Query Details

Teams Allowed Domains

Query

# Teams - Allowed Domains

![KQL](https://img.shields.io/badge/language-KQL-blue.svg)
![Status: Stable](https://img.shields.io/badge/status-stable-brightgreen.svg)

## Query Information

### Description

This query identifies Microsoft Teams admin changes to the `AllowedDomains` external access setting. It helps track when trusted Microsoft 365 domains are added, removed, or modified, which affects which external organizations your users are permitted to chat and meet with.

#### References

- [Teams - Specify trusted Microsoft 365 organizations](https://learn.microsoft.com/en-us/microsoftteams/trusted-organizations-external-meetings-chat?tabs=organization-settings#specify-trusted-microsoft-365-organizations)

### Author

- **Alex Verboon**

## Defender XDR

```kql
// Teams admin audit events as recorded in CloudAppEvents
CloudAppEvents
| where ActionType == "TeamsAdminAction"
// Cheap string pre-filter before the JSON payload is parsed
| where RawEventData has "AllowedDomains"
| extend ModifiedProperties = parse_json(RawEventData).ModifiedProperties
// Expand the ModifiedProperties array and keep only the AllowedDomains entry
| mv-apply ModifiedProperties on
(
    where ModifiedProperties.Name == "AllowedDomains"
    | project
        PropertyName = tostring(ModifiedProperties.Name),
        NewValue = tostring(ModifiedProperties.NewValue),
        OldValue = tostring(ModifiedProperties.OldValue)
)
// Who changed the setting, when, and the before/after values
| project
    TimeGenerated,
    ActionType,
    AccountDisplayName,
    PropertyName,
    OldValue,
    NewValue,
    RawEventData
```


Explanation

This KQL query is designed to monitor changes made by Microsoft Teams administrators to the "AllowedDomains" setting, which controls which external Microsoft 365 domains are trusted for communication. Here's a simple breakdown of what the query does:

1. **Data Source**: It pulls data from `CloudAppEvents`, which logs various actions within cloud applications.

2. **Filter by Action**: It filters the events to only include those where the action type is `TeamsAdminAction`, indicating administrative changes in Microsoft Teams.

3. **Focus on AllowedDomains**: It further narrows down the events to those that involve changes to the `AllowedDomains` setting by checking if the `RawEventData` contains this term.

4. **Extract Changes**: The query extracts details about what was changed in the `AllowedDomains` setting:

   - It parses the `RawEventData` to get the `ModifiedProperties`.
   - It specifically looks for changes where the property name is `AllowedDomains`.
   - For each change, it captures the old value and the new value of `AllowedDomains`.

5. **Output**: Finally, it presents the results with the following details:

   - `TimeGenerated`: When the change occurred.
   - `ActionType`: The type of action, which is `TeamsAdminAction`.
   - `AccountDisplayName`: The name of the account that made the change.
   - `PropertyName`: The name of the property changed, which is `AllowedDomains`.
   - `OldValue`: The previous setting value.
   - `NewValue`: The updated setting value.
   - `RawEventData`: The raw data of the event for additional context.

This query helps organizations track and audit changes to the domains that are allowed for external communication in Microsoft Teams, so they can confirm that only trusted domains are permitted.
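To see which domains were actually added or removed instead of comparing `OldValue` and `NewValue` by eye, the following added example (not part of the original query or the author's code) diffs the two values. The page does not show the value format, so the `SampleEvents` rows and their comma-separated lists are constructed, and the regex simply pulls domain-shaped tokens from whatever text the values contain.

```kql
// Constructed sample rows standing in for CloudAppEvents; the value format is an assumption.
let SampleEvents = datatable(TimeGenerated: datetime, ActionType: string, AccountDisplayName: string, RawEventData: dynamic)
[
    datetime(2026-01-10 09:15:00), "TeamsAdminAction", "Admin One (constructed)",
        dynamic({"ModifiedProperties": [{"Name": "AllowedDomains", "OldValue": "contoso.example", "NewValue": "contoso.example,fabrikam.example"}]}),
    datetime(2026-01-12 14:40:00), "TeamsAdminAction", "Admin Two (constructed)",
        dynamic({"ModifiedProperties": [{"Name": "AllowedDomains", "OldValue": "contoso.example,fabrikam.example", "NewValue": "fabrikam.example"}]})
];
SampleEvents   // replace with CloudAppEvents to run against tenant data
| where ActionType == "TeamsAdminAction"
| where RawEventData has "AllowedDomains"
| mv-apply Property = RawEventData.ModifiedProperties on
(
    where tostring(Property.Name) == "AllowedDomains"
    | project
        OldValue = tostring(Property.OldValue),
        NewValue = tostring(Property.NewValue)
)
// Pull every domain-shaped token (dot-separated labels), whatever the delimiter is
| extend
    OldDomains = extract_all(@"([a-z0-9-]+(?:\.[a-z0-9-]+)+)", tolower(OldValue)),
    NewDomains = extract_all(@"([a-z0-9-]+(?:\.[a-z0-9-]+)+)", tolower(NewValue))
// Set difference in each direction gives the additions and the removals
| extend
    AddedDomains = set_difference(NewDomains, OldDomains),
    RemovedDomains = set_difference(OldDomains, NewDomains)
| where array_length(AddedDomains) > 0 or array_length(RemovedDomains) > 0
| project TimeGenerated, AccountDisplayName, AddedDomains, RemovedDomains
```

If the real values carry other dot-separated tokens, tighten the regex before relying on the diff.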

Details

Alex Verboon

Released: June 1, 2026

Tables

CloudAppEvents

Keywords

CloudAppEvents, TeamsAdminAction, AllowedDomains, ModifiedProperties, TimeGenerated, AccountDisplayName, PropertyName, NewValue, OldValue, RawEventData

Operators

`|`, `where`, `has`, `extend`, `parse_json`, `mv-apply`, `on`, `project`, `tostring`
