MicrosoftGraphActivityLogs App Enrichment AADNonInteractiveUserSignInLogs Based
App Enrichment AAD Non Interactive User Sign In Logs
Query
let ApplicationName = AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated, *) by ResourceIdentity
| project-rename ApplicationName = ResourceDisplayName
| distinct ApplicationName, ResourceIdentity;
MicrosoftGraphActivityLogs
// Your filter here
| lookup kind=leftouter ApplicationName on $left.AppId == $right.ResourceIdentity
| project-reorder AppId, ApplicationNameAbout this query
MicrosoftGraphActivityLogs App Enrichment AADNonInteractiveUserSignInLogs Based
Query Information
Description
This query enriches the MicrosoftGraphActivityLogs with Application information from the AADNonInteractiveUserSignInLogs table to get more context in the results.
This query does have a limitation, a user must have signed in to the application to show up in the logs. An alternative KQL query is available that leverages the externaldata operator to solve this issue: App Enrichment ExternalData
References
- https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview#what-data-is-available-in-the-microsoft-graph-activity-logs
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadnoninteractiveusersigninlogs
Sentinel
Explanation
This query is designed to enhance the information available in the Microsoft Graph Activity Logs by adding application details from another data source, specifically the AAD Non-Interactive User Sign-In Logs. Here's a simple breakdown of what the query does:
-
Extract Application Information:
- It first looks at the AAD Non-Interactive User Sign-In Logs from the past 30 days.
- It identifies the most recent log entry for each application (using
arg_maxto get the latest entry based onTimeGenerated). - It then extracts and renames the application's display name to
ApplicationNameand ensures each application is listed only once (usingdistinct).
-
Enrich Activity Logs:
- The query then takes the Microsoft Graph Activity Logs and attempts to match each log entry with the application information extracted earlier.
- This is done using a
lookupoperation, which joins the logs with the application data based on a matching application ID (AppIdin the activity logs andResourceIdentityin the sign-in logs).
-
Reorder Columns:
- Finally, it rearranges the columns to display the application ID and name prominently at the beginning of the results.
Limitation: The query only includes applications that have had user sign-ins, meaning if an application hasn't been used in the past 30 days, it won't appear in the enriched logs.
Alternative: There's a mention of an alternative query that uses the externaldata operator to overcome this limitation, which might be useful if you need to include applications without recent sign-ins.
This query is useful for gaining more context about the applications involved in the activities logged by Microsoft Graph, helping in better analysis and monitoring.
Details

Bert-Jan Pals
Released: August 14, 2025
Tables
Keywords
Operators