List the external admin activities
External Admin Activities
Query
CloudAppEvents
| where IsExternalUser == 1 and AccountType == "Admin"
| summarize
TotalActivities = count(),
ActionsPerformed = make_set(ActionType),
Applications = make_set(Application),
IPsUsed = make_set(IPAddress)
by AccountId
| sort by TotalActivitiesAbout this query
List the external admin activities
Query Information
Description
This query lists all the external admin activities in your tenant sorted from the account with the most actions performed to the one with the least actions.
Risk
External admins can yield a bigger risk to your organisation as they are not internal users.
Defender XDR
Sentinel
CloudAppEvents
| where IsExternalUser == 1 and AccountType == "Admin"
| summarize
TotalActivities = count(),
ActionsPerformed = make_set(ActionType),
Applications = make_set(Application),
IPsUsed = make_set(IPAddress)
by AccountId
| sort by TotalActivities
Explanation
This query is designed to identify and list activities performed by external administrators in your organization's cloud environment. Here's a simple breakdown of what it does:
-
Filter for External Admins: It looks for events where the user is an external person (not part of your organization) and has administrative privileges.
-
Summarize Activities: For each external admin, it counts the total number of activities they have performed. It also compiles a list of different types of actions they have taken, the applications they have used, and the IP addresses from which they have accessed the system.
-
Sort by Activity Level: Finally, it sorts these external admins by the number of activities they have performed, starting with the most active.
The purpose of this query is to help you monitor and assess the risk posed by external administrators, as they can potentially be a higher security risk compared to internal users.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators