Query Details

Identity Guests Invited but not Redeemed

Query

//Lists guests who have been invited but not yet redeemed their invites.

//Data connector required for this query - Azure Active Directory - Audit Logs

//Excludes newly invited guests (last 30 days).
let timerange=365d;
let timeframe=30d;
AuditLogs
| where TimeGenerated between (ago(timerange) .. ago(timeframe)) 
| where OperationName == "Invite external user"
| extend GuestUPN = tolower(tostring(TargetResources[0].userPrincipalName))
| project TimeGenerated, GuestUPN
| join kind=leftanti  (
    AuditLogs
    | where TimeGenerated > ago (timerange)
    | where OperationName == "Redeem external user invite"
    | where CorrelationId <> "00000000-0000-0000-0000-000000000000"
    | extend d = tolower(tostring(TargetResources[0].displayName))
    | parse d with * "upn: " GuestUPN "," *
    | project TimeGenerated, GuestUPN)
    on GuestUPN
| distinct GuestUPN

Explanation

This query lists guests who have been invited but have not yet redeemed their invites. It requires the Azure Active Directory - Audit Logs data connector. It takes "Invite external user" events from the last 365 days, excluding guests invited in the last 30 days, and keeps the time generated and the guest's user principal name. It then anti-joins (kind=leftanti) this data against "Redeem external user invite" events from the same 365 days, which removes every invited guest that has a matching redemption. The final result is a distinct list of guest user principal names who have been invited but have not yet redeemed their invites.
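To check the anti-join and the `parse` step before running against a real workspace, the same logic can be pointed at a small inline table. This is an added example, not part of the original query: the `SampleAuditLogs` table, the `AgeDays` helper column, the contoso tenant, the guest names, the IDs and the `displayName` strings are all constructed, with the `displayName` format assumed only as far as the `upn: ... ,` pattern the query parses.

```kql
let timerange = 365d;
let timeframe = 30d;
// Constructed rows standing in for AuditLogs; every value below is made up.
// AgeDays is a helper column (not an AuditLogs field) that keeps rows relative to now().
// Cases covered:
//   pending_...  invited 200 days ago, no redeem event
//   redeemed_... invited 100 days ago, redeemed 99 days ago (UPN case differs between events)
//   new_...      invited 10 days ago, inside the 30-day exclusion window
//   zeroid_...   invited 150 days ago, only redeem row carries the all-zero CorrelationId
let SampleAuditLogs = datatable(AgeDays:int, OperationName:string, CorrelationId:string, TargetResources:dynamic)
[
    200, "Invite external user", "11111111-1111-1111-1111-111111111111",
        dynamic([{"userPrincipalName":"Pending_example.com#EXT#@contoso.onmicrosoft.com"}]),
    100, "Invite external user", "22222222-2222-2222-2222-222222222222",
        dynamic([{"userPrincipalName":"Redeemed_example.com#EXT#@contoso.onmicrosoft.com"}]),
    99, "Redeem external user invite", "33333333-3333-3333-3333-333333333333",
        dynamic([{"displayName":"UPN: redeemed_example.com#EXT#@contoso.onmicrosoft.com, Email: redeemed@example.com"}]),
    10, "Invite external user", "44444444-4444-4444-4444-444444444444",
        dynamic([{"userPrincipalName":"new_example.com#EXT#@contoso.onmicrosoft.com"}]),
    150, "Invite external user", "55555555-5555-5555-5555-555555555555",
        dynamic([{"userPrincipalName":"zeroid_example.com#EXT#@contoso.onmicrosoft.com"}]),
    149, "Redeem external user invite", "00000000-0000-0000-0000-000000000000",
        dynamic([{"displayName":"UPN: zeroid_example.com#EXT#@contoso.onmicrosoft.com, Email: zeroid@example.com"}])
]
| extend TimeGenerated = now() - 1d * AgeDays;
// Same logic as the query above, reading SampleAuditLogs instead of AuditLogs
SampleAuditLogs
| where TimeGenerated between (ago(timerange) .. ago(timeframe))
| where OperationName == "Invite external user"
| extend GuestUPN = tolower(tostring(TargetResources[0].userPrincipalName))
| project TimeGenerated, GuestUPN
| join kind=leftanti (
    SampleAuditLogs
    | where TimeGenerated > ago(timerange)
    | where OperationName == "Redeem external user invite"
    | where CorrelationId <> "00000000-0000-0000-0000-000000000000"
    | extend d = tolower(tostring(TargetResources[0].displayName))
    | parse d with * "upn: " GuestUPN "," *
    | project TimeGenerated, GuestUPN)
    on GuestUPN
| distinct GuestUPN
```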

Details

Matt Zorich

Released: June 17, 2022

Tables

AuditLogs

Keywords

GuestUPN,TimeGenerated,AuditLogs,TargetResources,OperationName,CorrelationId,displayName

Operators

where,let,extend,project,join,kind=leftanti,parse,with,distinct
