Query Details
AuditLogs
| where Category in ("CrossTenantAccessSettings", "CrossTenantIdentitySyncSettings", "MultiTenantOrgTenant", "MultiTenantOrgIdentitySyncPolicyTemplate", "MultiTenantOrgPartnerConfigurationTemplate")
    or OperationName has_any ("cross-tenant", "MultiTenantOrg", "multi tenant org")
| extend
    Initiator = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["displayName"]), tostring(InitiatedBy["user"]["userPrincipalName"])),
    InitiatorId = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["servicePrincipalId"]), tostring(InitiatedBy["user"]["id"])),
    IPAddress = tostring(InitiatedBy[tostring(bag_keys(InitiatedBy)[0])]["ipAddress"])
| mv-expand TargetResource = iff(array_length(TargetResources) == 0, dynamic([""]), TargetResources)
| mv-apply modifiedProperty = TargetResource["modifiedProperties"] on (
    summarize NewValues = make_bag(
        bag_pack(tostring(modifiedProperty["displayName"]), trim(@'[\"\s]+', tostring(modifiedProperty["newValue"]))))
    )
| extend
    PartnerIdentifier = tostring(NewValues["PartnerIdentifier"]),
    PartnerPolicyType = tostring(NewValues["PartnerPolicyType"]),
    PartnerPolicyDetail = tostring(NewValues["PartnerPolicyDetail"]),
    PartnerPolicyDetailVersion = tostring(NewValues["PartnerPolicyDetailVersion"]),
    MultiTenantOrgAddedByTenantId = tostring(NewValues["MultiTenantOrgAddedByTenantId"])
| project
    TimeGenerated,
    LoggedByService,
    Category,
    AADOperationType,
    Initiator,
    IPAddress,
    OperationName,
    Result,
    ResultDescription,
    PartnerIdentifier,
    PartnerPolicyType,
    PartnerPolicyDetail,
    PartnerPolicyDetailVersion,
    MultiTenantOrgAddedByTenantId,
    NewValues,
    AdditionalDetails,
    Identity,
    InitiatorId,
    InitiatedBy,
    TargetResources,
    CorrelationId
This query analyzes Entra ID audit logs for changes to cross-tenant access and multi-tenant organization settings. Step by step, it does the following:
Filter Logs: It keeps only AuditLogs rows whose Category is one of the cross-tenant or multi-tenant organization categories, or whose OperationName mentions "cross-tenant" or a multi-tenant org.
Extract Initiator Information: It determines who initiated the operation. If the InitiatedBy bag contains an app, the app's display name and service principal ID are used; otherwise the user's principal name and object ID are used.
Capture IP Address: The IP address is read from whichever InitiatedBy entry is present (app or user) by looking up the first key of the bag.
Expand Target Resources: Each entry of TargetResources becomes its own row. If the event has no target resources at all, a single placeholder row is emitted so the event is not dropped.
Summarize Modified Properties: For each target resource, the modifiedProperties array is collapsed into one NewValues bag keyed by property display name. Because newValue is stored as a JSON-encoded string, surrounding quotes and whitespace are trimmed so the values are usable as plain strings.
Extend with Additional Information: Partner and multi-tenant organization attributes (PartnerIdentifier, PartnerPolicyType, PartnerPolicyDetail, PartnerPolicyDetailVersion and MultiTenantOrgAddedByTenantId) are pulled out of NewValues into their own columns.
Project Relevant Fields: Finally, it selects the columns to display: the event time, the logging service, operation and result details, the partner and policy attributes above, and supporting context such as AdditionalDetails, the raw InitiatedBy and TargetResources bags, and CorrelationId.
Overall, the query is used to monitor changes to cross-tenant and multi-tenant configurations, showing who made each change, from which address, which partner tenant or policy was affected, and what the new values are.
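The same flattening the query performs (initiator selection, IP lookup via the first InitiatedBy key, and the quote-trimming make_bag over modifiedProperties) can be checked offline against an exported audit record. The following is an added example and not part of the original query or its author's work; the audit row and all its values are constructed for illustration, and the field names follow the AuditLogs columns the query reads.

```python
import re

# Constructed sample AuditLogs row (values are made up) shaped like the
# columns the KQL reads: InitiatedBy and TargetResources as parsed JSON.
SAMPLE_ROW = {
    "OperationName": "Update a partner cross-tenant access setting",
    "Category": "CrossTenantAccessSettings",
    "InitiatedBy": {
        "user": {
            "id": "11111111-2222-3333-4444-555555555555",
            "userPrincipalName": "admin@contoso.example",
            "ipAddress": "203.0.113.10",
        }
    },
    "TargetResources": [{
        "modifiedProperties": [
            # AuditLogs serialises newValue as a JSON string, so the value
            # arrives wrapped in an extra pair of quotes; trim removes them.
            {"displayName": "PartnerIdentifier", "oldValue": None,
             "newValue": '"99999999-8888-7777-6666-555555555555"'},
            {"displayName": "PartnerPolicyType", "oldValue": '"ExampleOldType"',
             "newValue": ' "ExamplePolicyType" '},
        ]
    }],
}

_TRIM = re.compile(r'^[\"\s]+|[\"\s]+$')  # same set as trim(@'[\"\s]+', ...)

def initiator(row):
    """App wins over user, mirroring the iif(isnotempty(InitiatedBy["app"]), ...)."""
    by = row.get("InitiatedBy") or {}
    if by.get("app"):
        return by["app"].get("displayName"), by["app"].get("servicePrincipalId")
    user = by.get("user") or {}
    return user.get("userPrincipalName"), user.get("id")

def ip_address(row):
    """IP from whichever InitiatedBy entry exists: bag_keys(InitiatedBy)[0]."""
    by = row.get("InitiatedBy") or {}
    first = next(iter(by), None)
    return (by.get(first) or {}).get("ipAddress") if first else None

def new_values(target):
    """make_bag(bag_pack(displayName, trim(newValue))) over modifiedProperties."""
    return {p["displayName"]: _TRIM.sub("", str(p.get("newValue") or ""))
            for p in target.get("modifiedProperties") or []}

def flatten(row):
    """One output row per target resource; a placeholder row when there are none."""
    name, ident = initiator(row)
    rows = []
    for target in row.get("TargetResources") or [{}]:  # mimics mv-expand fallback
        nv = new_values(target)
        rows.append({"Initiator": name, "InitiatorId": ident, "IPAddress": ip_address(row),
                     "PartnerIdentifier": nv.get("PartnerIdentifier", ""),
                     "PartnerPolicyType": nv.get("PartnerPolicyType", ""), "NewValues": nv})
    return rows
```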

Jose Sebastián Canós
Released: April 23, 2025