Entra ID - Access Review Activities
Azure AD Access Reviews
Query
AuditLogs
| where Category == "Policy"
| where OperationName == "Deny decision"
| extend AccessReview = tostring(TargetResources[0].displayName)
| extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend TargetUser = tostring(TargetResources[2].userPrincipalName)About this query
Explanation
The query retrieves Entra ID Access Review activities from the AuditLogs in Microsoft Sentinel. It includes queries for deny decisions, approval decisions, bulk approval, delete access review, and create access review. The queries filter the logs based on the category and operation name, and extract relevant information such as access review name, initiated by user, target user, and IP address.
Details

Alex Verboon
Released: November 2, 2023
Tables
AuditLogs
Keywords
DevicesIntuneUser
Operators
whereCategory=="Policy"OperationName"Deny decision"extendAccessReview=tostring(TargetResources[0].displayName)InitiatedBytostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)TargetUsertostring(TargetResources[2].userPrincipalName)"Approve decision""Bulk Approve decisions""Delete access review"AccessReviewNameIPAddresstostring(AdditionalDetails[3].value)projectTimeGenerated"Create access review"tostring(TargetResources[1].displayName)IPAddress.