-MtXspmPrivilegedUsersLinkedToIdentity.md‎
Lines changed: 14 additions & 0 deletions b/‎powershell/public/xspm/Test-MtXspmPrivilegedUsersLinkedToIdentity.md‎
Lines changed: 14 additions & 0 deletions
@@ -169,6 +169,8 @@
     'Test-MtXspmAppRegWithPrivilegedUnusedPermissions',
     'Test-MtXspmExposedCredentialsForPrivilegedUsers',
     'Test-MtXspmHybridUsersWithAssignedEntraIdRoles',
+    'Test-MtXspmEnabledPrivilegedUsersLinkedToDisabledIdentity',
+    'Test-MtXspmPrivilegedUsersLinkedToIdentity',
     'Test-MtXspmPendingApprovalCriticalAssetManagement',
     'Test-MtOperationApprovalPolicies',
     'Test-MtDeviceRegistrationLocalAdminsGlobalAdmin',
 
@@ -112,14 +112,14 @@ function Get-MtXspmUnifiedIdentityInfo {
                 | where tolower(AccountDisplayName) contains tolower(ServicePrincipalName) and AccountObjectId contains tostring(ServicePrincipalObjectId)
                 | where Timestamp >ago(14d)
                 | summarize arg_max(Timestamp, *) by AccountObjectId
-                | project ServicePrincipalName = AccountDisplayName, ServicePrincipalId = AccountObjectId, CriticalityLevel
+                | extend AccountStatus = iff(IsAccountEnabled == true, 'Enabled', 'Disabled')
+                | project ServicePrincipalName = AccountDisplayName, ServicePrincipalId = AccountObjectId, CriticalityLevel, AccountStatus
             // Lookup for OAuth application details
             | lookup (
                 OAuthAppInfo
                     | where Timestamp >ago(30d)
                     | where tolower(AppName) contains tolower(ServicePrincipalName) and ServicePrincipalId contains tostring(ServicePrincipalObjectId)
-                    | extend OAuthAppInfoAppDisplayName = AppName
-                    | summarize arg_max(Timestamp, *) by ServicePrincipalId, OAuthAppInfoAppDisplayName
+                    | summarize arg_max(Timestamp, *) by ServicePrincipalId
             ) on ServicePrincipalId
             // Lookup for Graph API Classification
             | lookup (
@@ -270,10 +270,8 @@ function Get-MtXspmUnifiedIdentityInfo {
             ) on XspmGraphOAuthAppNodeId
             | extend CriticalityLevel = toint(parse_json(XspmCriticalAssetDetails)['criticalityLevel'])
             | project-away XspmGraphNodeId, XspmGraphNodeId1, ServicePrincipalId1, ServicePrincipalId2, XspmGraphNodeId1, XspmGraphNodeId2, TargetNodeId, XspmGraphOAuthAppNodeId, XspmGraphOAuthAppNodeId1
-            | extend ServicePrincipalName = coalesce(ServicePrincipalName, OAuthAppInfoAppDisplayName)
-            | extend ServicePrincipalName = coalesce(ServicePrincipalName, ServicePrincipalId)
             | sort by ServicePrincipalName asc
-            | project Timestamp, TimeGenerated, ServicePrincipalName, ServicePrincipalId, OAuthAppId, CriticalityLevel, AddedOnTime, LastModifiedTime, AppStatus, VerifiedPublisher, IsAdminConsented, AppOrigin, AppOwnerTenantId, ApiPermissions, AssignedAzureRoles, AssignedEntraRoles, AuthenticatedBy, OwnedBy
+            | project Timestamp, TimeGenerated, ServicePrincipalName, ServicePrincipalId, OAuthAppId, CriticalityLevel, AddedOnTime, LastModifiedTime, AppStatus, VerifiedPublisher, IsAdminConsented, AppOrigin, AppOwnerTenantId, ApiPermissions, AssignedAzureRoles, AssignedEntraRoles, AuthenticatedBy, OwnedBy, AccountStatus
             | extend Classification = case(
                 AssignedEntraRoles has 'ControlPlane' or ApiPermissions has 'ControlPlane', 'ControlPlane',
                 AssignedEntraRoles has 'ManagementPlane' or ApiPermissions has 'ManagementPlane', 'ManagementPlane',
@@ -289,7 +287,27 @@ function Get-MtXspmUnifiedIdentityInfo {
             | where Type == 'User'
             | where tolower(AccountDisplayName) contains tolower(ObjectName) and AccountObjectId contains tostring(ObjectId)
             | extend OnPremSynchronized = iff(isnotempty(OnPremObjectId), 'true', 'false')
-            | extend IsDeleted = iff(isnotempty(DeletedDateTime), 'true', 'false');
