Azure AD Access Reviews

Query

# Entra ID - Access Review Activities

## Query Information

### Description

Use the queries below to retrieve Entra ID Access Review activities (reviewer decisions and access review lifecycle events) from the Entra audit log.

#### References

- [What are access reviews?](https://learn.microsoft.com/en-us/entra/id-governance/access-reviews-overview)

### Microsoft Sentinel

Deny decisions

```kql
// A reviewer denied a user's continued access
AuditLogs
| where Category == "Policy"
| where OperationName == "Deny decision"
| extend AccessReview = tostring(TargetResources[0].displayName)      // review the decision belongs to
| extend InitiatedBy = tostring(InitiatedBy.user.userPrincipalName)    // reviewer who made the decision
| extend TargetUser = tostring(TargetResources[2].userPrincipalName)   // user whose access was reviewed
```

Approval decisions

```kql
// A reviewer approved a user's continued access
AuditLogs
| where Category == "Policy"
| where OperationName == "Approve decision"
| extend AccessReview = tostring(TargetResources[0].displayName)      // review the decision belongs to
| extend InitiatedBy = tostring(InitiatedBy.user.userPrincipalName)    // reviewer who made the decision
| extend TargetUser = tostring(TargetResources[2].userPrincipalName)   // user whose access was reviewed
```

Bulk approval

```kql
// A reviewer approved all pending decisions at once; no per-user target is extracted here
AuditLogs
| where Category == "Policy"
| where OperationName == "Bulk Approve decisions"
| extend AccessReview = tostring(TargetResources[0].displayName)      // review that was bulk-approved
| extend InitiatedBy = tostring(InitiatedBy.user.userPrincipalName)    // reviewer who bulk-approved
```

Delete Access Review

```kql
// An access review definition was deleted
AuditLogs
| where Category == "Policy"
| where OperationName == "Delete access review"
| extend AccessReviewName = tostring(TargetResources[0].displayName)
// Positional lookup into AdditionalDetails; confirm the index against your tenant's events
| extend IPAddress = tostring(AdditionalDetails[3].value)
| project TimeGenerated, AccessReviewName, OperationName, IPAddress
```

Create Access Review

```kql
// An access review definition was created (name sits in the second target resource here)
AuditLogs
| where Category == "Policy"
| where OperationName == "Create access review"
| extend AccessReviewName = tostring(TargetResources[1].displayName)
// Positional lookup into AdditionalDetails; confirm the index against your tenant's events
| extend IPAddress = tostring(AdditionalDetails[3].value)
| project TimeGenerated, AccessReviewName, OperationName, IPAddress
```
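
Reviewer activity summary (added example)

The query below is an added example and not part of the original query set. It covers the same five operations in one pass and then summarizes per reviewer and per access review, so that reviewers who approve everything, or who use bulk approval, stand out. It assumes that the reviewed user appears in TargetResources with `type == "User"` (so it is found by type rather than by array position), that system-driven actions populate `InitiatedBy.app` rather than `InitiatedBy.user`, and the rubber-stamp threshold of 10 approvals with no denials is an arbitrary starting point to tune.

```kql
// Added example (not from the original page). Assumptions: reviewed users are
// TargetResources entries with type == "User"; automated actions carry
// InitiatedBy.app instead of InitiatedBy.user; threshold of 10 is a tuning knob.
let AccessReviewOps = dynamic([
    "Deny decision", "Approve decision", "Bulk Approve decisions",
    "Create access review", "Delete access review"]);
AuditLogs
| where TimeGenerated > ago(30d)
| where Category == "Policy"
| where OperationName in (AccessReviewOps)
// Actor: the human reviewer, or the service when decisions are applied automatically
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                          tostring(InitiatedBy.app.displayName))
| extend ActorIP = tostring(InitiatedBy.user.ipAddress)
// Review name: second target resource for "Create access review", first otherwise
| extend AccessReview = iff(OperationName == "Create access review",
                            tostring(TargetResources[1].displayName),
                            tostring(TargetResources[0].displayName))
// Reviewed user: locate by type instead of by position; rows with no User target
// keep an empty TargetUser because the inner summarize has no grouping key
| mv-apply Target = TargetResources on (
    where tostring(Target.type) == "User"
    | summarize TargetUser = take_any(tostring(Target.userPrincipalName))
  )
| summarize Approvals     = countif(OperationName == "Approve decision"),
            Denials       = countif(OperationName == "Deny decision"),
            BulkApprovals = countif(OperationName == "Bulk Approve decisions"),
            Lifecycle     = make_set_if(OperationName,
                                OperationName in ("Create access review", "Delete access review")),
            ReviewedUsers = make_set_if(TargetUser, isnotempty(TargetUser)),
            SourceIPs     = make_set_if(ActorIP, isnotempty(ActorIP)),
            FirstSeen     = min(TimeGenerated),
            LastSeen      = max(TimeGenerated)
    by Actor, AccessReview
// Flag reviewers who never deny, or who bulk-approve
| extend RubberStamp = (Approvals >= 10 and Denials == 0) or BulkApprovals > 0
| order by RubberStamp desc, Approvals desc
```

Rows with `RubberStamp == true` are candidates for a follow-up conversation with the reviewer; a deleted review with no matching create event in the window is worth a look as well, since it removes the record of who was supposed to be reviewed.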

Explanation

The queries retrieve Entra ID Access Review activities from the AuditLogs table in Microsoft Sentinel, covering deny decisions, approval decisions, bulk approvals, access review deletion and access review creation. Each query filters on the audit category and operation name, then extracts the access review name, the initiating user (the reviewer), the reviewed user where the event has one, and the source IP address.

Details

Alex Verboon

Released: November 2, 2023

Tables

AuditLogs

Keywords

Devices, Intune, User
