Query Details

Identity Summarize Outbound Guest Activity

Query

//Summarize outbound (your users connecting to other tenants) activity by listing the users and which applications they are accessing in each remote tenant

//Data connector required for this query - Azure Active Directory - Signin Logs

SigninLogs
| where TimeGenerated > ago(30d)
| where UserType == "Guest"
| where AADTenantId == HomeTenantId
| where ResourceTenantId != AADTenantId
| summarize
    ['Count of Applications']=dcount(AppDisplayName),
    ['List of Applications']=make_set(AppDisplayName),
    ['Count of Users']=dcount(UserPrincipalName),
    ['List of Users']=make_set(UserPrincipalName)
    by ResourceTenantId
| sort by ['Count of Users'] desc 

Explanation

This query summarizes outbound activity, meaning your users connecting to other tenants. For each remote tenant it lists the users and the applications they access. It requires the Azure Active Directory - Signin Logs data connector. It keeps sign-ins from the past 30 days where UserType is "Guest", the tenant that logged the event (AADTenantId) is the user's home tenant (HomeTenantId), and the resource tenant (ResourceTenantId) is a different tenant. It then groups the data by ResourceTenantId and calculates the distinct count and list of applications accessed, as well as the distinct count and list of users. The results are sorted in descending order by the count of users.
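The filter logic described above, applied to a few constructed rows so it can be checked without live data. This is an added example, not part of the original query: the SampleSignins table, the tenant identifiers (short placeholders standing in for GUIDs), the user names and the application names are all made up, and TimeGenerated is synthesized so the 30-day filter passes whenever it is run.

```kusto
// Constructed sample data; every value below is a placeholder, not real telemetry.
// HOME-TENANT stands for your own tenant ID, TENANT-B / TENANT-C for remote tenants.
let SampleSignins = datatable(
    UserType:string, UserPrincipalName:string, AADTenantId:string,
    HomeTenantId:string, ResourceTenantId:string, AppDisplayName:string)
[
    // Outbound: home-tenant users accessing resources in a remote tenant
    "Guest",  "alice@home.example",    "HOME-TENANT", "HOME-TENANT", "TENANT-B",    "SharePoint Online",
    "Guest",  "bob@home.example",      "HOME-TENANT", "HOME-TENANT", "TENANT-B",    "Microsoft Teams",
    "Guest",  "alice@home.example",    "HOME-TENANT", "HOME-TENANT", "TENANT-C",    "Microsoft Teams",
    // Ordinary member sign-in to a resource in the home tenant
    "Member", "carol@home.example",    "HOME-TENANT", "HOME-TENANT", "HOME-TENANT", "Exchange Online",
    // Inbound guest: a user whose home tenant is TENANT-B accessing your tenant
    "Guest",  "dave@partner.example",  "HOME-TENANT", "TENANT-B",    "HOME-TENANT", "SharePoint Online"
];
SampleSignins
| extend TimeGenerated = ago(1d)            // synthesized timestamp inside the 30-day window
| where TimeGenerated > ago(30d)
| where UserType == "Guest"                 // excludes the member sign-in
| where AADTenantId == HomeTenantId         // excludes the inbound guest
| where ResourceTenantId != AADTenantId     // keeps only resources in another tenant
| summarize
    ['Count of Applications']=dcount(AppDisplayName),
    ['List of Applications']=make_set(AppDisplayName),
    ['Count of Users']=dcount(UserPrincipalName),
    ['List of Users']=make_set(UserPrincipalName)
    by ResourceTenantId
| sort by ['Count of Users'] desc
```

Swapping SampleSignins for SigninLogs and dropping the extend line gives back the original query.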

Details


Matt Zorich

Released: June 17, 2022

Tables

SigninLogs

Keywords

SigninLogs,TimeGenerated,UserType,AADTenantId,HomeTenantId,ResourceTenantId,AppDisplayName,UserPrincipalName

Operators

where, >, ago, ==, !=, summarize, dcount, make_set, by, sort
