Query Details

Identity Service Principal Signins by IP

Query

//Make a set of IP addresses that your Azure AD service principals have signed in from

//Data connector required for this query - Azure Active Directory - Service Principal Signin Logs

AADServicePrincipalSignInLogs
| where TimeGenerated > ago(90d)
| where ResultType == "0"
| summarize ['List of IP Addresses']=make_set(IPAddress), ['Count of Unique IP Addresses']=dcount(IPAddress) by ServicePrincipalName, AppId
| sort by ['Count of Unique IP Addresses'] desc 

Explanation

This query retrieves a list of IP addresses from which Azure AD service principals have signed in. It filters the data for the past 90 days and only includes successful sign-ins. The result is summarized by service principal name and application ID, showing the list of IP addresses used and the count of unique IP addresses for each service principal. The results are sorted in descending order based on the count of unique IP addresses.
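The IP sets this query produces are most useful as a baseline. The following added example (not part of the original query) flags successful sign-ins in a recent window from IP addresses that a service principal did not use earlier in the 90-day period. The sample rows, the ReferenceTime and RecentWindow values, and the names SampleSignIns, Successful and Baseline are assumptions made for illustration.

```kql
// Constructed sample rows standing in for AADServicePrincipalSignInLogs (not real data).
let ReferenceTime = datetime(2022-06-17);   // assumed "now" so the sample is reproducible
let RecentWindow = 7d;                      // assumed comparison window
let SampleSignIns = datatable(TimeGenerated:datetime, ServicePrincipalName:string, AppId:string, IPAddress:string, ResultType:string)
[
    datetime(2022-04-02), "sp-backup", "00000000-0000-0000-0000-000000000001", "203.0.113.10",  "0",
    datetime(2022-05-20), "sp-backup", "00000000-0000-0000-0000-000000000001", "203.0.113.10",  "0",
    datetime(2022-06-15), "sp-backup", "00000000-0000-0000-0000-000000000001", "198.51.100.77", "0",        // new IP, successful
    datetime(2022-06-16), "sp-backup", "00000000-0000-0000-0000-000000000001", "192.0.2.200",   "7000215",  // new IP, non-zero ResultType (failed), filtered out
    datetime(2022-04-10), "sp-deploy", "00000000-0000-0000-0000-000000000002", "203.0.113.25",  "0",
    datetime(2022-06-14), "sp-deploy", "00000000-0000-0000-0000-000000000002", "203.0.113.25",  "0"         // known IP, not reported
];
// Same filters as the original query: last 90 days, successful sign-ins only.
let Successful = SampleSignIns
    | where TimeGenerated between ((ReferenceTime - 90d) .. ReferenceTime)
    | where ResultType == "0";
// Baseline: every AppId/IP pair seen before the recent window.
let Baseline = Successful
    | where TimeGenerated < ReferenceTime - RecentWindow
    | distinct AppId, IPAddress;
// Recent sign-ins whose AppId/IP pair is absent from the baseline.
Successful
| where TimeGenerated >= ReferenceTime - RecentWindow
| join kind=leftanti Baseline on AppId, IPAddress
| summarize ['List of New IP Addresses']=make_set(IPAddress), ['Count of New IP Addresses']=dcount(IPAddress), ['First Seen']=min(TimeGenerated) by ServicePrincipalName, AppId
| sort by ['Count of New IP Addresses'] desc
```

To run it against real data, replace SampleSignIns with AADServicePrincipalSignInLogs and set ReferenceTime to now().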

Details


Matt Zorich

Released: June 17, 2022

Tables

AADServicePrincipalSignInLogs

Keywords

AADServicePrincipalSignInLogs,TimeGenerated,ResultType,IPAddress,ServicePrincipalName,AppId

Operators

where,ago,==,summarize,make_set,dcount,by,sort
