EXPLORE
Sign In
← Back to Explore
kqlHunting

SignInLogs - B2B Access Restrictions

| where ResultType != 0

Detection Query

SigninLogs
//| where ResultType != 0
//| where ResultSignature == "FAILURE"
//| where CrossTenantAccessType == "passthrough"
| where Status.failureReason == "The resource tenant\'s cross-tenant access policy does not allow this user to access this tenant."
//use something Like AADInternalsOsint to look up ResourceTenantID from AppOwnerTenantId field.
//This query covers B2b. For Tenant Restrictions see the other KQL in this Repo.

Data Sources

SigninLogs

Platforms

azure-ad

Tags

entra
Raw Content
SigninLogs
//| where ResultType != 0
//| where ResultSignature == "FAILURE"
//| where CrossTenantAccessType == "passthrough"
| where Status.failureReason == "The resource tenant\'s cross-tenant access policy does not allow this user to access this tenant."
//use something Like AADInternalsOsint to look up ResourceTenantID from AppOwnerTenantId field.
//This query covers B2b. For Tenant Restrictions see the other KQL in this Repo.