Query Details

Audit Users Added to Dynamic Groups

Query

//Summarize all groups that have had users added to them via dynamic rules

//Data connector required for this query - Azure Active Directory - Audit Logs

AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName == "Add member to group"
| where Identity == "Microsoft Approval Management"
| where TargetResources[0].type == "User"
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| extend User = tostring(TargetResources[0].userPrincipalName)
| summarize ['Count of Users Added']=dcount(User), ['List of Users Added']=make_set(User) by GroupName
| sort by GroupName asc  

Explanation

This query summarizes all groups that have had users added to them via dynamic rules in the Azure Active Directory Audit Logs. It filters the logs for the past 1 day and looks for the "Add member to group" operation performed by "Microsoft Approval Management". It then extracts the group name and user principal name of the added user. Finally, it calculates the count of users added and creates a list of the added users for each group, sorted by group name.
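The same logic run over inline rows, as an added example that is not part of the original query or the author's code. It goes one step beyond the query above by locating the group name through its property name rather than position `[1]`. Assumptions: the table name `SampleAuditLogs`, the users, group names and the manual-add `Identity` value are constructed, the group name property is assumed to be labelled `Group.DisplayName`, and the time filter is omitted because the sample rows carry no timestamps.

```kql
// Constructed sample rows shaped like AuditLogs records (not real tenant data).
// TargetResources is carried as a JSON string and parsed afterwards, because
// datatable only accepts literal values.
// Rows 1-3: members added by dynamic rules. Row 4: a manual add by an admin,
// which the Identity filter is expected to exclude.
let SampleAuditLogs = datatable(OperationName:string, Identity:string, TargetResourcesJson:string)
[
    "Add member to group", "Microsoft Approval Management",
    @'[{"type":"User","userPrincipalName":"alice@contoso.example","modifiedProperties":[{"displayName":"Group.ObjectID","newValue":"\"11111111-1111-1111-1111-111111111111\""},{"displayName":"Group.DisplayName","newValue":"\"Sales-Dynamic\""}]}]',
    "Add member to group", "Microsoft Approval Management",
    @'[{"type":"User","userPrincipalName":"bob@contoso.example","modifiedProperties":[{"displayName":"Group.ObjectID","newValue":"\"11111111-1111-1111-1111-111111111111\""},{"displayName":"Group.DisplayName","newValue":"\"Sales-Dynamic\""}]}]',
    "Add member to group", "Microsoft Approval Management",
    @'[{"type":"User","userPrincipalName":"carol@contoso.example","modifiedProperties":[{"displayName":"Group.ObjectID","newValue":"\"22222222-2222-2222-2222-222222222222\""},{"displayName":"Group.DisplayName","newValue":"\"HR-Dynamic\""}]}]',
    "Add member to group", "Example Admin",
    @'[{"type":"User","userPrincipalName":"dave@contoso.example","modifiedProperties":[{"displayName":"Group.ObjectID","newValue":"\"33333333-3333-3333-3333-333333333333\""},{"displayName":"Group.DisplayName","newValue":"\"Helpdesk-Assigned\""}]}]'
]
| extend TargetResources = parse_json(TargetResourcesJson);
SampleAuditLogs
| where OperationName == "Add member to group"
| where Identity == "Microsoft Approval Management"
| where TargetResources[0].type == "User"
| extend User = tostring(TargetResources[0].userPrincipalName)
// Find the group name by property name instead of relying on array position
| mv-apply Prop = TargetResources[0].modifiedProperties on (
    where tostring(Prop.displayName) == "Group.DisplayName"
    // newValue is itself a JSON-encoded string (quotes included), so decode it once more
    | extend GroupName = tostring(parse_json(tostring(Prop.newValue)))
  )
| summarize ['Count of Users Added']=dcount(User), ['List of Users Added']=make_set(User) by GroupName
| sort by GroupName asc
```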

Details

Matt Zorich

Released: June 17, 2022

Tables

AuditLogs

Keywords

Groups,Users,DynamicRules

Operators

where, ago, ==, extend, summarize, dcount, make_set, by, sort
