kqlHunting

Audit B2B Guest Devices Trust Type

Shoutout to johannesblog.com for the idea

Detection Query

// Shoutout to johannesblog.com for the idea
SigninLogs
// Optional: uncomment to limit the audit to a single application
//| where AppDisplayName =~ "Microsoft Teams"
// Trust type of the device used for the sign-in
| extend TrustType = tostring(DeviceDetail.trustType)
// Keep only B2B collaboration sign-ins
| where CrossTenantAccessType == @"b2bCollaboration"
| where AADTenantId != HomeTenantId // exclude B2B outbound
| where UserType == "Guest"
// Flatten the device details next to the Conditional Access and result columns
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, TrustType,
          DeviceId = tostring(DeviceDetail.deviceId),
          DeviceName = tostring(DeviceDetail.displayName),
          OperatingSystem = tostring(DeviceDetail.operatingSystem),
          Browser = tostring(DeviceDetail.browser),
          ConditionalAccessStatus, ResultType, ResultDescription
| order by TimeGenerated desc

Data Sources

SigninLogs

Platforms

azure-ad

Tags

entra