Who invited this Azure AD guest user? Examining who invited a specific a guest account can be quite a challenging question if you don’t have a log analytics workspace in place with Azure AD Audit log forwarding configured.

Kusto queries for your log analytics workspace

The following queries help you to identify who invited a guest. If you haven’t set-up Azure AD audit log forwarding it’s the right time to do it now as described in one of my previous blogs.

To find all guest invitations:

1
2
AuditLogs
| where OperationName == 'Invite external user' and Result == 'success'

To find all accepted invitations:

1
2
3
4
5
6
7
8
9
AuditLogs 
| where OperationName == 'Invite external user' and Result == 'success'
| extend InvitationId = tostring(AdditionalDetails[0].value)
| join (
   	AuditLogs
	| where OperationName in('Redeem external user invite')
	| parse kind=regex TargetResources[0].displayName with * "InvitationId: " InvitationId:string ","
)
on $left.InvitationId == $right.InvitationId

Improving your guest user governance

To simplify the guest user review and management process I developed a solution which fully automates this process. Additionally the solution populates the user who invited a guest as the guest’s manager which allows you to easily examine the question “Who invited this Azure AD Guest Account?”.

Azure AD guest user review solution