KQL Search

Query Details

Office Activity Teams Role Changes

Query

//Detect when the role for a user changes to owner or back to standard member in your any of your Teams

//Data connector required for this query - Office 365

OfficeActivity
| where Operation == "MemberRoleChanged"
| mv-expand Members
| extend User = tostring(Members.UPN)
| extend x = tostring(Members.Role)
| extend Action = case(x == "1", strcat("User changed to member"),
    x == "2", strcat("User changed to owner"), "unknown")
| where Action in ("User changed to member", "User changed to owner")
| project
    TimeGenerated,
    TeamName,
    ActorType=UserType,
    Actor=UserId,
    UserAdded=User,
    Action

Explanation

This query detects when a user's role changes to owner or back to standard member in any of your Teams. It requires the Office 365 data connector. The query filters for the "MemberRoleChanged" operation, expands the "Members" field, and extracts the user's email and role. It then categorizes the action based on the role change and filters for actions where the role changed to member or owner. The query projects the time generated, team name, actor type, actor ID, user added, and action.

Details

Matt Zorich

Released: June 17, 2022

Tables

OfficeActivity

Keywords

OfficeActivity,Operation,MemberRoleChanged,Members,UPN,Role,User,Action,TimeGenerated,TeamName,ActorType,UserType,Actor,UserId,UserAdded

Operators

wheremv-expandextendcaseinproject

KQL Search

Office Activity Teams Role Changes

Query

Explanation

Details

Actions