
Who invited this Azure AD guest user?


Who invited this Azure AD guest user? Finding out who invited a specific guest account can be quite challenging if you don’t have a Log Analytics workspace in place with Azure AD audit log forwarding configured.

Kusto queries for your log analytics workspace

The following queries help you identify who invited a guest. If you haven’t set up Azure AD audit log forwarding yet, now is the right time to do it, as described in one of my previous blogs.

To find all guest invitations:

AuditLogs
| where OperationName == 'Invite external user' and Result == 'success'

To find all accepted invitations:

// Successful invitations, keyed by the invitation ID stored in AdditionalDetails
AuditLogs
| where OperationName == 'Invite external user' and Result == 'success'
| extend InvitationId = tostring(AdditionalDetails[0].value)
| join (
    // Redemption events carry the invitation ID inside the target's display name
    AuditLogs
    | where OperationName in ('Redeem external user invite')
    | parse kind=regex TargetResources[0].displayName with * "InvitationId: " InvitationId:string ","
)
on $left.InvitationId == $right.InvitationId
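
To answer the question for one specific guest, the two queries above can be combined and narrowed down. The following is an added example, not part of the original post. It assumes the invite event carries the guest's UPN in `TargetResources[0].userPrincipalName` in the usual `name_domain#EXT#@tenant` form and the inviter in `InitiatedBy`; `guest@example.com` is a constructed placeholder.

```kusto
// Added example: who invited one specific guest, and was the invitation redeemed?
// Placeholder value, replace with the guest's e-mail address.
let guestEmail = "guest@example.com";
// Assumption: guest UPNs have the form guest_example.com#EXT#@<tenant>.onmicrosoft.com
let guestUpnPrefix = strcat(replace_string(guestEmail, "@", "_"), "#EXT#");
let invites = AuditLogs
    | where OperationName == 'Invite external user' and Result == 'success'
    | extend GuestUpn = tostring(TargetResources[0].userPrincipalName)
    | where GuestUpn startswith guestUpnPrefix
    | extend InvitationId = tostring(AdditionalDetails[0].value)
    // Invitations can be sent by a user or by an application (for example an automation)
    | extend InvitedBy = coalesce(
        tostring(InitiatedBy.user.userPrincipalName),
        tostring(InitiatedBy.app.displayName))
    | project InvitedAt = TimeGenerated, InvitedBy, GuestUpn, InvitationId;
let redemptions = AuditLogs
    | where OperationName == 'Redeem external user invite'
    | parse kind=regex tostring(TargetResources[0].displayName) with * "InvitationId: " InvitationId:string ","
    // Keep the first redemption per invitation
    | summarize RedeemedAt = min(TimeGenerated) by InvitationId;
invites
// leftouter keeps invitations that were never redeemed (RedeemedAt stays empty)
| join kind=leftouter redemptions on InvitationId
| project InvitedAt, InvitedBy, GuestUpn, RedeemedAt, InvitationId
| order by InvitedAt desc
```

The result only covers invitations that fall within the workspace's retention period, so older guests return no rows.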

Improving your guest user governance

To simplify the guest user review and management process, I developed a solution that fully automates it. Additionally, the solution sets the user who invited a guest as the guest’s manager, which lets you easily answer the question “Who invited this Azure AD guest account?”.

Azure AD guest user review solution

Nicola Suter
Author
Building cyber defense with the latest Microsoft technology available today - to defeat tomorrow’s threats