Guest Sign-Ins

The permissions to read your own Azure AD sign-ins don’t stop at the normal Azure AD account. You can also read your sign-ins as a B2B guest.

In this article, the expression “Home Tenant” is used to denote the tenant where the Azure AD account of the user resides. The expression “Inviting Tenant” is used for the tenant where the B2B Guest account of the user resides.

For the end user view, simply add the Inviting Tenant ID to the URL, like this: "https://mysignins.microsoft.com/?tenant=766be2d4-f169-4e66-82f5-5a1c7d162a19". Then log on to your B2B guest account (see below on how to find the Inviting Tenant ID). But what if you are interested in the additional information you get with the administrator’s view?

Only in the exceptional and very rare case that a guest user has been promoted to user type “Member” and the Inviting Tenant does not restrict access to the Azure AD administration portal can a guest user access her own sign-ins in the Azure Portal. Strictly speaking, this user is no longer a guest user in the Inviting Tenant, but rather an “External Azure Active Directory user with user type Member”. You can get to your guest sign-ins by signing in to the Azure portal using the credentials from the Home Tenant, then choosing the Inviting Tenant in the Switch Directory Menu in the upper right corner. Once the focus is on the Inviting Tenant, navigate to your own guest identity and choose “Sign-Ins” under Activity.

But normally, the guest user has not been promoted to user type Member and/or access to the Azure AD administrative portal is restricted in the Inviting Tenant. So, what then? Like in the normal user case, Graph API helps.

First, you have to find the Tenant ID of the Inviting Tenant and the Object ID of the guest account therein. The PowerShell script to dump your sign-ins from the Inviting Tenant is identical to the PowerShell script from the user account in the Home Tenant. Modify the script by setting the variables for the Tenant ID and the Object ID accordingly at the beginning of the script. The Graph API is called as follows:

"https://graph.microsoft.com/beta/auditLogs/signIns?api-version=beta&$filter=(userId eq 'YourObjectIDgoeshere')"

Download the PowerShell script Get-AzureADSignIns-MSGraph.ps1 as a zip file.

The script logs you in directly to the Inviting Tenant using the guest account. So the login experience is similar to the login experience from Azure CLI. First, you get a prompt with the branding from the Inviting Tenant.

Ignore the branding and enter your user name from your Home Tenant. The password prompt branding will be from your Home Tenant.

This direct login to the Inviting Tenant bypasses Conditional Access in your Home Tenant.

So you do not get an MFA prompt from your Home Tenant, even if Conditional Access is set up to require MFA for you. But you might get an MFA prompt from the Inviting Tenant, if the Inviting Tenant requires MFA for your guest account. And, just to confuse you, the branding of this MFA prompt is from your Home Tenant. (See the article How to tell which tenant prompts for MFA for more details.)

After a successful logon with your guest account in the Inviting Tenant, the script will run and dump your sign-ins into a csv file.

Oh, and by the way: check out the column “appliedConditionalAccessPolicies” in the csv output. This might be worth more than a side note, but here you go. You get some pieces of information about the Conditional Access rules that are set up in the Inviting Tenant: the list of all rules, their names, some information about the grant controls and whether or not a rule was applied to the sign-in.
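The following is an added example, not the article's Get-AzureADSignIns-MSGraph.ps1: it uses the Microsoft Graph PowerShell SDK (an assumption; the article's script may use a different module) to sign in directly to the Inviting Tenant, resolve the guest Object ID via /me instead of looking it up by hand, page through the filtered sign-ins, and flatten the appliedConditionalAccessPolicies column so the policy names, grant controls and results described above survive the CSV export. The tenant ID is a placeholder.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example (not the article's script). Assumes the Microsoft.Graph module is installed.
param(
    [string]$InvitingTenantId = '<inviting-tenant-id>',   # placeholder, replace with the Inviting Tenant ID
    [string]$OutFile = ".\GuestSignIns-$InvitingTenantId.csv"
)

# Sign in directly to the Inviting Tenant: the prompt carries the Inviting Tenant's branding,
# but the user name and password entered are the Home Tenant account's.
Connect-MgGraph -TenantId $InvitingTenantId -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

# /me resolves to the guest object in the tenant we authenticated to, which gives us the
# Object ID of the guest account without a manual lookup.
$me  = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/me' -OutputType PSObject
$uri = "https://graph.microsoft.com/beta/auditLogs/signIns?`$filter=userId eq '$($me.id)'"

# The endpoint pages its results; follow @odata.nextLink until it is absent.
$signIns = @()
while ($uri) {
    $page     = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $signIns += $page.value
    $uri      = $page.'@odata.nextLink'
}

# appliedConditionalAccessPolicies is a nested array; Export-Csv would otherwise emit only
# its type name. Flatten each policy to "name [result; grants: ...]" joined with ';'.
$rows = foreach ($s in $signIns) {
    $ca = foreach ($p in $s.appliedConditionalAccessPolicies) {
        '{0} [{1}; grants: {2}]' -f $p.displayName, $p.result, ($p.enforcedGrantControls -join ',')
    }
    [pscustomobject]@{
        createdDateTime                  = $s.createdDateTime
        appDisplayName                   = $s.appDisplayName
        ipAddress                        = $s.ipAddress
        statusErrorCode                  = $s.status.errorCode
        conditionalAccessStatus          = $s.conditionalAccessStatus
        appliedConditionalAccessPolicies = $ca -join '; '
    }
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $($rows.Count) guest sign-ins to $OutFile"
```

Policies with result “notApplied” still appear in the column, which is what makes the output useful for seeing which Conditional Access rules exist in the Inviting Tenant, not just which ones fired.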
