Query Details

Identity Visualize External AAD Guests vs External Guests

Query

//Visualize signins from External Azure AD guests (those that belong to another Azure AD tenant) vs External Guests (such as Gmail) to your tenant

//Data connector required for this query - Azure Active Directory - Signin Logs

SigninLogs
| where TimeGenerated > ago (45d)
| where UserType == "Guest"
| summarize
    ['External Guests']=countif(ResourceTenantId == HomeTenantId),
    ['External Azure AD Guests']=countif(ResourceTenantId != HomeTenantId)
    by bin(TimeGenerated, 1d)
| render timechart with (title="External Azure AD Guests vs External Guests", ytitle="Count")

Explanation

This query visualizes guest sign-ins to your Azure AD tenant, comparing external Azure AD guests (guests from another Azure AD tenant) with external guests who use Gmail or other email providers. It requires the Azure Active Directory - Signin Logs data connector. The query filters the sign-in logs to the past 45 days and keeps only sign-ins where UserType is "Guest". It then counts sign-ins per day in two groups: external guests, where ResourceTenantId equals HomeTenantId, and external Azure AD guests, where the two values differ. The results are rendered as a timechart titled "External Azure AD Guests vs External Guests" with the y-axis labeled "Count".
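A companion query, added here as an example and not part of the original page: it reuses the same tenant ID comparison but groups by home tenant instead of by day, so you can see which external tenants the guest sign-ins come from. The output column names (GuestType, SignIns and so on) are chosen for this example; it assumes the standard SigninLogs columns UserPrincipalName, AppDisplayName and ResultType.

```kql
// Added example (not from the original page): per-tenant breakdown of guest sign-ins
// Data connector required for this query - Azure Active Directory - Signin Logs
SigninLogs
| where TimeGenerated > ago(45d)
| where UserType == "Guest"
// Same classification as the timechart query: matching tenant IDs = external guest (e.g. Gmail)
| extend GuestType = iff(ResourceTenantId == HomeTenantId, "External Guest", "External Azure AD Guest")
| summarize
    SignIns = count(),
    // ResultType is a string in SigninLogs; "0" is a successful sign-in
    SuccessfulSignIns = countif(ResultType == "0"),
    DistinctUsers = dcount(UserPrincipalName),
    // Cap the set at 10 applications per tenant to keep the row readable
    Apps = make_set(AppDisplayName, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by GuestType, HomeTenantId
| sort by SignIns desc
```

Rows with a recent FirstSeen are home tenants that only started signing in within the 45 day window, which is a useful starting point when reviewing guest access.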

Details


Matt Zorich

Released: June 17, 2022

Tables

SigninLogs

Keywords

SigninLogs,TimeGenerated,UserType,ResourceTenantId,HomeTenantId

Operators

where,ago,==,summarize,countif,!=,by,bin,render