+            | extend IsDeleted = iff(isnotempty(DeletedDateTime), 'true', 'false')
+            | extend AccountStatus = iff(IsAccountEnabled == true, 'Enabled', 'Disabled')
+            // Enrichment to primary work account
+            | join kind=leftouter (
+                IdentityAccountInfo
+                | where SourceProvider == @'AzureActiveDirectory'
+                | where tolower(DisplayName) contains tolower(ObjectName) and SourceProviderAccountId contains tostring(ObjectId)
+                | summarize arg_max(TimeGenerated, *) by AccountId
+                | where IsPrimary == false
+                | project TimeGenerated, DisplayName, SourceProviderAccountId, IdentityId, IdentityLinkBy, IdentityLinkType, IsPrimary, AccountId
+                | join kind = leftouter (
+                    IdentityAccountInfo
+                        | where SourceProvider == @'AzureActiveDirectory'
+                        | summarize arg_max(TimeGenerated, *) by AccountId
+                        | where IsPrimary == true
+                        | project IdentityId, AccountObjectId = SourceProviderAccountId, AccountUpn, AccountStatus
+                ) on IdentityId
+                | extend AssociatedPrimaryAccount = bag_pack_columns(AccountObjectId, AccountUpn, AccountStatus, IdentityLinkType, IdentityId)
+                | project AccountObjectId = SourceProviderAccountId, AssociatedPrimaryAccount, PrimaryAccountObjectId = AccountObjectId
+            ) on AccountObjectId
+            | project-away AccountObjectId1;
             let AllWorkloads = Int_WorkloadIdentityInfoXdr(ServicePrincipalName=tolower(ObjectName),ServicePrincipalObjectId=tostring(ObjectId))
             | extend Type = 'Workload'
             | project-rename AccountObjectId = ServicePrincipalId, AccountDisplayName = ServicePrincipalName;
@@ -300,8 +318,28 @@ function Get-MtXspmUnifiedIdentityInfo {
             | summarize arg_max(TimeGenerated, *) by AccountObjectId
             | where Type == 'User'
             | where tolower(AccountDisplayName) contains tolower(ObjectName) and AccountObjectId contains tostring(ObjectId)
+            | extend AccountStatus = iff(IsAccountEnabled == true, 'Enabled', 'Disabled')
             | summarize arg_max(TimeGenerated, *) by AccountObjectId
             | join kind=anti (PrivilegedUsers | where TimeGenerated > ago(14d)) on AccountObjectId
+            // Enrichment to primary work account
+            | join kind=leftouter (
+                IdentityAccountInfo
+                | where SourceProvider == @'AzureActiveDirectory'
+                | where tolower(DisplayName) contains tolower(ObjectName) and SourceProviderAccountId contains tostring(ObjectId)
+                | summarize arg_max(TimeGenerated, *) by AccountId
+                | where IsPrimary == false
+                | project TimeGenerated, DisplayName, SourceProviderAccountId, IdentityId, IdentityLinkBy, IdentityLinkType, IsPrimary, AccountId
+                | join kind = leftouter (
+                    IdentityAccountInfo
+                        | where SourceProvider == @'AzureActiveDirectory'
+                        | summarize arg_max(TimeGenerated, *) by AccountId
+                        | where IsPrimary == true
+                        | project IdentityId, AccountObjectId = SourceProviderAccountId, AccountUpn, AccountStatus
+                ) on IdentityId
+                | extend AssociatedPrimaryAccount = bag_pack_columns(AccountObjectId, AccountUpn, IdentityLinkType, IdentityId, AccountStatus)
+                | project AccountObjectId = SourceProviderAccountId, AssociatedPrimaryAccount, PrimaryAccountObjectId = AccountObjectId
+            ) on AccountObjectId
+            | project-away AccountObjectId1
             | extend OnPremSynchronized = iff(isnotempty(OnPremObjectId), 'true', 'false')
             | extend IsDeleted = iff(isnotempty(DeletedDateTime), 'true', 'false')
             | project-away ReportId, AssignedRoles, PrivilegedEntraPimRoles;
