Teams Allowed Domains
Query
CloudAppEvents
| where ActionType == "TeamsAdminAction"
| where RawEventData has "AllowedDomains"
| extend ModifiedProperties = parse_json(RawEventData).ModifiedProperties
| mv-apply ModifiedProperties on
(
where ModifiedProperties.Name == "AllowedDomains"
| project
PropertyName = tostring(ModifiedProperties.Name),
NewValue = tostring(ModifiedProperties.NewValue),
OldValue = tostring(ModifiedProperties.OldValue)
)
| project
TimeGenerated,
ActionType,
AccountDisplayName,
PropertyName,
OldValue,
NewValue,
RawEventDataAbout this query
Teams - Allowed Domains
Query Information
Description
This query identifies Microsoft Teams admin changes to the AllowedDomains external access setting. It helps track when trusted Microsoft 365 domains are added, removed, or modified, which affects which external organizations your users are permitted to chat and meet with.
References
Author
- Alex Verboon
Defender XDR
Explanation
This KQL query is designed to monitor changes made by Microsoft Teams administrators to the "AllowedDomains" setting, which controls which external Microsoft 365 domains are trusted for communication. Here's a simple breakdown of what the query does:
-
Data Source: It pulls data from
CloudAppEvents, which logs various actions within cloud applications. -
Filter by Action: It filters the events to only include those where the action type is "TeamsAdminAction", indicating administrative changes in Microsoft Teams.
-
Focus on AllowedDomains: It further narrows down the events to those that involve changes to the "AllowedDomains" setting by checking if the
RawEventDatacontains this term. -
Extract Changes: The query extracts details about what was changed in the "AllowedDomains" setting:
- It parses the
RawEventDatato get theModifiedProperties. - It specifically looks for changes where the property name is "AllowedDomains".
- For each change, it captures the old value and the new value of the "AllowedDomains".
- It parses the
-
Output: Finally, it presents the results with the following details:
TimeGenerated: When the change occurred.ActionType: The type of action, which is "TeamsAdminAction".AccountDisplayName: The name of the account that made the change.PropertyName: The name of the property changed, which is "AllowedDomains".OldValue: The previous setting value.NewValue: The updated setting value.RawEventData: The raw data of the event for additional context.
This query helps organizations track and audit changes to the domains that are allowed for external communication in Microsoft Teams, ensuring that only trusted domains are permitted.
Details

Alex Verboon
Released: June 1, 2026
Tables
Keywords
Operators