Query Details

Entra Auditing Tenant Restrictions V2 Events

Query

// This query looks for sign-ins where a user tries to sign in to a tenant that is not approved by a Tenant Restrictions policy. There will be a log entry in both Tenant A and Tenant B.
// The log in Tenant A (the tenant whose policy restricted the user) records the user in Entra as {PII removed - Tenant Restrictions}; in the target tenant the name is not redacted (because the user involved is a member of that tenant).
// Hence we can use the {PII removed} filter to differentiate the directionality of the block.
// Note: for tenant restrictions to take effect a policy must be pushed to the device via GPO, MDM or Global Secure Access (GSA).
// Post: https://www.linkedin.com/posts/jay-kerai-cyber_entra-mdm-b2b-activity-7359901262860984321-U45y
SigninLogs
| where ResultType <> "0"
//| where Identity == "{PII removed - Tenant Restrictions}" // You won't see the target account in the logs if the block is outbound to another org.
// If it's another org's user hitting your org, you will see the UPN. So use the PII filter to separate your users going outbound from another org's tenant restriction policy blocking inbound.
| where Status.errorCode == 5000211 // Both tenants get the same error code.
// The error the user sees: A tenant restrictions policy added to this request by a device or network administrator does not allow access to '{tenant}'.
// Use HomeTenantId and a tool such as AADInternals to resolve which tenant was being signed into.
// Also note the same error code appears for personal Microsoft accounts (MSA); there is no way to differentiate these from the logs alone, because an MSA effectively lives in its own tenant.
// To find out which user initiated it you can try looking for the "https://login.microsoftonline.com/common/federation/oauth2msa" URL, but this only works for personal Microsoft accounts.

Explanation

This query is designed to identify instances where a user attempts to sign in to a tenant that is not permitted by a Tenant Restrictions policy. Here's a simplified breakdown of what the query does:

  1. Source of Logs: The query examines sign-in logs to detect these events.

  2. Filtering Results:

    • It filters out successful sign-ins by excluding logs where the ResultType is "0", which indicates success.
    • It specifically looks for sign-in attempts that resulted in an error with the code 5000211. This error code signifies that a tenant restriction policy has blocked the sign-in attempt.
  3. Directionality of the Block:

    • The query uses a filter to differentiate whether the block occurred when a user from the organization tried to access an external tenant or when an external user tried to access the organization. This is done by checking if the user's identity is redacted (indicated by "{PII removed - Tenant Restrictions}").
  4. Understanding the Error:

    • The error message associated with this code indicates that a tenant restriction policy, set by a device or network administrator, is preventing access to the specified tenant.
  5. Additional Considerations:

    • For tenant restrictions to be enforced, a policy must be applied to the device through methods like Group Policy Object (GPO), Mobile Device Management (MDM), or Microsoft Entra Global Secure Access (GSA).
    • The query notes that the same error code can appear for personal Microsoft accounts, making it challenging to differentiate these cases from organizational accounts based solely on logs.
  6. Identifying the User:

    • To identify which user initiated the blocked sign-in attempt, especially for personal Microsoft accounts, you can look for specific URLs in the logs, such as "https://login.microsoftonline.com/common/federation/oauth2msa".

Overall, this query helps administrators monitor and troubleshoot tenant restriction policy violations by identifying blocked sign-in attempts and understanding their context.
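As an added example (not part of the original query above), the following KQL extends it to label each blocked sign-in with its direction using the same {PII removed - Tenant Restrictions} marker, then summarizes attempts per user and tenant ID pair so inbound and outbound blocks can be reviewed separately. The 7-day lookback and the make_set size limits are assumptions chosen for illustration; the columns used are the standard Sentinel SigninLogs columns.

```kql
// Added example: split Tenant Restrictions v2 blocks by direction and summarize them.
SigninLogs
| where TimeGenerated > ago(7d)                      // assumed lookback window
| where ResultType <> "0"                            // drop successful sign-ins
| where Status.errorCode == 5000211                  // tenant restrictions block (same code in both tenants)
// Outbound: our policy blocked our own user on a managed device; Entra redacts the identity.
// Inbound:  another org's user hit our tenant; their UPN is visible in our logs.
| extend Direction = iff(Identity contains "PII removed",
                         "Outbound (our user -> external tenant)",
                         "Inbound (external user -> our tenant)")
| extend FailureReason = tostring(Status.failureReason)
| summarize Attempts = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Apps = make_set(AppDisplayName, 10),     // assumed cap of 10 distinct apps per row
            SourceIPs = make_set(IPAddress, 10)      // assumed cap of 10 distinct IPs per row
    by Direction, UserPrincipalName, HomeTenantId, ResourceTenantId, FailureReason
| order by Direction asc, Attempts desc
```

Outbound rows will carry the redacted identity rather than a real UPN, so resolve HomeTenantId and ResourceTenantId with a tool such as AADInternals to find out which tenant was involved; inbound rows show the external user's UPN directly. Blocks involving personal Microsoft accounts land in the same result set, so treat the tenant ID columns as the source of truth for the destination rather than the display name.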

Details


Jay Kerai

Released: August 15, 2025

Tables

SigninLogs

Keywords

SigninLogs, Devices, Intune, User, Tenant, Policy, Administrator, Network, Microsoft Accounts

Operators

SigninLogs, |, where, <>, ==