Azure Log Analytics – KQL Query Examples

Introduction

Microsoft Entra ID keeps its audit and sign-in logs in the portal for a limited time (30 days with a P1/P2 licence, 7 days on the free tier). When you stream those logs to a Log Analytics workspace through a diagnostic setting, you can query them with Kusto Query Language (KQL) for as long as the workspace retains them, which can be configured well beyond 30 days.

Below are commonly used KQL examples for Microsoft Entra ID (formerly Azure AD), Teams, and user auditing. Two things to keep in mind when adapting them: the AuditLogs and SigninLogs tables only exist if the tenant's diagnostic setting forwards the AuditLogs and SignInLogs categories, and columns such as InitiatedBy and TargetResources are dynamic (JSON), so cast values with tostring() before comparing them. String comparison with == is case-sensitive; =~ and contains are not.


Check for Azure AD Groups Being Created

AuditLogs
| where Category == "GroupManagement" and OperationName == "Add group" //and tostring(InitiatedBy.user.userPrincipalName) == ""
// the target of "Add group" is the group itself: it has a displayName and an id but no userPrincipalName
| project TimeGenerated, OperationName, GroupName = tostring(TargetResources[0].displayName), GroupId = tostring(TargetResources[0].id),
          Initiator = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName)) // created by a user or by an app

Check for Users Being Added to Groups

AuditLogs
| where OperationName == "Add member to group" and TargetResources contains "[email protected]"
| extend UTC_Time = TimeGenerated
// convert for display only; datetime_add('hour', -6, UTC_Time) also works but ignores daylight saving time
| extend CST_Time = datetime_utc_to_local(UTC_Time, 'America/Chicago')
// TargetResources[0] is the member being added; the group is described in modifiedProperties (index 1 is Group.DisplayName),
// and its newValue is a JSON-encoded string, so strip the surrounding quotes
| project CST_Time, OperationName, Username = tostring(TargetResources[0].userPrincipalName),
          GroupName = trim('"', tostring(TargetResources[0].modifiedProperties[1].newValue))
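The query above relies on the group name sitting at a fixed position in modifiedProperties. The following is an added example, not part of the original page, that generalises it: it picks the group name by property name instead of by index, handles additions made by an app rather than a user, and then summarises the result into something you can alert on (any addition to a watched privileged group, or a bulk add by one actor within an hour). The AuditLogsSample rows are constructed to mirror the AuditLogs schema and the group names in PrivilegedGroups are assumptions; point the query at the real AuditLogs table (and add a TimeGenerated filter) to run it against a live workspace.

```kql
// Constructed sample rows in the shape of the AuditLogs table (not real tenant data).
let AuditLogsSample = datatable(TimeGenerated: datetime, OperationName: string, InitiatedBy: dynamic, TargetResources: dynamic) [
    datetime(2024-03-10T14:02:00Z), "Add member to group",
        dynamic({"user": {"userPrincipalName": "admin@contoso.com", "ipAddress": "203.0.113.10"}}),
        dynamic([{"userPrincipalName": "alice@contoso.com", "modifiedProperties": [
            {"displayName": "Group.ObjectID", "newValue": "\"11111111-1111-1111-1111-111111111111\""},
            {"displayName": "Group.DisplayName", "newValue": "\"Global Admins\""}]}]),
    datetime(2024-03-10T14:03:00Z), "Add member to group",
        dynamic({"user": {"userPrincipalName": "admin@contoso.com", "ipAddress": "203.0.113.10"}}),
        dynamic([{"userPrincipalName": "bob@contoso.com", "modifiedProperties": [
            {"displayName": "Group.ObjectID", "newValue": "\"11111111-1111-1111-1111-111111111111\""},
            {"displayName": "Group.DisplayName", "newValue": "\"Global Admins\""}]}]),
    datetime(2024-03-10T15:10:00Z), "Add member to group",
        dynamic({"app": {"displayName": "HR Sync Connector"}}),   // initiated by an app, so InitiatedBy.user is absent
        dynamic([{"userPrincipalName": "carol@contoso.com", "modifiedProperties": [
            {"displayName": "Group.ObjectID", "newValue": "\"22222222-2222-2222-2222-222222222222\""},
            {"displayName": "Group.DisplayName", "newValue": "\"Marketing\""}]}]),
    datetime(2024-03-10T15:12:00Z), "Add group",                   // unrelated operation, filtered out below
        dynamic({"user": {"userPrincipalName": "admin@contoso.com"}}),
        dynamic([{"displayName": "Temp Project", "modifiedProperties": []}])
];
// Assumed watchlist of groups whose membership changes should always be reviewed.
let PrivilegedGroups = dynamic(["Global Admins", "Privileged Role Admins"]);
AuditLogsSample                       // replace with AuditLogs against a live workspace
| where OperationName == "Add member to group"
// Actor can be a user or an app/service principal; take whichever is present.
| extend Initiator = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                              tostring(InitiatedBy.app.displayName))
| extend Member = tostring(TargetResources[0].userPrincipalName)
// Select the group name by property name rather than by array position,
// and strip the quotes that wrap the JSON-encoded newValue.
| mv-apply mp = TargetResources[0].modifiedProperties on (
      where tostring(mp.displayName) == "Group.DisplayName"
      | extend GroupName = trim('"', tostring(mp.newValue))
  )
| project-away mp
| extend IsPrivileged = set_has_element(PrivilegedGroups, GroupName)
| summarize Additions = count(), Members = make_set(Member, 50)
    by bin(TimeGenerated, 1h), GroupName, Initiator, IsPrivileged
// Surface any touch of a privileged group, or a bulk add (5+) by one actor within the hour.
| where IsPrivileged or Additions >= 5
| order by TimeGenerated desc
```

Against the sample rows this returns a single line: admin@contoso.com adding two members (alice, bob) to "Global Admins" in the 14:00 bucket; the HR Sync Connector's single addition to "Marketing" falls below both thresholds. The mv-apply step is what makes the query robust to the order of modifiedProperties, which is worth the extra lines whenever a query feeds an alert rather than an ad-hoc investigation.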

Search History for a Specific Azure Enterprise Application ID

AuditLogs
| where ActivityDisplayName == "Update application"   // drop this line to see every operation logged against the app (credentials, owners, consent)
// the application's object id appears in TargetResources[0].id; AdditionalDetails may carry the app (client) id
| where TargetResources contains "38993b0e-fc90-4d54-9b3a-8068892423ac" or AdditionalDetails contains "38993b0e-fc90-4d54-9b3a-8068892423ac" //Entra application id
// AuditLogs has no top-level UserPrincipalName or IPAddress columns (those belong to SigninLogs); the actor is in the dynamic InitiatedBy column
| project TimeGenerated, OperationName, ResultType, Initiator = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName)), InitiatorIP = tostring(InitiatedBy.user.ipAddress)

Get User Sign-In Logs

SigninLogs
| where UserPrincipalName =~ "[email protected]"   // =~ is case-insensitive; == is not
// SigninLogs holds interactive sign-ins only; non-interactive ones land in AADNonInteractiveUserSignInLogs
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, Location, ResultType   // ResultType "0" = successful sign-in

Get Deleted Users

AuditLogs
| where OperationName == "Delete user"
| project TimeGenerated, ActivityDateTime, OperationName, DeletedUser = tostring(TargetResources[0].userPrincipalName),
          Initiator = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))   // deleted by a user or by an app