New TABL Entry Using Office Activity
Query
let OA = OfficeActivity
| where TimeGenerated > ago(30m)
| where Operation == "New-TenantAllowBlockListItems"
| extend Value = extract(@'{"Name":"Entries","Value":"([^"]+)"', 1, Parameters)
| extend Comments = extract(@'{"Name":"Notes","Value":"([^"]+)"', 1, Parameters)
| extend Expiration = extract(@'{"Name":"NoExpiration","Value":"([^"]+)"', 1, Parameters)
| extend Remove_After = extract(@'{"Name":"RemoveAfter","Value":"([^"]+)"', 1, Parameters)
| extend Block_Type= extract(@'{"Name":"ListType","Value":"([^"]+)"', 1, Parameters)
| extend Is_Blocked= extract(@'{"Name":"Block","Value":"([^"]+)"', 1, Parameters)
| extend Is_Allowed= extract(@'{"Name":"Allow","Value":"([^"]+)"', 1, Parameters)
| extend Submission_User = extract(@'{"Name":"SubmissionUserId","Value":"([^"]+)"', 1, Parameters)
| extend AADSessionId = tostring(AppAccessContext.AADSessionId)
| project OA_Time = TimeGenerated, AADSessionId, Operation, Value, Comments, Expiration, Remove_After, Block_Type, Is_Blocked, Is_Allowed, Submission_User;
//
let SI = union SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(2d)
| extend AADSessionId = tostring(SessionId)
| summarize arg_max(TimeGenerated, *) by AADSessionId
| project AADSessionId, UserPrincipalName;
OA
| join kind=leftouter SI on AADSessionId
| extend UserPrincipalName = iif(isempty(AADSessionId), "Unknown", UserPrincipalName)
| extend Submission_User = coalesce(Submission_User, UserPrincipalName)
| project OA_Time, Operation, Value, Comments, Expiration, Remove_After, Block_Type, Is_Blocked, Is_Allowed, Submission_UserExplanation
This query is designed to analyze and correlate data from Office activities related to tenant allow/block list operations with user sign-in logs. Here's a simplified breakdown:
-
Extract Office Activities:
- The query starts by filtering
OfficeActivitylogs to include only those generated in the last 30 minutes where the operation is "New-TenantAllowBlockListItems". - It extracts specific details from the
Parametersfield, such as the value being blocked or allowed, comments, expiration details, block type, and the user who submitted the entry.
- The query starts by filtering
-
Prepare Sign-In Logs:
- It combines data from
SigninLogsandAADNonInteractiveUserSignInLogsfor the last 2 days. - It extracts the Azure Active Directory (AAD) session ID and finds the most recent log entry for each session.
- It combines data from
-
Join and Enhance Data:
- The query performs a left outer join between the Office activities and sign-in logs based on the AAD session ID.
- If the session ID is missing, it assigns "Unknown" to the user principal name.
- It ensures that the
Submission_Userfield is populated, using the user principal name if necessary.
-
Final Output:
- The query projects a final set of columns, including the time of the Office activity, operation details, extracted values, and the user who submitted the entry.
In essence, this query helps identify and understand recent tenant allow/block list operations, linking them to user sign-in activities to provide context on who performed these actions.
Details

Jay Kerai
Released: May 13, 2026
Tables
OfficeActivitySigninLogsAADNonInteractiveUserSignInLogs
Keywords
OfficeActivitySigninLogsAADNonInteractiveUserSignInLogsParametersAppAccessContextAADSessionIdSessionIdUserPrincipalName
Operators
let|where>ago==extendextract@projectunionsummarizearg_maxbyjoinkind=leftouteroniifisemptycoalesce