Who invited this Azure AD guest user?

1 minute read

Who invited this Azure AD guest user? Examining who invited a specific a guest account can be quite a challenging question if you don’t have a log analytics workspace in place with Azure AD Audit log forwarding configured.

Kusto queries for your log analytics workspace

The following queries help you to identify who invited a guest. If you haven’t set-up Azure AD audit log forwarding it’s the right time to do it now as described in one of my previous blogs.

To find all guest invitations:

AuditLogs
| where OperationName == 'Invite external user' and Result == 'success'

To find all accepted invitations:

AuditLogs 
| where OperationName == 'Invite external user' and Result == 'success'
| extend InvitationId = tostring(AdditionalDetails[0].value)
| join (
   	AuditLogs
	| where OperationName in('Redeem external user invite')
	| parse kind=regex TargetResources[0].displayName with * "InvitationId: " InvitationId:string ","
)
on $left.InvitationId == $right.InvitationId

Improving your guest user governance

To simplify the guest user review and management process I developed a solution which fully automates this process. Additionally the solution populates the user who invited a guest as the guest’s manager which allows you to easily examine the question “Who invited this Azure AD Guest Account?”.

Azure AD guest user review solution

Twitter Facebook LinkedIn

Nicola Suter

Who invited this Azure AD guest user?

Kusto queries for your log analytics workspace

Improving your guest user governance

Comments

You May Also Enjoy

Have you considered TPM key attestation?

Automatically sign your PowerShell scripts with GitHub actions

Securely sending emails from PowerShell scripts with modern authentication enforced

Dealing with Intune OMA-URI encoding and applocker rules