Entra Cross Tenant Activity Monitoring
Query
// Entra Cross-Tenant Activity Monitoring
// The AADSpnSignInEventsBeta table is currently in beta and available for a limited time, enabling you to explore Microsoft Entra sign-in events. To collect and view activities in this table, a Microsoft Entra ID P2 license is required. This table, part of the advanced hunting schema, contains details about sign-ins by Microsoft Entra service principals and managed identities. Below is a custom KQL detection for DefenderXDR to monitor cross-tenant activity, which can help detect potential OAUTH app compromises. (E.g Midnight Blizzard Case)
// Entra Cross-Tenant Activity (Potential App Compromise)
// Please set your Entra Home Tenant ID
let EntraHomeTenantID = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX";
AADSpnSignInEventsBeta
| where Timestamp > ago (1h)
| where ResourceTenantId != EntraHomeTenantID
| project Timestamp, ReportId, Application, ApplicationId, ServicePrincipalName, ServicePrincipalId, ResourceTenantId, IPAddress, Country
// After you obtained the target tenant ID
// Use Microsoft Graph to gather more info on the tenant ID
// https://learn.microsoft.com/en-us/graph/api/tenantrelationship-findtenantinformationbytenantid?view=graph-rest-1.0&tabs=httpExplanation
This query is designed to monitor cross-tenant activity in Microsoft Entra, specifically looking for potential compromises of OAUTH applications. Here’s a simplified breakdown:
-
Purpose: The query aims to detect suspicious sign-in events by service principals and managed identities across different tenants, which could indicate a compromised application.
-
Data Source: It uses the
AADSpnSignInEventsBetatable, which is in beta and requires a Microsoft Entra ID P2 license. -
Filter Criteria:
- It looks at sign-in events from the past hour (
Timestamp > ago(1h)). - It filters out events from the home tenant by comparing the
ResourceTenantIdwith the specified home tenant ID (ResourceTenantId != EntraHomeTenantID).
- It looks at sign-in events from the past hour (
-
Output: The query projects (selects) specific columns to display:
Timestamp,ReportId,Application,ApplicationId,ServicePrincipalName,ServicePrincipalId,ResourceTenantId,IPAddress, andCountry. -
Next Steps: After identifying the target tenant ID from the results, you can use Microsoft Graph API to gather more information about the tenant.
In essence, this query helps in identifying and investigating unusual cross-tenant sign-in activities that could signify a security threat.
Details

Steven Lim
Released: September 28, 2024
Tables
Keywords
Operators