Query Details

Identity Visualize Guest Domains

Query

//Visualize the most popular domains that have redeemed invites to your Azure AD tenant over the last 30 days.

//Data connector required for this query - Azure Active Directory - Audit Logs

AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName == "Redeem external user invite"
| extend GuestEmail = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend ['User Domain'] = tostring(split(GuestEmail, "@")[1])
| where isnotempty(['User Domain'])
| summarize Count=count() by ['User Domain']
| sort by Count desc
| render barchart

Explanation

This query visualizes the most popular domains that have redeemed invites to your Azure AD tenant in the last 30 days. It uses the Azure Active Directory - Audit Logs data connector. It filters the logs for the "Redeem external user invite" operation, extracts the guest email and user domain, removes any empty domains, counts the occurrences of each domain, and finally sorts and renders the results in a bar chart.
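
The same steps run over a small inline table, as an added example that is not part of the original query. The rows are constructed sample data, and the tolower() call is an addition that assumes domains differing only in letter case should be counted together. The app-initiated row has no InitiatedBy.user value, so it produces an empty domain and is dropped by the isnotempty filter.

```kusto
// Constructed sample rows standing in for the AuditLogs table (not real tenant data).
let SampleAuditLogs = datatable(TimeGenerated: datetime, OperationName: string, InitiatedBy: dynamic)
[
    datetime(2022-06-01 09:00:00), "Redeem external user invite", dynamic({"user": {"userPrincipalName": "alice@contoso.example"}}),
    datetime(2022-06-02 10:15:00), "Redeem external user invite", dynamic({"user": {"userPrincipalName": "bob@Contoso.example"}}),
    datetime(2022-06-03 11:30:00), "Redeem external user invite", dynamic({"user": {"userPrincipalName": "carol@fabrikam.example"}}),
    // Initiated by an application: there is no user object to read a UPN from.
    datetime(2022-06-04 12:45:00), "Redeem external user invite", dynamic({"app": {"displayName": "Sample App"}}),
    // A different operation, excluded by the OperationName filter.
    datetime(2022-06-05 13:00:00), "Invite external user", dynamic({"user": {"userPrincipalName": "admin@tenant.example"}})
];
SampleAuditLogs
| where OperationName == "Redeem external user invite"
// Same extraction as the original query: read the UPN from InitiatedBy.user.
| extend GuestEmail = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
// Added step (assumption): lower-case the domain so Contoso.example and contoso.example group together.
| extend ['User Domain'] = tolower(tostring(split(GuestEmail, "@")[1]))
// Rows with no UPN, or a UPN without "@", end up with an empty domain and are removed here.
| where isnotempty(['User Domain'])
| summarize Count=count() by ['User Domain']
| sort by Count desc
```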

Details

Matt Zorich

Released: June 17, 2022

Tables

AuditLogs

Keywords

AuditLogs, TimeGenerated, OperationName, Redeem external user invite, InitiatedBy.user, userPrincipalName, GuestEmail, User Domain, isnotempty, Count, sort, render, barchart

Operators

where, ago, ==, extend, tostring, parse_json, split, isnotempty, summarize, count, by, sort by, render