@@ -322,9 +360,9 @@ function Get-MtXspmUnifiedIdentityInfo {
             | extend RuleName = tostring(CriticalityData)
             | extend ObjectId = iff(EntityType['type'] == 'AadObjectId', tolower(tostring(extract('objectid=([\\w-]+)', 1, tostring(parse_json(EntityIds)['id'])))), tolower(tostring(EntityType['id'])))
             | extend CriticalAssetDetail = bag_pack_columns(CriticalityLevel, RuleName)
-            | summarize CriticalAssetDetails = make_set_if(CriticalAssetDetail, tostring(CriticalAssetDetail) !contains '') by AccountObjectId = ObjectId
+            | summarize CriticalAssetDetails = make_set_if(CriticalAssetDetail, isnotempty(CriticalAssetDetail)) by AccountObjectId = ObjectId
             ) on AccountObjectId
-            | project-reorder AccountObjectId, AccountDisplayName, Type, CriticalityLevel, CriticalAssetDetails, Classification, AssignedAzureRoles, AssignedEntraRoles, ApiPermissions;
+            | project-reorder AccountObjectId, AccountDisplayName, AccountStatus, Type, CriticalityLevel, CriticalAssetDetails, Classification, AssignedAzureRoles, AssignedEntraRoles, ApiPermissions, AssociatedPrimaryAccount;
         };
         // Lookback feature is limited to user identities only
         UnifiedIdentityInfoXdr(ObjectName='',ObjectId='',LookbackTimestamp=datetime(now))
 
@@ -0,0 +1,7 @@
+Reviewing the enabled status of a privileged account when the linked user identity has been disabled is critical to prevent orphaned high‑risk access. If a normal work account is deactivated (for example, because the user left the organization) but the related privileged account remains enabled, an attacker or former employee could still use that privileged identity to access sensitive systems, change security settings, or exfiltrate data unnoticed. Regularly checking and aligning the status of privileged accounts with their primary identities helps enforce least privilege, reduces the attack surface, and ensures that privileges are revoked promptly when a user’s employment or role ends.
+
+### How to fix
+Review the results from this check and verify whether it is legitimate for the privileged user account to remain enabled when the associated primary work account has been disabled.
+
+<!--- Results --->
+%TestResult%
@@ -0,0 +1,81 @@
+<#
+.SYNOPSIS
+    Tests if enabled privileged users with assigned high privileged Entra ID roles or criticality level (<= 1) are linked to a disabled identity in Microsoft Defender XDR.
+
+.DESCRIPTION
+    This function checks if any enabled privileged users with assigned high privileged Entra ID roles or criticality level (<= 1) are linked to a disabled identity in Microsoft Defender XDR. Having enabled privileged users linked to disabled identities can pose a security risk, as it may indicate orphaned privileged accounts that could be exploited by attackers.
+
+.OUTPUTS
+    [bool] - Returns $true if no enabled privileged users are linked to disabled identities, otherwise returns $false.
+
+.EXAMPLE
+    Test-MtXspmEnabledPrivilegedUsersLinkedToDisabledIdentity
+
+.LINK
+    https://maester.dev/docs/commands/Test-MtXspmEnabledPrivilegedUsersLinkedToDisabledIdentity
+#>
+
+function Test-MtXspmEnabledPrivilegedUsersLinkedToDisabledIdentity {
+    [CmdletBinding()]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseSingularNouns', '', Justification = 'This test checks multiple users and roles.')]
+    [OutputType([bool])]
+    param()
+
+    $UnifiedIdentityInfoExecutable = Get-MtXspmUnifiedIdentityInfo -ValidateRequiredTablesOnly
+    if ( $UnifiedIdentityInfoExecutable -eq $false) {
+            Add-MtTestResultDetail -SkippedBecause 'Custom' -SkippedCustomReason 'This test requires availability of MDA App Governance and MDI to get data for Defender XDR Advanced Hunting tables. Check https://maester.dev/docs/tests/MT.1081/#Prerequisites for more information.'
+            return $null
+    }
+
+    try {
+        Write-Verbose "Get details from UnifiedIdentityInfo ..."
