Query Details
//Summarize which conditional access policies your inbound guests have logged any successes or failures against.
//Data connector required for this query - Azure Active Directory - Signin Logs
SigninLogs
| where TimeGenerated > ago (90d)
| where UserType == "Guest"
| where AADTenantId != HomeTenantId and HomeTenantId != ResourceTenantId
| project ConditionalAccessPolicies, UserPrincipalName, HomeTenantId
| project-rename GuestTenantId=HomeTenantId
| mv-expand ConditionalAccessPolicies
| extend CAResult = tostring(ConditionalAccessPolicies.result)
| extend CAName = tostring(ConditionalAccessPolicies.displayName)
| where CAResult has_any ("success", "failure")
| extend ['Conditional Access Result']=strcat(CAName, " || ", CAResult)
| summarize
['Conditional Access Outcomes']=make_set(['Conditional Access Result'])
by
GuestTenantId
| order by GuestTenantId asc

This query summarizes which conditional access policies inbound guests have logged successes or failures against. It requires the Azure Active Directory - Signin Logs data connector. The query looks at the past 90 days of sign-in logs, keeps only guest users, and keeps only sign-ins where the user's home tenant differs from both AADTenantId and ResourceTenantId. It then projects the conditional access policies, user principal name, and home tenant ID, and renames the home tenant ID to GuestTenantId. Next it expands the conditional access policies so that each policy is its own row, and extracts each policy's result and display name as strings. It keeps only rows whose result is "success" or "failure", then combines the display name and result into a single column. Finally, it builds the set of distinct policy outcomes for each guest tenant ID and orders the results by guest tenant ID in ascending order.
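
The following is an added example, not part of the original query: it runs the same filter and mv-expand steps over a constructed datatable, but counts successes, failures and distinct guest users per tenant and policy instead of building a set. All tenant IDs, user names and policy names in the sample rows are made up.

```kusto
// Constructed sample rows standing in for SigninLogs (all values are made up).
let SampleSignins = datatable(
    TimeGenerated:datetime, UserType:string, UserPrincipalName:string,
    AADTenantId:string, HomeTenantId:string, ResourceTenantId:string,
    ConditionalAccessPolicies:dynamic)
[
    datetime(2022-06-01 08:00:00), "Guest", "alice@partner-a.example",
        "tenant-host", "tenant-a", "tenant-host",
        dynamic([{"displayName":"Require MFA for guests","result":"success"},
                 {"displayName":"Block legacy auth","result":"notApplied"}]),
    datetime(2022-06-01 09:30:00), "Guest", "bob@partner-a.example",
        "tenant-host", "tenant-a", "tenant-host",
        dynamic([{"displayName":"Require MFA for guests","result":"failure"}]),
    datetime(2022-06-02 10:15:00), "Guest", "carol@partner-b.example",
        "tenant-host", "tenant-b", "tenant-host",
        dynamic([{"displayName":"Require MFA for guests","result":"success"},
                 {"displayName":"Require compliant device","result":"failure"}]),
    // Member sign-in: dropped by the UserType filter.
    datetime(2022-06-02 11:00:00), "Member", "dave@host.example",
        "tenant-host", "tenant-host", "tenant-host",
        dynamic([{"displayName":"Require MFA for guests","result":"notApplied"}])
];
SampleSignins
| where UserType == "Guest"
| where AADTenantId != HomeTenantId and HomeTenantId != ResourceTenantId
// One row per policy evaluated during each sign-in.
| mv-expand ConditionalAccessPolicies
| extend CAResult = tostring(ConditionalAccessPolicies.result),
         CAName = tostring(ConditionalAccessPolicies.displayName)
// Drop policies that were not applied or not enabled for the sign-in.
| where CAResult has_any ("success", "failure")
| summarize
    Successes = countif(CAResult == "success"),
    Failures = countif(CAResult == "failure"),
    GuestUsers = dcount(UserPrincipalName)
    by GuestTenantId = HomeTenantId, CAName
| order by GuestTenantId asc, Failures desc
```

To run it against real data, replace `SampleSignins` with `SigninLogs` and add the `TimeGenerated > ago(90d)` filter from the query above.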

Matt Zorich
Released: June 17, 2022