Query Details
Entra ID Tenant Restriction Failed Signin
Query
# EntraID - Tenant Restriction - Failed sign-in ## Query Information ### Description Use the below query to identify failed sign-insto Entra ID due to Tenant restriction policy #### References - [Set up tenant restrictions v2](https://learn.microsoft.com/en-us/entra/external-id/tenant-restrictions-v2#option-3-enable-tenant-restrictions-on-windows-managed-devices-preview) ### Microsoft Sentinel ```kql // Tenant restriction SigninLogs | where ResultType == "5000211" | project TimeGenerated, ResultType, ResultDescription, UserPrincipalName,ClientAppUsed, AppDisplayName, HomeTenantId, CrossTenantAccessType, IPAddress ```
Explanation
This query helps identify failed sign-ins to Entra ID due to Tenant restriction policy. It looks for sign-in logs with a ResultType of "5000211" and then displays relevant information like TimeGenerated, ResultDescription, UserPrincipalName, ClientAppUsed, AppDisplayName, HomeTenantId, CrossTenantAccessType, and IPAddress.
Details
Alex Verboon
Released: June 3, 2024
Tables
SigninLogs
Keywords
SigninLogs,ResultType,UserPrincipalName,ClientAppUsed,AppDisplayName,HomeTenantId,CrossTenantAccessType,IPAddress
Operators
whereproject