Cette requête permet de :
- Auditer les changements liés aux configurations multi-tenant et cross-tenant dans Entra ID.
- Identifier les initiateurs (utilisateurs ou apps) et leur IP.
- Extraire les détails des politiques modifiées, y compris les identifiants de partenaires et les tenants impliqués.
AuditLogs
| where Category in ("CrossTenantAccessSettings", "CrossTenantIdentitySyncSettings", "MultiTenantOrgTenant", "MultiTenantOrgIdentitySyncPolicyTemplate", "MultiTenantOrgPartnerConfigurationTemplate")
or OperationName has_any ("cross-tenant", "MultiTenantOrg", "multi tenant org")
| extend
Initiator = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["displayName"]), tostring(InitiatedBy["user"]["userPrincipalName"])),
InitiatorId = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["servicePrincipalId"]), tostring(InitiatedBy["user"]["id"])),
IPAddress = tostring(InitiatedBy[tostring(bag_keys(InitiatedBy)[0])]["ipAddress"])
| mv-expand TargetResource = iff(array_length(TargetResources) == 0, dynamic([""]), TargetResources)
| mv-apply modifiedProperty = TargetResource["modifiedProperties"] on (
summarize NewValues = make_bag(
bag_pack(tostring(modifiedProperty["displayName"]), trim(@'[\"\s]+', tostring(modifiedProperty["newValue"]))))
)
| extend
PartnerIdentifier = tostring(NewValues["PartnerIdentifier"]),
PartnerPolicyType = tostring(NewValues["PartnerPolicyType"]),
PartnerPolicyDetail = tostring(NewValues["PartnerPolicyDetail"]),
PartnerPolicyDetailVersion = tostring(NewValues["PartnerPolicyDetailVersion"]),
MultiTenantOrgAddedByTenantId = tostring(NewValues["MultiTenantOrgAddedByTenantId"])
| project
TimeGenerated,
LoggedByService,
Category,
AADOperationType,
Initiator,
IPAddress,
OperationName,
Result,
ResultDescription,
PartnerIdentifier,
PartnerPolicyType,
PartnerPolicyDetail,
PartnerPolicyDetailVersion,
MultiTenantOrgAddedByTenantId,
NewValues,
AdditionalDetails,
Identity,
InitiatorId,
InitiatedBy,
TargetResources,
CorrelationId
Laisser un commentaire