Audit Logs Entra ID B2C Settings Modified
Query
AuditLogs
| where LoggedByService == "B2C" and OperationName has_any ("B2C", "CIAM", "Guest Usages") and OperationName has_any ("Create", "Update", "Delete")
| extend
Initiator = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["displayName"]), tostring(InitiatedBy["user"]["userPrincipalName"])),
InitiatorId = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["servicePrincipalId"]), tostring(InitiatedBy["user"]["id"])),
IPAddress = tostring(InitiatedBy[tostring(bag_keys(InitiatedBy)[0])]["ipAddress"])
| project
TimeGenerated,
LoggedByService,
Category,
AADOperationType,
Initiator,
IPAddress,
OperationName,
Result,
ResultDescription,
AdditionalDetails,
InitiatorId,
InitiatedBy,
TargetResources,
CorrelationIdExplanation
This KQL (Kusto Query Language) query is designed to filter and display specific audit log entries related to operations performed by the B2C service. Here's a simple breakdown of what the query does:
-
Data Source: It starts by looking at the
AuditLogstable. -
Filtering Criteria:
- It selects logs where the
LoggedByServiceis "B2C". - It further filters these logs to include only those operations whose
OperationNamecontains any of the terms "B2C", "CIAM", or "Guest Usages". - Additionally, it ensures that the
OperationNamealso includes any of the actions "Create", "Update", or "Delete".
- It selects logs where the
-
Data Transformation:
- It extracts and creates new fields:
Initiator: Determines who initiated the operation, either an app's display name or a user's principal name.InitiatorId: Retrieves the ID of the initiator, either a service principal ID for apps or a user ID.IPAddress: Extracts the IP address from which the operation was initiated.
- It extracts and creates new fields:
-
Data Projection:
- It selects and displays a set of columns from the filtered and transformed data:
TimeGenerated: The timestamp of when the log entry was created.LoggedByService: The service that logged the entry.Category,AADOperationType: Additional classification details of the operation.Initiator,IPAddress: The initiator's name and IP address.OperationName: The name of the operation performed.Result,ResultDescription: The outcome of the operation and a description of the result.AdditionalDetails: Any extra information related to the operation.InitiatorId,InitiatedBy: IDs and details of the initiator.TargetResources: The resources targeted by the operation.CorrelationId: A unique identifier for correlating related log entries.
- It selects and displays a set of columns from the filtered and transformed data:
In summary, this query is used to extract and display detailed information about specific B2C-related operations (create, update, delete) from audit logs, including who initiated them and from where.
Details

Jose Sebastián Canós
Released: June 23, 2025
Tables
AuditLogs
Keywords
AuditLogsB2CCIAMGuestUsagesCreateUpdateDeleteInitiatorInitiatorIdIPAddressTimeGeneratedLoggedByServiceCategoryAADOperationTypeOperationNameResultResultDescriptionAdditionalDetailsTargetResourcesCorrelationId
Operators
wherehas_anyextendiifisnotemptytostringbag_keysproject