Query Details

Entra Group Changes

Query

AuditLogs
| where TimeGenerated > ago(90d)
// Group membership and ownership changes only
| where OperationName has_any ("Add member to group", "Remove member from group", "Add owner to group")
// TargetResources[0] is the principal that was added to or removed from the group
| extend Target = tostring(TargetResources[0].userPrincipalName)
| extend TargetId = tostring(TargetResources[0].id)
| extend DisplayName = tostring(TargetResources[0].userPrincipalName)
// Prefer the interactive user; fall back to the app display name when a service initiated the change
| extend Initiator = iff(isempty(parse_json(tostring(InitiatedBy.user)).userPrincipalName),
                         parse_json(tostring(InitiatedBy.app)).displayName,
                         parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend IPAddress = parse_json(tostring(InitiatedBy.user)).ipAddress
// The group name lives in modifiedProperties; this query assumes the second entry is Group.DisplayName
| extend GroupDisplayName = parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))
| where GroupDisplayName != "All Users"
| project TimeGenerated, Initiator, Target, TargetId, DisplayName, IPAddress, GroupDisplayName

Explanation

This KQL (Kusto Query Language) query is designed to analyze audit logs, specifically focusing on group membership changes within the last 90 days. Here's a simplified breakdown of what the query does:

  1. Data Source: It starts by looking at the AuditLogs table.

  2. Time Filter: It filters the logs to include only those generated in the last 90 days.

  3. Operation Filter: It further narrows down the logs to those related to group membership changes, specifically when a member is added to a group, removed from a group, or when an owner is added to a group.

  4. Data Extraction:

    • It extracts the userPrincipalName of the target resource (the user affected by the operation) and stores it in Target and DisplayName.
    • It extracts the id of the target resource and stores it in TargetId.
    • It determines the initiator of the operation (either a user or an application) and stores it in Initiator.
    • It extracts the IP address of the user who initiated the operation and stores it in IPAddress.
    • It extracts the display name of the group that was modified and stores it in GroupDisplayName.

  5. Exclusion: It excludes any operations related to the "All Users" group.

  6. Output: Finally, it selects and displays the relevant columns: TimeGenerated, Initiator, Target, TargetId, DisplayName, IPAddress, and GroupDisplayName.

In summary, this query is used to track specific group membership changes in audit logs, excluding changes to the "All Users" group, and provides details about the operation, including who initiated it and the affected user.
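As an added example that is not part of the original query, the same extraction run over constructed AuditLogs-shaped rows built with datatable, so the initiator fallback and the "All Users" exclusion can be checked without a tenant; it also looks Group.DisplayName up by property name instead of by position. All names, IP addresses and GUIDs below are made up.

```kql
// Added example, not from the original page: constructed AuditLogs-shaped rows so the
// extraction can be checked without a tenant. Names, IPs and GUIDs are made up.
let SampleAuditLogs = datatable(TimeGenerated:datetime, OperationName:string, InitiatedBy:dynamic, TargetResources:dynamic)
[
    // Row 1: an interactive user adds alice to Finance Admins (should pass the filter)
    datetime(2025-12-01T10:00:00Z), "Add member to group",
    dynamic({"user": {"userPrincipalName": "it.admin@contoso.example", "ipAddress": "203.0.113.10"}}),
    dynamic([{"id": "11111111-1111-1111-1111-111111111111", "userPrincipalName": "alice@contoso.example",
              "modifiedProperties": [
                  {"displayName": "Group.ObjectID", "newValue": "\"22222222-2222-2222-2222-222222222222\""},
                  {"displayName": "Group.DisplayName", "newValue": "\"Finance Admins\""}]}]),
    // Row 2: an app removes bob from Helpdesk; no InitiatedBy.user, and Group.DisplayName is not at index 1
    datetime(2025-12-01T11:00:00Z), "Remove member from group",
    dynamic({"app": {"displayName": "HR Provisioning Connector"}}),
    dynamic([{"id": "33333333-3333-3333-3333-333333333333", "userPrincipalName": "bob@contoso.example",
              "modifiedProperties": [
                  {"displayName": "Group.DisplayName", "newValue": "\"Helpdesk\""},
                  {"displayName": "Group.ObjectID", "newValue": "\"44444444-4444-4444-4444-444444444444\""}]}]),
    // Row 3: a change to the "All Users" group (should be excluded)
    datetime(2025-12-01T12:00:00Z), "Add member to group",
    dynamic({"user": {"userPrincipalName": "it.admin@contoso.example", "ipAddress": "203.0.113.10"}}),
    dynamic([{"id": "55555555-5555-5555-5555-555555555555", "userPrincipalName": "carol@contoso.example",
              "modifiedProperties": [
                  {"displayName": "Group.ObjectID", "newValue": "\"66666666-6666-6666-6666-666666666666\""},
                  {"displayName": "Group.DisplayName", "newValue": "\"All Users\""}]}])
];
SampleAuditLogs
| where OperationName has_any ("Add member to group", "Remove member from group", "Add owner to group")
| extend Target = tostring(TargetResources[0].userPrincipalName)
| extend TargetId = tostring(TargetResources[0].id)
| extend InitiatedByUser = parse_json(tostring(InitiatedBy.user))
| extend InitiatedByApp = parse_json(tostring(InitiatedBy.app))
// Same fallback as the page's query: user UPN when present, otherwise the app display name
| extend Initiator = iff(isempty(tostring(InitiatedByUser.userPrincipalName)),
                         tostring(InitiatedByApp.displayName),
                         tostring(InitiatedByUser.userPrincipalName))
| extend IPAddress = tostring(InitiatedByUser.ipAddress)
// Look up Group.DisplayName by property name rather than by position; rows without it drop out here
| extend Prop = TargetResources[0].modifiedProperties
| mv-expand Prop
| where tostring(Prop.displayName) == "Group.DisplayName"
| extend GroupDisplayName = tostring(parse_json(tostring(Prop.newValue)))
| where GroupDisplayName != "All Users"
| project TimeGenerated, OperationName, Initiator, Target, TargetId, IPAddress, GroupDisplayName
```

Replacing SampleAuditLogs with AuditLogs and restoring the ago(90d) time filter turns this back into a query against a real workspace.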

Details

Jay Kerai

Released: December 2, 2025

Tables

AuditLogs

Keywords

AuditLogs, Users, Groups

Operators

AuditLogs, |, where, >, ago(), has_any(), extend, tostring(), iff(), isempty(), parse_json(), userPrincipalName, id, displayName, ipAddress, modifiedProperties, newValue, !=, project