Query Details

Audit Allowed Blocked Domain List Changes

Query

//Detect when a domain is added to or removed from either the allow or block list in Azure AD external identities

//Data connector required for this query - Azure Active Directory - Audit Logs

AuditLogs
| where OperationName == "Update policy"
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| mv-expand TargetResources
| extend modifiedProperties = parse_json(TargetResources).modifiedProperties
| mv-expand modifiedProperties
| extend newValue = parse_json(modifiedProperties).newValue
| mv-expand todynamic(newValue)
| where newValue has "InvitationsAllowedAndBlockedDomainsPolicy"
| project TimeGenerated, OperationName, Actor, ['New Domain Policy']=newValue

Explanation

This query detects when a domain is added to or removed from the allow or block list in Azure AD external identities. It requires the Azure Active Directory - Audit Logs data connector. The query filters for "Update policy" operations and records the initiating user as Actor, expands the TargetResources array, extracts and expands each entry's modifiedProperties, and extracts the newValue field of each modified property. It then keeps only newValue entries that contain "InvitationsAllowedAndBlockedDomainsPolicy" and projects the TimeGenerated, OperationName, Actor, and New Domain Policy columns.
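The same pipeline expressed outside of KQL, as an added example that is not part of the original page or of Matt Zorich's query: it walks one constructed AuditLogs-style row the way the query does (TargetResources, then modifiedProperties, then newValue) and, unlike the query, also decodes oldValue so that the added and removed domains can be listed rather than only the whole new policy. The row itself, the actor UPN, the domain names and the exact nesting of the policy inside newValue (a JSON-encoded string holding a B2BManagementPolicy object) are assumptions for illustration, not values from a real tenant; the decoder tolerates one or more layers of string encoding so the shape does not have to match exactly.

```python
import json

POLICY_KEY = "InvitationsAllowedAndBlockedDomainsPolicy"

# Constructed sample row; the nesting is assumed from the KQL on the page, not from a real tenant.
SAMPLE_AUDIT_ROW = {
    "TimeGenerated": "2022-06-17T10:15:00Z",
    "OperationName": "Update policy",
    "InitiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
    "TargetResources": [
        {
            "displayName": "B2BManagementPolicy",
            "modifiedProperties": [
                {   # a property the query should ignore: no domain policy inside
                    "displayName": "Included Updated Properties",
                    "oldValue": None,
                    "newValue": '"PolicyDetail"',
                },
                {   # the property the query matches on
                    "displayName": "PolicyDetail",
                    "oldValue": json.dumps({"B2BManagementPolicy": {POLICY_KEY: {
                        "AllowedDomains": ["partner.example"],
                        "BlockedDomains": []}}}),
                    "newValue": json.dumps({"B2BManagementPolicy": {POLICY_KEY: {
                        "AllowedDomains": ["partner.example", "newvendor.example"],
                        "BlockedDomains": ["blocked.example"]}}}),
                },
            ],
        }
    ],
}


def decode_nested_json(value):
    """Decode a value that may be JSON encoded as a string one or more times.
    Audit log property values are often strings holding JSON; lists are decoded element-wise."""
    for _ in range(3):
        if not isinstance(value, str):
            break
        try:
            value = json.loads(value)
        except ValueError:
            return value  # plain string, not JSON
    if isinstance(value, list):
        return [decode_nested_json(v) for v in value]
    return value


def find_policy(obj):
    """Return the InvitationsAllowedAndBlockedDomainsPolicy object wherever it sits in the tree
    (mirrors the query's `has` check, which does not depend on exact nesting)."""
    if isinstance(obj, dict):
        if POLICY_KEY in obj:
            return obj[POLICY_KEY]
        for v in obj.values():
            found = find_policy(v)
            if found is not None:
                return found
    elif isinstance(obj, list):
        for v in obj:
            found = find_policy(v)
            if found is not None:
                return found
    return None


def domain_policy_changes(row):
    """Mirror the KQL pipeline over one audit row and return one event per modified property
    that touches the domain allow/block policy, with the added/removed domains computed."""
    if row.get("OperationName") != "Update policy":
        return []
    actor = row.get("InitiatedBy", {}).get("user", {}).get("userPrincipalName")
    events = []
    for target in row.get("TargetResources", []):              # mv-expand TargetResources
        for prop in target.get("modifiedProperties", []):      # mv-expand modifiedProperties
            new_policy = find_policy(decode_nested_json(prop.get("newValue")))
            if new_policy is None:                             # where newValue has POLICY_KEY
                continue
            old_policy = find_policy(decode_nested_json(prop.get("oldValue"))) or {}
            old_allowed = set(old_policy.get("AllowedDomains") or [])
            new_allowed = set(new_policy.get("AllowedDomains") or [])
            old_blocked = set(old_policy.get("BlockedDomains") or [])
            new_blocked = set(new_policy.get("BlockedDomains") or [])
            events.append({
                "TimeGenerated": row.get("TimeGenerated"),
                "OperationName": row["OperationName"],
                "Actor": actor,
                "AllowedAdded": sorted(new_allowed - old_allowed),
                "AllowedRemoved": sorted(old_allowed - new_allowed),
                "BlockedAdded": sorted(new_blocked - old_blocked),
                "BlockedRemoved": sorted(old_blocked - new_blocked),
                "NewDomainPolicy": new_policy,                 # what the KQL projects
            })
    return events


if __name__ == "__main__":
    for event in domain_policy_changes(SAMPLE_AUDIT_ROW):
        print(json.dumps(event, indent=2))
```

Running the block prints a single event for the constructed row, attributed to the actor, listing `newvendor.example` as newly allowed and `blocked.example` as newly blocked; the first modified property is skipped because no domain policy is found inside it, which is the same filtering the `where newValue has` clause performs in the query.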

Details

Matt Zorich

Released: June 17, 2022

Tables

AuditLogs

Keywords

Devices,Intune,User,AzureAD,AuditLogs

Operators

where,extend,mv-expand,parse_json,tostring,project