+        $UnifiedIdentityInfo = Get-MtXspmUnifiedIdentityInfo
+    } catch {
+        Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
+        return $null
+    }
+
+    $EnabledPrivUsersToDisabledAccounts = $UnifiedIdentityInfo `
+        | Where-Object {
+                $_.Type -eq "User" `
+                -and $_.AccountStatus -eq "Enabled" `
+                -and (($_.Classification -eq "ControlPlane" -or $_.Classification -eq "ManagementPlane") -or $_.CriticalityLevel -le 1) `
+                -and $_.AssociatedPrimaryAccount.AccountStatus -eq "Disabled" `
+            } `
+        | Sort-Object Classification, AccountDisplayName
+
+    $Severity = "Medium"
+
+    if ([string]::IsNullOrEmpty($EnabledPrivUsersToDisabledAccounts)) {
+        $testResultMarkdown = "Well done. No enabled privileged or critical users linked to disabled identity."
+    } else {
+        $testResultMarkdown = "At least one enabled critical or privileged user is linked to a disabled identity.`n`n%TestResult%"
+
+        $result = "| AccountName | Classification | CriticalityLevel | Linked Identity |`n"
+        $result += "| --- | --- | --- | --- |`n"
+
+        Write-Verbose "Found $($EnabledPrivUsersToDisabledAccounts.Count) enabled and privileged users linked to disabled identities in total."
+
+        foreach ($EnabledPrivUsersToDisabledAccount in $EnabledPrivUsersToDisabledAccounts) {
+            $filteredDirectoryRoles = $EnabledPrivUsersToDisabledAccount.AssignedEntraRoles | Where-Object { $_.Classification -eq "ControlPlane" -or $_.RoleIsPrivileged -eq $True} | Select-Object RoleDefinitionName, Classification
+            $UserSensitiveDirectoryRoles = $filteredDirectoryRoles | foreach-object { (Get-MtXspmPrivilegedClassificationIcon -AdminTierLevelName $_.Classification) + " " + $_.RoleDefinitionName }
+            $UserSensitiveDirectoryRolesResult = @()
+            $UserSensitiveDirectoryRoles | ForEach-Object {
+                $UserSensitiveDirectoryRolesResult += '`' + $_ + '`'
+            }
+            $AdminTierLevelIcon = Get-MtXspmPrivilegedClassificationIcon -AdminTierLevelName $EnabledPrivUsersToDisabledAccount.Classification
+            if ($EnabledPrivUsersToDisabledAccount.Classification -eq "ControlPlane") {
+                $Severity = "High"
+            }
+
+            $PrivilegedUserLink = "[$($EnabledPrivUsersToDisabledAccount.AccountDisplayName)](https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserProfileMenuBlade/~/overview/userId/$($EnabledPrivUsersToDisabledAccount.AccountObjectId))"
+            $PrimaryIdentityLink = "[$($EnabledPrivUsersToDisabledAccount.AssociatedPrimaryAccount.AccountUpn)](https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserProfileMenuBlade/~/overview/userId/$($EnabledPrivUsersToDisabledAccount.AssociatedPrimaryAccount.AccountObjectId))"
+            $result += "| $($AdminTierLevelIcon) $($PrivilegedUserLink) | $($EnabledPrivUsersToDisabledAccount.Classification) | $($EnabledPrivUsersToDisabledAccount.CriticalityLevel) | $($PrimaryIdentityLink) |`n"
+        }
+        $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $result
+    }
+    Add-MtTestResultDetail -Result $testResultMarkdown -Severity $Severity
+
+    $result = [string]::IsNullOrEmpty($EnabledPrivUsersToDisabledAccounts)
+    return $result
+}
@@ -0,0 +1,14 @@
+Linking a privileged user account to the primary work account in Microsoft Defender XDR makes it easier to detect, prioritize, and contain attacks that target highly sensitive identities. It also improves incident response because all relevant activity and risk signals are correlated to the real person behind both identities, reducing blind spots and investigation time.
+
+This use case is explicitly described in the Defender XDR documentation:
+A user might have two accounts, one for everyday work and another with elevated permissions for administrative tasks.
+Example
+
+john.smith@company.com (regular account)
+john.smith.admin@company.com (privileged account)
+
+### How to fix
+Review the accounts in the Identity inventory of Microsoft Defender portal and add a [manual link](https://learn.microsoft.com/en-us/defender-for-identity/link-unlink-account-to-identity) from the identity page of the (primary) user account to the privileged account.
+
+<!--- Results --->
+%TestResult%