Query Details

Function Teams Access

Query

// Save as a function in your workspace, then invoke it via its name, i.e. if you save it as TeamsAccess:
// TeamsAccess | where TeamName == "Secret Project"  // will find all events (user adds, removes and access changes) for the "Secret Project" team
// TeamsAccess | where Actor == "[email protected]" // will find all events (user adds, removes and changes) performed by [email protected]
// TeamsAccess | where TimeGenerated > ago(1d) and Activity == "User added as guest" // will find all guests added in the last day
// This function makes the data structure for the different events consistent so you can query them quickly
let memberadded=
    OfficeActivity
    | where Operation == "MemberAdded"
    | where CommunicationType == "Team"
    | mv-expand Members
    | extend User = tostring(Members.UPN)
    | extend x = tostring(Members.Role)
    | extend Activity = case(x == "1", strcat("User added as member"),
        x == "2", strcat("User added as owner"), 
        x == "3", strcat("User added as guest"),
        "unknown")
    | extend Action = "Add"
    | project
        TimeGenerated,
        Action,
        Activity,
        Actor=UserId,
        User,
        TeamName,
        TeamGuid,
        ActorType=UserType;
let memberremoved=
    OfficeActivity
    | where Operation == "MemberRemoved"
    | where CommunicationType == "Team"
    | mv-expand Members
    | extend User = tostring(Members.UPN)
    | extend Activity = "User removed from Team"
    | extend Action = "Remove"
    | project
        TimeGenerated,
        Action,
        Activity,
        Actor=UserId,
        User,
        TeamName,
        TeamGuid,
        ActorType=UserType;
let memberaccesschanged=
    OfficeActivity
    | where Operation == "MemberRoleChanged"
    | mv-expand Members
    | extend User = tostring(Members.UPN)
    | extend x = tostring(Members.Role)
    | extend Activity = case(x == "1", strcat("User changed to member"),
        x == "2", strcat("User changed to owner"), "unknown")
    | extend Action = "Change"
    | project
        TimeGenerated,
        Action,
        Activity,
        Actor=UserId,
        User,
        TeamName,
        TeamGuid,
        ActorType=UserType;
union memberadded, memberremoved, memberaccesschanged
| project-reorder TimeGenerated, Action, Activity, User, Actor, ActorType, TeamName, TeamGuid

Explanation

The query creates three separate data structures for the different events related to team access in Microsoft Teams, then merges them into one consistent schema.

The first structure, "memberadded," captures events where a user is added to a team as a member, owner, or guest (the numeric Members.Role values 1, 2 and 3 are mapped to those labels). It includes the time the event occurred, the action (add), the activity (user added as member, owner, or guest), the actor (the user who performed the action), the user who was added, the team name and ID, and the actor type (user type).

The second structure, "memberremoved," captures events where a user is removed from a team. It includes the same information as the "memberadded" structure, but with the action set to "Remove" and the activity set to "User removed from Team."

The third structure, "memberaccesschanged," captures events where a user's role in a team is changed. It includes the same information as the other structures, but with the action set to "Change" and the activity reflecting the role change (user changed to member or owner).

Finally, the query combines all three structures with the "union" operator and reorders the columns so that every event type is displayed with the same layout.
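Because the function normalises all three event types into one schema, the Actor, User, Activity and TeamGuid columns can be correlated across event types. The hunting query below is an added example, not part of the original function: it assumes the query above is saved as a function named TeamsAccess, and the 7-day lookback and 1-hour window are chosen values, not values from the original page. It finds a user who was made owner of a team and then, within an hour, added a guest to that same team.

```kql
// Added example built on the TeamsAccess function; lookback and window are assumed values.
let lookback = 7d;
let window = 1h;
// Owner promotions, whether by role change or by being added directly as owner
let promotions =
    TeamsAccess
    | where TimeGenerated > ago(lookback)
    | where Activity in ("User changed to owner", "User added as owner")
    | project PromotedAt = TimeGenerated,
              PromotedUser = tolower(User),   // normalise case: Actor is a UserId, User is a UPN
              PromotedBy = Actor,
              TeamGuid,
              TeamName;
// Guest additions, keyed on who performed them
let guestAdds =
    TeamsAccess
    | where TimeGenerated > ago(lookback)
    | where Activity == "User added as guest"
    | project GuestAddedAt = TimeGenerated,
              Guest = User,
              AddedBy = tolower(Actor),
              TeamGuid;
// Same team, the newly promoted owner is the one adding the guest, within the window
promotions
| join kind=inner guestAdds on TeamGuid
| where AddedBy == PromotedUser
| where GuestAddedAt between (PromotedAt .. (PromotedAt + window))
| project PromotedAt, TeamName, TeamGuid, PromotedUser, PromotedBy, GuestAddedAt, Guest
| order by PromotedAt desc
```

Tune the window and lookback to your tenant; the same pattern (join the normalised events on TeamGuid) works for other sequences such as a removal followed by a re-add.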

Details

Matt Zorich

Released: May 27, 2022

Tables

OfficeActivity

Keywords

Keywords: TeamsAccess, TeamName, Actor, TimeGenerated, Activity, User, Operation, CommunicationType, Members, UPN, Role, Action, UserId, TeamGuid, ActorType, OfficeActivity, MemberAdded, MemberRemoved, MemberRoleChanged, Add, Remove, Change, unknown.

Operators

where, ==, |, mv-expand, extend, case, strcat, project, let, union, project-reorder