Query Details

HUNT 01 M365 Teams Guest Invitation History 90d

Query

// Hunt    : M365 - Teams Guest Invitation History (90d)
// Purpose : Map all guest invitations across Teams over 90 days to identify
//           patterns: who invited guests, from what domains, into which teams.
//           Supports investigation of insider threat, BEC, and shadow IT.
// Tables  : OfficeActivity
// Period  : P90D
//==========================================================================================

let LookbackDays = 90d;

OfficeActivity
| where TimeGenerated > ago(LookbackDays)
| where RecordType == "MicrosoftTeams"
| where Operation in ("MemberAdded", "InviteAccepted", "GuestAccessEnabled")
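// Only the first entry of Members is inspected; an event that adds several
// members at once is matched on that first entry alone.
| extend MemberUPN = tostring(Members[0].UPN)
| where MemberUPN has "#EXT#"
| extend
    // Guest UPNs have the form alias_homedomain#EXT#@tenant.onmicrosoft.com, so the
    // guest's own domain sits between the last "_" and "#EXT#", not after the "@".
    GuestDomain    = tostring(extract(@"_([^_#]+)#EXT#", 1, MemberUPN)),
    InviterDomain  = tostring(split(UserId, "@")[1])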
| summarize
    InviteCount    = count(),
    InvitedGuests  = make_set(MemberUPN, 30),
    Teams          = make_set(TeamName, 20),
    ClientIPs      = make_set(ClientIP, 10),
    FirstInvite    = min(TimeGenerated),
    LastInvite     = max(TimeGenerated)
    by UserId, GuestDomain, InviterDomain
| extend IsExternalInviter = InviterDomain != GuestDomain
| sort by InviteCount desc
| project
    UserId,
    GuestDomain,
    InviteCount,
    Teams,
    InvitedGuests,
    IsExternalInviter,
    FirstInvite,
    LastInvite

Explanation

This query is designed to analyze guest invitations in Microsoft Teams over the past 90 days. It aims to identify patterns related to who is inviting guests, from which domains, and into which Teams. This information can be useful for investigating potential insider threats, business email compromise (BEC), and unauthorized IT activities (shadow IT). Here's a simplified breakdown of what the query does:

  1. Time Frame: It looks at data from the last 90 days.

  2. Data Source: The query uses the OfficeActivity table, focusing on Microsoft Teams activities.

  3. Filter Criteria: It filters records to include only those related to adding members, accepting invitations, or enabling guest access in Teams.

  4. Guest Identification: It identifies guest users by checking if their User Principal Name (UPN) contains "#EXT#", which indicates an external user.

  5. Domain Extraction: It extracts the guest's domain from the guest UPN and the inviter's domain from UserId.

  6. Data Aggregation: For each combination of inviter and guest domain, it summarizes:

    • The total number of invitations sent (InviteCount).
    • A list of unique guests invited (InvitedGuests).
    • A list of Teams where guests were invited (Teams).
    • A list of client IPs used for the invitations (ClientIPs).
    • The first and last invitation timestamps.

  7. External Inviter Check: It checks if the inviter's domain is different from the guest's domain to identify external inviters.

  8. Sorting and Presentation: The results are sorted by the number of invitations sent, highest first, and only relevant fields are displayed. ClientIPs and InviterDomain are computed but are not part of the final projection.

In summary, this query helps organizations monitor and analyze guest invitation activities in Microsoft Teams to detect unusual patterns or potential security risks.
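The following is an added example, not part of the original query. It runs without a workspace and shows, on constructed guest UPNs, which part of the UPN is the guest's home domain and which is the hosting tenant, and it generalizes the member check with mv-expand so guests beyond the first entry in Members are counted. The datatable rows, the contoso/fabrikam/northwind names, and the GuestHomeDomain and ResourceTenant column names are assumptions.

```kql
// Added example. Constructed rows stand in for OfficeActivity; contoso, fabrikam and
// northwind are placeholder domains and the derived column names are assumptions.
let SampleActivity = datatable(TimeGenerated:datetime, UserId:string, TeamName:string, Members:dynamic)
[
    datetime(2026-03-01), "alice@contoso.com", "Finance",
        dynamic([{"UPN":"bob@contoso.com"}, {"UPN":"eve_fabrikam.com#EXT#@contoso.onmicrosoft.com"}]),
    datetime(2026-03-02), "alice@contoso.com", "Finance",
        dynamic([{"UPN":"j_smith_Fabrikam.com#EXT#@contoso.onmicrosoft.com"}]),
    datetime(2026-03-03), "carol@contoso.com", "Vendors",
        dynamic([{"UPN":"sam_northwind.example#EXT#@contoso.onmicrosoft.com"}])
];
SampleActivity
// One row per member, so a guest listed second in Members is not skipped.
| mv-expand Member = Members
| extend MemberUPN = tostring(Member.UPN)
| where MemberUPN contains "#EXT#"
| extend
    // Segment between the last "_" and "#EXT#": the guest's home domain.
    GuestHomeDomain = tolower(extract(@"_([^_#]+)#EXT#", 1, MemberUPN)),
    // Everything after "#EXT#@": the tenant that hosts the guest account.
    ResourceTenant  = tolower(extract(@"#EXT#@(.+)$", 1, MemberUPN)),
    InviterDomain   = tolower(tostring(split(UserId, "@")[1]))
| summarize
    InviteCount   = count(),
    InvitedGuests = make_set(MemberUPN, 30),
    Teams         = make_set(TeamName, 20)
    by UserId, InviterDomain, GuestHomeDomain, ResourceTenant
| sort by InviteCount desc
```

Grouping on GuestHomeDomain rather than ResourceTenant is what lets the output separate invitations by the organization the guest actually comes from.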

Details

David Alonso

Released: March 18, 2026

Tables

OfficeActivity

Keywords

OfficeActivity, MicrosoftTeams, MemberAdded, InviteAccepted, GuestAccessEnabled, MemberUPN, GuestDomain, InviterDomain, UserId, TeamName, ClientIP, TimeGenerated

Operators

let, ago, in, extend, tostring, extract, split, summarize, count, make_set, min, max, by, sort, desc, project
