KQL Search

Query Details

HomeAI ToolsDevice Query

Group Membership Report

Query

# Group Membership Report

## Query Information

#### Description
This query can be used to draw an report of the Entra ID group memberships of all users.

Note: if a users has more than 1000 memberships remove the 1000 limitation in the make_set to display all groupnames.

## Defender XDR
```KQL
let TimeFrame = 30d;
IdentityInfo
| where Timestamp > ago(TimeFrame)
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| mv-expand GroupMembership
| where isnotempty(GroupMembership)
| summarize TotalMemberships = dcount(tostring(GroupMembership)), MemberOf = make_set(tostring(GroupMembership), 1000) by AccountObjectId, AccountDisplayName, AccountUPN
| extend ReportDate = now()
```
## Sentinel
```KQL
let TimeFrame = 30d;
IdentityInfo
| where TimeGenerated > ago(TimeFrame)
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| mv-expand GroupMembership
| where isnotempty(GroupMembership)
| summarize TotalMemberships = dcount(tostring(GroupMembership)), MemberOf = make_set(tostring(GroupMembership), 1000) by AccountObjectId, AccountDisplayName, AccountUPN
| extend ReportDate = now()
```

Explanation

This query generates a report of group memberships for all users in Entra ID (formerly Azure AD) over the past 30 days. Here's a simplified breakdown of what the query does:

  1. Set Time Frame: It looks at data from the last 30 days.
  2. Filter Data: It retrieves identity information and filters it to only include records within the specified time frame.
  3. Get Latest Record: For each user, it keeps only the most recent record.
  4. Expand Group Memberships: It breaks down the group memberships so each membership is a separate record.
  5. Filter Non-Empty Memberships: It removes any records where the group membership information is empty.
  6. Summarize Memberships: For each user, it counts the total number of unique group memberships and lists up to 1000 group names.
  7. Add Report Date: It adds the current date to the report for reference.

The result is a report that shows each user's total group memberships and a list of the groups they belong to, along with the date the report was generated.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: August 25, 2024

Tables

IdentityInfo

Keywords

UsersEntraIDGroupMemberships

Operators

letwhereagosummarizearg_maxbymv-expandisnotemptydcounttostringmake_setextendnow

Actions