Azure DevOps - Organization Policy - External Guest Access
Azure Dev Ops External Guest Access
Query
AzureDevOpsAuditing
| where OperationName == "OrganizationPolicy.PolicyValueUpdated"
| extend PolicyName = tostring(Data.PolicyName)
| extend PolicyValue = tostring(Data.PolicyValue)
| where PolicyValue == "OFF"
| where PolicyName == "Policy.DisallowAadGuestUserAccess"
| project TimeGenerated, ActorUPN, IpAddress, PolicyName, PolicyValue, ScopeDisplayNameAbout this query
Azure DevOps - Organization Policy - External Guest Access
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1098 | Account Manipulation | https://attack.mitre.org/techniques/T1098/ |
| T1562 | Impair Defenses | https://attack.mitre.org/techniques/T1562/ |
Description
Block external guest access: Disable the "Allow invitations to be sent to any domain" policy to prevent external guest access if there's no business need for it.
Use the below query to identify when External Guest Access is enabled in Azure DevOps
References
Microsoft Sentinel
Explanation
This KQL query is designed to monitor Azure DevOps for changes related to external guest access policies. Here's a simple breakdown of what the query does:
-
Data Source: It uses the
AzureDevOpsAuditingtable, which logs various activities and changes within Azure DevOps. -
Filter Operation: The query looks specifically for operations where the policy value has been updated, indicated by the
OperationNamebeing "OrganizationPolicy.PolicyValueUpdated". -
Extract Policy Details: It extracts the
PolicyNameandPolicyValuefrom the data, ensuring they are in string format. -
Identify Policy Change: The query filters for instances where the policy value is set to "OFF" for the policy named "Policy.DisallowAadGuestUserAccess". This indicates that external guest access has been enabled, which might be against security best practices if there's no business need.
-
Output Information: It projects (displays) specific details about these changes, including:
TimeGenerated: When the change occurred.ActorUPN: The user principal name of the person who made the change.IpAddress: The IP address from which the change was made.PolicyName: The name of the policy that was changed.PolicyValue: The new value of the policy.ScopeDisplayName: The scope or context within which the policy change occurred.
In essence, this query helps identify when and by whom the external guest access policy in Azure DevOps was turned off, potentially allowing external users access to the organization, which could be a security risk if not justified.
