Query Details

Sign In Logs B2B Access Restrictions

Query

SigninLogs
//| where ResultType != 0
//| where ResultSignature == "FAILURE"
//| where CrossTenantAccessType == "passthrough"
| where Status.failureReason == "The resource tenant\'s cross-tenant access policy does not allow this user to access this tenant."
// Use something like AADInternalsOsint to look up the ResourceTenantID from the AppOwnerTenantId field.
// This query covers B2B. For Tenant Restrictions, see the other KQL in this repo.

Explanation

This query is designed to analyze sign-in logs to identify failed login attempts due to cross-tenant access policy restrictions. Here's a simple breakdown of what it does:

  1. Data Source: It starts by examining the SigninLogs, which contain records of sign-in activities.

  2. Filter Criteria:

    • The only active filter keeps sign-in attempts whose Status.failureReason states that the resource tenant's cross-tenant access policy does not allow the user to access the tenant.
    • The commented-out lines show optional filters for non-zero result types, a "FAILURE" result signature, and the "passthrough" cross-tenant access type; none of these is active in the current query.
  3. Additional Analysis:

    • There is a suggestion to use a tool or method like AADInternalsOsint to look up the ResourceTenantID using the AppOwnerTenantId field. This would help identify which tenant's policies are causing the access issue.
  4. Scope:

    • The query is focused on B2B (Business-to-Business) scenarios, where users from one organization are trying to access resources in another organization's tenant.
    • It notes that for tenant restrictions, there is another query available in the repository that should be used.

In summary, this query helps identify and analyze failed sign-in attempts due to cross-tenant access policy restrictions in a B2B context.
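A triage variant of the query above, added here as an example (it is not part of the original query or its repository): it groups the blocked sign-ins by user and tenant pair, so each ResourceTenantId / AppOwnerTenantId value that needs a lookup appears once with its attempt count. The 7-day window, the output column names and the Direction labels are assumptions.

```kql
// Added example, not the author's query.
// Assumed lookback window; adjust to your retention and triage cadence.
let lookback = 7d;
// Failure reason text taken from the original query.
let blockedReason = "The resource tenant's cross-tenant access policy does not allow this user to access this tenant.";
SigninLogs
| where TimeGenerated > ago(lookback)
// Status is a dynamic column; cast the property before comparing.
| extend FailureReason = tostring(Status.failureReason)
| where FailureReason == blockedReason
// Label (assumed wording) whether the resource tenant is the tenant
// that produced this log record or a different tenant.
| extend Direction = case(
    ResourceTenantId == AADTenantId, "resource tenant is this tenant",
    HomeTenantId == AADTenantId, "resource tenant is external",
    "other")
| summarize
    Attempts = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Apps = make_set(AppDisplayName, 20),
    SourceIPs = make_set(IPAddress, 20)
    by UserPrincipalName, Direction, HomeTenantId, ResourceTenantId, AppOwnerTenantId
| order by Attempts desc
```

A single user with many attempts against one resource tenant usually points to a missing cross-tenant access policy entry, while many users against the same tenant points to a blocked partner relationship worth reviewing.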

Details


Jay Kerai

Released: August 15, 2025

Tables

SigninLogs

Keywords

SigninLogs

Operators

SigninLogs, where, ==, !=
