Query Details
Identity Your Users Signing Into Other Tenants As Guests
Query
//Find sign ins where your users signed into other Azure AD tenants as outbound guests
//Data connector required for this query - Azure Active Directory - Signin Logs
SigninLogs
| where AADTenantId == HomeTenantId
| where ResourceTenantId != AADTenantId
| where UserType == "Guest"
| project
TimeGenerated,
AppDisplayName,
UserPrincipalName,
ResultType,
Location,
IPAddress,
['Guest Tenant Id']=ResourceTenantIdExplanation
This query is looking for sign-ins where your users signed into other Azure AD tenants as outbound guests. It requires the Azure Active Directory - Signin Logs data connector. The query filters the sign-in logs based on the user's home tenant ID and checks if the resource tenant ID is different from the user's tenant ID. It also filters for users with the user type "Guest". The query then projects the time generated, app display name, user principal name, result type, location, IP address, and the guest tenant ID.
Details
Matt Zorich
Released: June 17, 2022
Tables
SigninLogs
Keywords
SigninLogs,AADTenantId,HomeTenantId,ResourceTenantId,UserType,TimeGenerated,AppDisplayName,UserPrincipalName,ResultType,Location,IPAddress
Operators
where==!=project