Query Details

AD Provisioning Attribute Modification Report

Query

//This query tracks changes to AD provisioning attributes
//Compares Workday source data with On-Premises AD target data
AADProvisioningLogs
| where TimeGenerated > ago(30d)
| where array_length(todynamic(ModifiedProperties)) > 1
| extend SourceIdentity = parse_json(SourceIdentity)
| extend TargetIdentity = parse_json(TargetIdentity)
| extend SourceSystem = parse_json(SourceSystem)
| extend TargetSystem = parse_json(TargetSystem)
| extend EmployeeId = tostring(SourceIdentity.Id)
| extend TargetID = tostring(TargetIdentity.Id)
| where SourceSystem.Name == 'Workday'
| where TargetSystem.Name == 'On Premises Active Directory'
| mv-apply mp = parse_json(ModifiedProperties) on
(
    where mp.newValue != ''
    | extend NewValue = tostring(mp.newValue)
    | extend Attribute = tostring(mp.displayName)
    //Previous value is read from the details of the third provisioning step (index 2)
    | extend OldValue = tostring(parse_json(ProvisioningSteps)[2]["details"][Attribute])
    | where OldValue != ''
    | where NewValue != OldValue
)
| project EmployeeId, Attribute, OldValue, NewValue, TargetID
| order by EmployeeId, Attribute 

Explanation

This query is designed to track changes in Active Directory (AD) provisioning attributes by comparing data from Workday (a human resources system) with data from an on-premises Active Directory system. Here's a simplified breakdown of what the query does:

  1. Data Source: It looks at logs from Azure Active Directory (AAD) provisioning over the past 30 days.

  2. Filter Changes: It filters for records where more than one attribute has been modified.

  3. Extract Information: It extracts and parses JSON data to get details about the source and target systems, specifically focusing on Workday as the source and On-Premises Active Directory as the target.

  4. Identify Changes: For each modified property, it looks up the old value in the details of the third provisioning step (index 2), checks that the new value differs from it, and ensures that both values are not empty.

  5. Output: It lists the employee ID, the attribute that changed, the old value, the new value, and the target ID, ordering the results by employee ID and attribute name.

In essence, this query helps identify discrepancies or updates in employee data between Workday and an on-premises AD system, focusing on attributes that have changed.
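
The same comparison run against constructed rows, as an added example that is not part of the original query or the author's code. The `SampleLogs` table, all of its values, and the `PriorValues` and `ChangeType` columns are assumptions made for illustration. It goes one step beyond the query above by labelling attributes populated for the first time instead of filtering them out, and it tolerates a record whose third provisioning step is missing.

```kql
// Added example: every row below is constructed sample data, not tenant logs.
// Column shapes follow what the page's query reads from AADProvisioningLogs.
// Row 1 (E1001): department changes, title is unchanged, mobile has no prior value.
// Row 2 (E1002): a single modified property, so the array_length filter drops it.
let SampleLogs = datatable(SourceIdentity:string, TargetIdentity:string,
    SourceSystem:string, TargetSystem:string,
    ModifiedProperties:string, ProvisioningSteps:string)
[
    '{"Id":"E1001"}', '{"Id":"target-0001"}',
    '{"Name":"Workday"}', '{"Name":"On Premises Active Directory"}',
    '[{"displayName":"department","newValue":"Finance"},{"displayName":"title","newValue":"Analyst"},{"displayName":"mobile","newValue":"555-0100"}]',
    '[{"details":{}},{"details":{}},{"details":{"department":"Sales","title":"Analyst"}}]',
    '{"Id":"E1002"}', '{"Id":"target-0002"}',
    '{"Name":"Workday"}', '{"Name":"On Premises Active Directory"}',
    '[{"displayName":"manager","newValue":"E0007"}]',
    '[{"details":{}},{"details":{}},{"details":{"manager":"E0003"}}]'
];
SampleLogs
| where array_length(todynamic(ModifiedProperties)) > 1
| extend EmployeeId = tostring(parse_json(SourceIdentity).Id)
| extend TargetID = tostring(parse_json(TargetIdentity).Id)
| where tostring(parse_json(SourceSystem).Name) == 'Workday'
| where tostring(parse_json(TargetSystem).Name) == 'On Premises Active Directory'
// Null when the record has fewer than three steps; tostring() below turns that into ''
| extend PriorValues = parse_json(ProvisioningSteps)[2].details
| mv-apply mp = parse_json(ModifiedProperties) on
(
    extend Attribute = tostring(mp.displayName), NewValue = tostring(mp.newValue)
    | where isnotempty(NewValue)
    | extend OldValue = tostring(PriorValues[Attribute])
    | where NewValue != OldValue
    // Keep first-time population visible instead of dropping it
    | extend ChangeType = iff(isempty(OldValue), 'NewlySet', 'Changed')
)
| project EmployeeId, Attribute, OldValue, NewValue, ChangeType, TargetID
| order by EmployeeId asc, Attribute asc
```

To apply this to live data, replace `SampleLogs` with `AADProvisioningLogs` and restore the `TimeGenerated > ago(30d)` filter from the original query.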

Details

Suryendu Bhattacharyya

Released: November 10, 2024

Tables

AADProvisioningLogs

Keywords

AADProvisioningLogs, ActiveDirectory, Workday, EmployeeId, Attribute, TargetID

Operators

AADProvisioningLogs, |, where, >, ago(), array_length(), todynamic(), >, extend, parse_json(), tostring(), ==, mv-apply, on, !=, project, order by