How to run email alert / report using Entra ID KQL query ?

EnterpriseArchitect 5,036 Reputation points
2024-02-02T06:17:56.1633333+00:00

My Azure tenant is using Entra ID Premium P2 but has no paid Microsoft Sentinel subscription. Under the https://entra.microsoft.com/#view/Microsoft_OperationsManagementSuite_Workspace portal, Monitoring & Health > Log Analytics I can run the query below:

AuditLogs
| where Category =~ "ApplicationManagement"
| where ActivityDisplayName has_any ("Add delegated permission grant","Add app role assignment to service principal")
| where Result =~ "success"
| where tostring(InitiatedBy.user.userPrincipalName) has "@" or tostring(InitiatedBy.app.displayName) has "@"
| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))
| mv-expand props
| extend UserAgent = tostring(AdditionalDetails[0].value)
| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| extend DisplayName = tostring(props.displayName)
| extend Permissions = tostring(parse_json(tostring(props.newValue)))
| where Permissions has_any ("full_access_as_app")
| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)
| extend Type = tostring(TargetResources[0].type)
| project-away props
| join kind=leftouter(
  AuditLogs
  | where ActivityDisplayName has "Consent to application"
  | extend AppName = tostring(TargetResources[0].displayName)
  | extend AppId = tostring(TargetResources[0].id)
  | project AppName, AppId, CorrelationId) on CorrelationId
| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId
| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress

However, how can I get the result by email?

Microsoft Intune Security
Microsoft Intune Security
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
370 questions
PowerShell
PowerShell
A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
2,272 questions
Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,351 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Givary-MSFT 30,251 Reputation points Microsoft Employee
    2024-02-06T08:56:03.6633333+00:00

    @EnterpriseArchitect Thank you for reaching out to us, As I understand you are looking for steps to trigger the result by email (when the query is executed from the log analytics workspace).

    Review the steps mentioned in this QnA post - https://video2.skills-academy.com/en-us/answers/questions/1264499/how-to-receive-email-notification-for-invite-exter which helps to get the result via email.

    Reference: https://video2.skills-academy.com/en-us/azure/azure-monitor/alerts/tutorial-log-alert

    Let me know if you have any further questions, feel free to post back.

    0 comments