Query Details

Audit B2B Guest Devices Trust Type

Query

//Shoutout johannesblog.com for the idea
SigninLogs
//| where AppDisplayName =~ "Microsoft Teams"
| extend TrustType = tostring(DeviceDetail.trustType)
| where CrossTenantAccessType == @"b2bCollaboration"
| where AADTenantId != HomeTenantId //exclude B2b outbound
| where UserType == "Guest"
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, TrustType,
          DeviceId = tostring(DeviceDetail.deviceId),
          DeviceName = tostring(DeviceDetail.displayName),
          OperatingSystem = tostring(DeviceDetail.operatingSystem),
          Browser = tostring(DeviceDetail.browser),
          ConditionalAccessStatus, ResultType, ResultDescription
| order by TimeGenerated desc

Explanation

This KQL (Kusto Query Language) query is designed to analyze sign-in logs, specifically focusing on guest users accessing resources through cross-tenant collaboration. Here's a simplified breakdown of what the query does:

  1. Data Source: It starts by querying the SigninLogs table, which contains records of user sign-ins.

  2. Extend TrustType: It creates a new column called TrustType by converting the trustType field from the DeviceDetail object into a string.

  3. Filter for Cross-Tenant Collaboration: It filters the logs to include only those sign-ins that are part of "b2bCollaboration" (business-to-business collaboration).

  4. Exclude B2B Outbound: It excludes records where the AADTenantId (Azure Active Directory Tenant ID) is the same as the HomeTenantId, focusing on inbound guest access rather than outbound.

  5. Filter for Guest Users: It further filters the logs to include only those sign-ins where the UserType is "Guest".

  6. Select Specific Columns: It selects specific columns to display in the results, including:

    • TimeGenerated: The timestamp of the sign-in event.
    • UserPrincipalName: The user's principal name (often their email).
    • AppDisplayName: The name of the application accessed.
    • IPAddress: The IP address from which the sign-in occurred.
    • TrustType: The trust type of the device.
    • DeviceId: The ID of the device used for sign-in.
    • DeviceName: The name of the device.
    • OperatingSystem: The operating system of the device.
    • Browser: The browser used for sign-in.
    • ConditionalAccessStatus: The status of any conditional access policies applied.
    • ResultType: The result type of the sign-in attempt.
    • ResultDescription: A description of the sign-in result.

  7. Order by Time: Finally, it orders the results by the TimeGenerated column in descending order, showing the most recent sign-ins first.

Overall, this query is useful for monitoring and analyzing guest user sign-ins from other tenants, focusing on cross-tenant collaboration scenarios.
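To check the same filter and projection logic without a Log Analytics workspace, here is an added Python replica of the query (not part of the original page or query) that runs over SigninLogs records exported as JSON; every record, tenant id, UPN and device detail below is a constructed placeholder.

```python
import json

def _dyn(record: dict, path: str) -> str:
    """Read a dotted dynamic path; like tostring(), a missing value becomes ""."""
    value = record
    for key in path.split("."):
        value = value.get(key) if isinstance(value, dict) else None
    return "" if value is None else str(value)

def audit_b2b_guest_devices(signin_logs_json: str) -> list[dict]:
    """Apply the query's where / project / order by steps to exported SigninLogs."""
    rows = []
    for r in json.loads(signin_logs_json):
        if r.get("CrossTenantAccessType") != "b2bCollaboration":
            continue
        if r.get("AADTenantId", "") == r.get("HomeTenantId", ""):  # exclude B2B outbound
            continue
        if r.get("UserType") != "Guest":
            continue
        rows.append({
            "TimeGenerated": r.get("TimeGenerated"), "UserPrincipalName": r.get("UserPrincipalName"),
            "AppDisplayName": r.get("AppDisplayName"), "IPAddress": r.get("IPAddress"),
            "TrustType": _dyn(r, "DeviceDetail.trustType"), "DeviceId": _dyn(r, "DeviceDetail.deviceId"),
            "DeviceName": _dyn(r, "DeviceDetail.displayName"),
            "OperatingSystem": _dyn(r, "DeviceDetail.operatingSystem"),
            "Browser": _dyn(r, "DeviceDetail.browser"),
            "ConditionalAccessStatus": r.get("ConditionalAccessStatus"),
            "ResultType": r.get("ResultType"), "ResultDescription": r.get("ResultDescription"),
        })
    # order by TimeGenerated desc; ISO-8601 UTC timestamps sort correctly as strings
    return sorted(rows, key=lambda row: row["TimeGenerated"], reverse=True)

def _rec(ts, upn, aad, home, utype, device=None):
    """Build one constructed SigninLogs record (sample data, not real telemetry)."""
    return {"TimeGenerated": ts, "UserPrincipalName": upn, "AppDisplayName": "Microsoft Teams",
            "IPAddress": "203.0.113.10", "CrossTenantAccessType": "b2bCollaboration",
            "AADTenantId": aad, "HomeTenantId": home, "UserType": utype, "DeviceDetail": device or {},
            "ConditionalAccessStatus": "success", "ResultType": "0", "ResultDescription": ""}

# Constructed sample export: tenant ids, UPNs and device details are placeholders.
SAMPLE_SIGNIN_LOGS = json.dumps([
    _rec("2024-03-01T09:15:00Z", "alice_partner.example#EXT#@contoso.example", "tenant-contoso",
         "tenant-partner", "Guest", {"deviceId": "dev-001", "displayName": "PARTNER-LAPTOP",
         "operatingSystem": "Windows 11", "browser": "Edge 122", "trustType": "Azure AD registered"}),
    _rec("2024-03-01T10:00:00Z", "bob_partner.example#EXT#@contoso.example", "tenant-contoso",
         "tenant-partner", "Guest"),  # no DeviceDetail: TrustType and device columns become ""
    _rec("2024-03-01T11:30:00Z", "carol@contoso.example", "tenant-contoso",
         "tenant-contoso", "Guest"),  # AADTenantId == HomeTenantId: outbound, excluded
    _rec("2024-03-01T12:00:00Z", "dave@contoso.example", "tenant-contoso",
         "tenant-partner", "Member"),  # not a guest, excluded
])
```

Guest sign-ins that carry no DeviceDetail surface with an empty TrustType, which is exactly the unmanaged-device case this audit is meant to expose.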

Details


Jay Kerai

Released: May 1, 2026

Tables

SigninLogs

Keywords

SigninLogs, Device, User, AppDisplayName, IPAddress, TrustType, DeviceId, DeviceName, OperatingSystem, Browser, ConditionalAccessStatus, ResultType, ResultDescription

Operators

extend, tostring, where, !=, ==, =~, project, order by, desc
