Query Details

Azure DevOps - Organization Policy - External Guest Access

Azure Dev Ops External Guest Access

Query

AzureDevOpsAuditing
| where OperationName == "OrganizationPolicy.PolicyValueUpdated"
| extend PolicyName = tostring(Data.PolicyName)
| extend PolicyValue = tostring(Data.PolicyValue)
| where PolicyValue == "OFF"
| where PolicyName == "Policy.DisallowAadGuestUserAccess"
| project TimeGenerated, ActorUPN, IpAddress, PolicyName, PolicyValue, ScopeDisplayName

About this query

Azure DevOps - Organization Policy - External Guest Access

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1098Account Manipulationhttps://attack.mitre.org/techniques/T1098/
T1562Impair Defenseshttps://attack.mitre.org/techniques/T1562/

Description

Block external guest access: Disable the "Allow invitations to be sent to any domain" policy to prevent external guest access if there's no business need for it.

Use the below query to identify when External Guest Access is enabled in Azure DevOps

References

Microsoft Sentinel

Explanation

This KQL query is designed to monitor Azure DevOps for changes related to external guest access policies. Here's a simple breakdown of what the query does:

  1. Data Source: It uses the AzureDevOpsAuditing table, which logs various activities and changes within Azure DevOps.

  2. Filter Operation: The query looks specifically for operations where the policy value has been updated, indicated by the OperationName being "OrganizationPolicy.PolicyValueUpdated".

  3. Extract Policy Details: It extracts the PolicyName and PolicyValue from the data, ensuring they are in string format.

  4. Identify Policy Change: The query filters for instances where the policy value is set to "OFF" for the policy named "Policy.DisallowAadGuestUserAccess". This indicates that external guest access has been enabled, which might be against security best practices if there's no business need.

  5. Output Information: It projects (displays) specific details about these changes, including:

    • TimeGenerated: When the change occurred.
    • ActorUPN: The user principal name of the person who made the change.
    • IpAddress: The IP address from which the change was made.
    • PolicyName: The name of the policy that was changed.
    • PolicyValue: The new value of the policy.
    • ScopeDisplayName: The scope or context within which the policy change occurred.

In essence, this query helps identify when and by whom the external guest access policy in Azure DevOps was turned off, potentially allowing external users access to the organization, which could be a security risk if not justified.

Details

Alex Verboon profile picture

Alex Verboon

Released: April 16, 2026

Tables

AzureDevOpsAuditing

Keywords

AzureDevOpsOrganizationPolicyExternalGuestAccess

Operators

AzureDevOpsAuditingwhere==extendtostringproject

MITRE Techniques

Actions

GitHub