Sign In Logs B2B Access Restrictions
Query
SigninLogs
//| where ResultType != 0
//| where ResultSignature == "FAILURE"
//| where CrossTenantAccessType == "passthrough"
| where Status.failureReason == "The resource tenant\'s cross-tenant access policy does not allow this user to access this tenant."
//use something Like AADInternalsOsint to look up ResourceTenantID from AppOwnerTenantId field.
//This query covers B2b. For Tenant Restrictions see the other KQL in this Repo.Explanation
This query is designed to analyze sign-in logs to identify failed login attempts due to cross-tenant access policy restrictions. Here's a simple breakdown of what it does:
-
Data Source: It starts by examining the
SigninLogs, which contain records of sign-in activities. -
Filter Criteria:
- The query is interested in sign-in attempts where the
Status.failureReasonindicates that the resource tenant's cross-tenant access policy is blocking the user from accessing the tenant. This is a specific type of failure reason. - The commented-out lines suggest that the query could also filter for non-zero result types, failed result signatures, and a specific cross-tenant access type ("passthrough"), but these are not active in the current query.
- The query is interested in sign-in attempts where the
-
Additional Analysis:
- There is a suggestion to use a tool or method like
AADInternalsOsintto look up theResourceTenantIDusing theAppOwnerTenantIdfield. This would help identify which tenant's policies are causing the access issue.
- There is a suggestion to use a tool or method like
-
Scope:
- The query is focused on B2B (Business-to-Business) scenarios, where users from one organization are trying to access resources in another organization's tenant.
- It notes that for tenant restrictions, there is another query available in the repository that should be used.
In summary, this query helps identify and analyze failed sign-in attempts due to cross-tenant access policy restrictions in a B2B context.
Details

Jay Kerai
Released: August 15, 2025
Tables
SigninLogs
Keywords
SigninLogs
Operators
SigninLogswhere==!=