Query Details

Conditional Access Changes New Value And Old Value

Query

// Scope: one operator (the UPN literal is a placeholder to replace) and a 2-day window.
let operatorUPN = "[email protected]";
let lookback = 2d;
AuditLogs
| where TimeGenerated > ago(lookback)
// Policy object updates written by the directory service.
| where LoggedByService == "Core Directory" and OperationName == "Update policy"
// Cheap text pre-filter on the raw InitiatedBy bag before reading fields from it.
| where InitiatedBy has operatorUPN
| extend initiator = tostring(InitiatedBy.user.userPrincipalName)
| extend policyName = tostring(TargetResources[0].displayName)
| extend changes = TargetResources[0].modifiedProperties
| project TimeGenerated, initiator, policyName, changes
// One row per modified property, then lift displayName/oldValue/newValue into columns.
| mv-expand changes
| evaluate bag_unpack(changes)
// Property values are JSON-encoded strings, so an empty new value is the two-character string "".
| where newValue <> "\"\""
| sort by TimeGenerated, initiator, policyName

Explanation

This query lists policy updates made by one operator over the last 2 days. It keeps AuditLogs records written by the "Core Directory" service with the "Update policy" operation, pre-filters on the raw InitiatedBy bag with has before reading the user's userPrincipalName from it, and extracts the policy name and the modifiedProperties array from the first target resource. mv-expand turns each modified property into its own row, and bag_unpack lifts that property's displayName, oldValue and newValue into columns, which is what puts the old and new value side by side. Because these values are JSON-encoded strings, an empty new value shows up as the two-character string "" and is what the final filter removes; the results are then sorted by time, initiator and policy name. Two practical points: the has match on InitiatedBy is a substring match, so a UPN that is a prefix of another will also match, and the set of OperationName values used for Conditional Access edits should be confirmed in your own tenant's AuditLogs before the filter is relied on for alerting.
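As an added example (not part of Rod Trent's original query), the same pivot reworked into a detection-style query: it drops the single-operator filter, resolves app (service principal) initiators as well as users, and keeps only properties whose value actually changed. The second OperationName value, the 1-day lookback and the column names chosen for the output are assumptions for illustration; check the operation names that actually appear in your tenant before using this for alerting.

```kql
// Added example: every policy update in the window, one row per changed property.
let lookback = 1d;
// "Update policy" is the operation name from the original query; the second
// name is an assumption for newer tenants and must be checked against live data.
let policyOps = dynamic(["Update policy", "Update conditional access policy"]);
AuditLogs
| where TimeGenerated > ago(lookback)
| where LoggedByService == "Core Directory" and OperationName in (policyOps)
// A change can be made by a signed-in user or by an application; coalesce skips empty strings.
| extend initiator = coalesce(
      tostring(InitiatedBy.user.userPrincipalName),
      tostring(InitiatedBy.app.displayName),
      tostring(InitiatedBy.app.servicePrincipalId))
| extend initiatorIp = tostring(InitiatedBy.user.ipAddress)
| extend policyName = tostring(TargetResources[0].displayName)
// One row per entry in modifiedProperties, read into named columns.
| mv-expand change = TargetResources[0].modifiedProperties
| extend property = tostring(change.displayName),
         oldValue = tostring(change.oldValue),
         newValue = tostring(change.newValue)
// Drop entries whose value did not move (covers the empty "" case from the original).
| where oldValue != newValue
| project TimeGenerated, initiator, initiatorIp, OperationName, policyName, property, oldValue, newValue
| order by TimeGenerated desc
```

Feeding oldValue and newValue into an analytics rule as entities makes it easy to spot a policy being disabled or having its conditions widened, which is the change a reviewer most wants to see highlighted.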

Details


Rod Trent

Released: March 26, 2020

Tables

AuditLogs,TargetResources

Keywords

Devices,Intune,User

Operators

where,ago,and,==,has,extend,tostring,parse_json,project,mvexpand,evaluate,bag_unpack,sort by
