Entra ID Group Membership changes - Dynamic

# EntraID - Group Membership changes - Dynamic Group memberships

## Query Information

### Description

Use the queries below to find Entra ID group membership changes that were initiated for Dynamic Groups, i.e. members added or removed by the membership rule engine rather than by an administrator.

#### References

- [Dynamic membership rules for groups in Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership)

### Microsoft Sentinel

Group membership changes from the Entra ID audit log (AuditLogs table)

```kql
// Members added to a group by the dynamic membership engine.
// TargetResources[0] is the member (user or device), TargetResources[1] is the group.
AuditLogs
| where OperationName == "Add member to group"
| where Category == "GroupManagement"
| where parse_json(tostring(InitiatedBy.app)).displayName == "Microsoft Approval Management"
| extend DeviceName = tostring(TargetResources[0].displayName)
| extend GroupObjectId = tostring(TargetResources[1].id)
| project TimeGenerated, OperationName, DeviceName, GroupObjectId
```

```kql
// Members removed from a group by the dynamic membership engine; same column layout as above.
AuditLogs
| where OperationName == "Remove member from group"
| where Category == "GroupManagement"
| where parse_json(tostring(InitiatedBy.app)).displayName == "Microsoft Approval Management"
| extend DeviceName = tostring(TargetResources[0].displayName)
| extend GroupObjectId = tostring(TargetResources[1].id)
| project TimeGenerated, OperationName, DeviceName, GroupObjectId
```

Group membership changes from the Defender for Cloud Apps log (CloudAppEvents table)

```kql
// Same removals as seen by Defender for Cloud Apps.
// Note the trailing period in ActionType and the reversed object order:
// ActivityObjects[0] is the group, ActivityObjects[1] is the member.
CloudAppEvents
| where AccountDisplayName == "Microsoft Approval Management"
| where ActionType == "Remove member from group."
| extend GroupName = tostring(ActivityObjects[0].Name)
| extend DeviceName = tostring(ActivityObjects[1].Name)
| project TimeGenerated, ActionType, GroupName, DeviceName
```

```kql
// Same additions as seen by Defender for Cloud Apps.
CloudAppEvents
| where AccountDisplayName == "Microsoft Approval Management"
| where ActionType == "Add member to group."
| extend GroupName = tostring(ActivityObjects[0].Name)
| extend DeviceName = tostring(ActivityObjects[1].Name)
| project TimeGenerated, ActionType, GroupName, DeviceName
```

Explanation

These queries track membership changes of Entra ID Dynamic Groups. They look for additions and removals of members initiated by "Microsoft Approval Management", the identity under which the dynamic membership engine applies rule results, in both the Entra ID audit log and the Defender for Cloud Apps log. Each query extracts the time of the change, the operation name, the member's display name and the group object ID (AuditLogs) or group name (CloudAppEvents). The member column is called DeviceName because the queries were written with Intune device groups in mind, but the same events fire for user-based dynamic groups, so the value may also be a user's display name.
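As an added example that is not part of the original query page, the following KQL folds the four queries above into one event stream and counts adds and removes per group per hour. A dynamic membership rule that is edited (or a rule that starts matching many objects) shows up as a burst of changes from "Microsoft Approval Management", which the per-query views above do not surface directly. The lookback window, the churn threshold and the GroupKey naming are assumptions for illustration: GroupKey is the group object id for AuditLogs and the group display name for CloudAppEvents, because that is what each table exposes in the queries above.

```kql
// Added example: hourly membership churn per dynamic group across both log sources.
let lookback = 7d;                                   // assumption: tune per tenant
let churnThreshold = 25;                             // assumption: tune per tenant
let initiator = "Microsoft Approval Management";     // dynamic membership engine identity
let auditEvents = AuditLogs
    | where TimeGenerated > ago(lookback)
    | where Category == "GroupManagement"
    | where OperationName in ("Add member to group", "Remove member from group")
    | where tostring(InitiatedBy.app.displayName) == initiator
    | extend Source = "AuditLogs",
             Action = iff(OperationName startswith "Add", "Add", "Remove"),
             MemberName = tostring(TargetResources[0].displayName),
             GroupKey = tostring(TargetResources[1].id)          // group object id
    | project TimeGenerated, Source, Action, MemberName, GroupKey;
let mdaEvents = CloudAppEvents
    | where TimeGenerated > ago(lookback)
    | where AccountDisplayName == initiator
    | where ActionType in ("Add member to group.", "Remove member from group.")
    | extend Source = "CloudAppEvents",
             Action = iff(ActionType startswith "Add", "Add", "Remove"),
             GroupKey = tostring(ActivityObjects[0].Name),       // group display name
             MemberName = tostring(ActivityObjects[1].Name)
    | project TimeGenerated, Source, Action, MemberName, GroupKey;
union auditEvents, mdaEvents
| summarize Adds = countif(Action == "Add"),
            Removes = countif(Action == "Remove"),
            SampleMembers = make_set(MemberName, 50)
    by Source, GroupKey, Hour = bin(TimeGenerated, 1h)
| extend Churn = Adds + Removes
| where Churn >= churnThreshold
| order by Churn desc, Hour desc
```

Run it without the final `where` first to see the normal hourly churn of your tenant's dynamic groups, then set the threshold above that baseline; the two sources are kept separate in the summary on purpose, so that a gap in one of them (for example the Defender for Cloud Apps connector lagging behind the audit log) is visible as a count mismatch rather than hidden by a join.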

Details

Alex Verboon

Released: April 26, 2024

Tables

AuditLogs, CloudAppEvents

Keywords

EntraID,Group,Membership,Dynamic,Groups,Devices,Intune,User

Operators

where, |, ==, &&, parse_json, tostring, extend, project