Query Details
// Summarize the domain names, the count of users and the list of users for each guest tenant (per application) connecting to your Azure AD tenant
// Data connector required for this query - Azure Active Directory - Signin Logs
SigninLogs
| where TimeGenerated > ago(30d)
| project
    TimeGenerated,
    UserPrincipalName,
    HomeTenantId,
    AADTenantId,
    Id,
    ResourceTenantId,
    ResourceIdentity,
    UserId,
    AppDisplayName
// Drop rows with the all-zero UserId or with no resource or home tenant recorded
| where UserId != "00000000-0000-0000-0000-000000000000"
| where ResourceIdentity != ''
| where HomeTenantId != ''
// Keep only users whose home tenant is not your own tenant
| where HomeTenantId != AADTenantId
// The guest domain is the part of the UPN after the last '@'
| extend GuestDomain = split(UserPrincipalName, '@')[-1]
| summarize
    ['Guest Domain Names']=make_set(GuestDomain),
    ['Distinct User Count']=dcount(UserPrincipalName),
    ['List of Guest Users']=make_set(UserPrincipalName)
    by HomeTenantId, AppDisplayName
| sort by ['Distinct User Count'] desc
This query reports on guest tenants whose users sign in to your Azure AD tenant. It reads the SigninLogs table (Azure Active Directory - Signin Logs data connector) for the past 30 days and selects the columns TimeGenerated, UserPrincipalName, HomeTenantId, AADTenantId, Id, ResourceTenantId, ResourceIdentity, UserId, and AppDisplayName. It then drops rows with the all-zero UserId, an empty ResourceIdentity, or an empty HomeTenantId, and keeps only sign-ins where HomeTenantId differs from AADTenantId, that is, users whose home tenant is not your own. It adds a GuestDomain column by splitting UserPrincipalName on '@' and taking the last element. Finally, it summarizes the data by HomeTenantId and AppDisplayName, returning the set of guest domain names, the distinct user count, and the list of guest users for each combination, and sorts the results by the distinct user count in descending order.
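The filters described above can be checked without production data. The following is an added example, not part of the original query: it runs the same filter chain over constructed rows in a `datatable`, omits the 30-day time filter because the rows carry no timestamps, and rolls the result up to one row per guest tenant with the applications collected into a set. The table name `SampleSignins`, the `Applications` column, and every tenant ID, UPN and resource name are assumptions made for illustration.

```kql
// Constructed sign-in rows, not real data. "aaaaaaaa-..." plays the role of your own tenant.
let SampleSignins = datatable(
    UserPrincipalName: string, HomeTenantId: string, AADTenantId: string,
    ResourceIdentity: string, UserId: string, AppDisplayName: string)
[
    // Guests from tenant "bbbbbbbb-...", two UPN domains, two applications
    "alice@fabrikam.example", "bbbbbbbb-0000-0000-0000-000000000002", "aaaaaaaa-0000-0000-0000-000000000001",
        "res-teams", "10000000-0000-0000-0000-000000000001", "Microsoft Teams",
    "alice@fabrikam.example", "bbbbbbbb-0000-0000-0000-000000000002", "aaaaaaaa-0000-0000-0000-000000000001",
        "res-spo", "10000000-0000-0000-0000-000000000001", "SharePoint Online",
    "bob@fabrikam.example", "bbbbbbbb-0000-0000-0000-000000000002", "aaaaaaaa-0000-0000-0000-000000000001",
        "res-spo", "10000000-0000-0000-0000-000000000002", "SharePoint Online",
    "carol@emea.fabrikam.example", "bbbbbbbb-0000-0000-0000-000000000002", "aaaaaaaa-0000-0000-0000-000000000001",
        "res-teams", "10000000-0000-0000-0000-000000000003", "Microsoft Teams",
    // Guest from tenant "cccccccc-..."
    "gina@northwind.example", "cccccccc-0000-0000-0000-000000000003", "aaaaaaaa-0000-0000-0000-000000000001",
        "res-teams", "10000000-0000-0000-0000-000000000004", "Microsoft Teams",
    // Member of your own tenant: HomeTenantId equals AADTenantId
    "dave@contoso.example", "aaaaaaaa-0000-0000-0000-000000000001", "aaaaaaaa-0000-0000-0000-000000000001",
        "res-teams", "10000000-0000-0000-0000-000000000005", "Microsoft Teams",
    // Row with no home tenant recorded
    "erin@northwind.example", "", "aaaaaaaa-0000-0000-0000-000000000001",
        "res-teams", "10000000-0000-0000-0000-000000000006", "Microsoft Teams",
    // Row with the all-zero UserId
    "svc@northwind.example", "cccccccc-0000-0000-0000-000000000003", "aaaaaaaa-0000-0000-0000-000000000001",
        "res-teams", "00000000-0000-0000-0000-000000000000", "Microsoft Teams",
    // Row with no resource recorded
    "frank@northwind.example", "cccccccc-0000-0000-0000-000000000003", "aaaaaaaa-0000-0000-0000-000000000001",
        "", "10000000-0000-0000-0000-000000000007", "Microsoft Teams"
];
SampleSignins
// Same filters as the original query (time filter omitted for the constructed rows)
| where UserId != "00000000-0000-0000-0000-000000000000"
| where ResourceIdentity != ''
| where HomeTenantId != ''
| where HomeTenantId != AADTenantId
// tostring() turns the dynamic array element into a plain string column
| extend GuestDomain = tostring(split(UserPrincipalName, '@')[-1])
// Variation: one row per guest tenant, with the applications as a set
| summarize
    ['Guest Domain Names']=make_set(GuestDomain),
    ['Applications']=make_set(AppDisplayName),
    ['Distinct User Count']=dcount(UserPrincipalName),
    ['List of Guest Users']=make_set(UserPrincipalName)
    by HomeTenantId
| sort by ['Distinct User Count'] desc
```

Replacing `SampleSignins` with `SigninLogs` and restoring the `TimeGenerated` filter gives the per-tenant view against live data.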

Matt Zorich
Released: June 17, 2022