Who invited this Azure AD guest user?
Determining who invited a specific guest account can be quite challenging if you don’t have a Log Analytics workspace in place with Azure AD audit log forwarding configured.
Kusto queries for your log analytics workspace
The following queries help you identify who invited a guest. If you haven’t set up Azure AD audit log forwarding, now is the right time to do it, as described in one of my previous blogs.
To find all guest invitations:
AuditLogs | where OperationName == 'Invite external user' and Result == 'success'
To find all accepted invitations:
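AuditLogs
| where OperationName == 'Invite external user' and Result == 'success'
// AdditionalDetails is an array; the invitation ID is read from its first entry
| extend InvitationId = tostring(AdditionalDetails[0].value)
| join (
    AuditLogs
    | where OperationName in('Redeem external user invite')
    // TargetResources is an array; the redeemed invitation ID is embedded in the first entry's displayName
    | parse kind=regex tostring(TargetResources[0].displayName) with * "InvitationId: " InvitationId:string ","
) on $left.InvitationId == $right.InvitationId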
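Building on the two queries above, the following added example (not part of the original post) returns one row per invitation with the inviter, the invited guest, and whether the invitation was redeemed. It assumes the standard AuditLogs columns InitiatedBy and TargetResources and that the invitation ID is the first AdditionalDetails entry; lookback and guestFilter are hypothetical parameters, and the filter value is a constructed sample.

```kusto
// Added example: who invited which guest, and was the invitation redeemed?
let lookback = 90d;                      // hypothetical: match your workspace retention
let guestFilter = 'alice_example.com';   // constructed sample; set to '' to list all guests
let invites = AuditLogs
    | where TimeGenerated > ago(lookback)
    | where OperationName == 'Invite external user' and Result == 'success'
    // Assumption: the invitation ID is the first AdditionalDetails entry
    | extend InvitationId = tostring(AdditionalDetails[0].value)
    // The inviter is either a user or an application (e.g. an automation)
    | extend InvitedBy = coalesce(
          tostring(InitiatedBy.user.userPrincipalName),
          tostring(InitiatedBy.app.displayName))
    | extend GuestUpn = tostring(TargetResources[0].userPrincipalName)
    | where isempty(guestFilter) or GuestUpn contains guestFilter
    | project InvitedAt = TimeGenerated, InvitationId, InvitedBy, GuestUpn;
let redemptions = AuditLogs
    | where TimeGenerated > ago(lookback)
    | where OperationName == 'Redeem external user invite'
    | parse kind=regex tostring(TargetResources[0].displayName)
        with * "InvitationId: " InvitationId:string ","
    // Skip rows where the ID could not be parsed, keep the first redemption
    | where isnotempty(InvitationId)
    | summarize RedeemedAt = min(TimeGenerated) by InvitationId;
invites
// leftouter keeps invitations that were never redeemed
| join kind=leftouter redemptions on InvitationId
| project InvitedAt, InvitedBy, GuestUpn, InvitationId, RedeemedAt,
          Status = iff(isnull(RedeemedAt), 'pending', 'redeemed')
| order by InvitedAt desc
```

Invitations older than the workspace retention period will not appear, so a guest without a matching row is not proof that no invitation was sent.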
Improving your guest user governance
To simplify the guest user review and management process, I developed a solution which fully automates this process. Additionally, the solution populates the user who invited a guest as the guest’s manager, which allows you to easily answer the question “Who invited this Azure AD Guest Account?”.