Forum Discussion
Solved
Azure Log Analytics Office 365 ProPlus Product Version Information
Hi. Requesting assistance to write a query for Azure Log Analytics (as part of Windows Analytics for an environment) to determine details for Office 365 ProPlus versions in the environment. Initially...
All of that data are in Tables that start with "UA", so we can search in just those. I needed to go back in the demo data, so used 60days, you can change this for your data.
search in (UA*) "Office 365 ProPlus" | where TimeGenerated > ago(60d) | summarize count() by TypeGo to Log Analytics and Run Query
Type count_ UAProposedActionPlan 468 UAApp 7001 From that result, UAApp Table looks promising:
UAApp | where TimeGenerated > ago(60d) | where AppVendor == "Microsoft Corporation" | where AppName startswith "Microsoft Office 365" | summarize count() by Computer, AppVersion , AppNameGo to Log Analytics and Run Query
Computer AppVersion AppName count_ SavannaRh-Dsk.Contoso 15.0.5163.1000 Microsoft Office 365 ProPlus - en-us 24 RobertHi-Corp.Contoso 15.0.5153.1000 Microsoft Office 365 ProPlus - en-us 34 Terminal73.Contoso 16.0.11901.20094 Microsoft Office 365 ProPlus - en-us 38 DebbieDi-Sales.Contoso 16.0.11901.20176 Microsoft Office 365 ProPlus - en-us 29 BeverlySm-Dsktp.Contoso 15.0.5127.1000 Microsoft Office 365 ProPlus - en-us 38 PeggyLe-Win.Contoso 16.0.11328.20368 Microsoft Office 365 - en-us 38 KimberlyLe-Corp.Contoso 16.0.11901.20176 Microsoft Office 365 ProPlus - en-us 23 Jaime-Box.Contoso 15.0.5127.1000 Microsoft Office 365 ProPlus - en-us 34 TuSharon-Work.Contoso 16.0.11727.20244 Microsoft Office 365 ProPlus - en-us 38 MichaelSa-Dsktp.Contoso 16.0.12013.20000 Microsoft Office 365 ProPlus - en-us 10 or
UAApp | where TimeGenerated > ago(30d) | where AppVendor == "Microsoft Corporation" | where AppName startswith "Microsoft Office 365 ProPlus" | summarize count(Computer) by AppVersion | sort by count_Computer desc | render barchart
CliveWatson
Microsoft
Microsoft
All of that data are in Tables that start with "UA", so we can search in just those. I needed to go back in the demo data, so used 60days, you can change this for your data.
search in (UA*) "Office 365 ProPlus"
| where TimeGenerated > ago(60d)
| summarize count() by Type Go to Log Analytics and Run Query
| Type | count_ |
|---|---|
| UAProposedActionPlan | 468 |
| UAApp | 7001 |
From that result, UAApp Table looks promising:
UAApp
| where TimeGenerated > ago(60d)
| where AppVendor == "Microsoft Corporation"
| where AppName startswith "Microsoft Office 365"
| summarize count() by Computer, AppVersion , AppName
Go to Log Analytics and Run Query
| Computer | AppVersion | AppName | count_ |
|---|---|---|---|
| SavannaRh-Dsk.Contoso | 15.0.5163.1000 | Microsoft Office 365 ProPlus - en-us | 24 |
| RobertHi-Corp.Contoso | 15.0.5153.1000 | Microsoft Office 365 ProPlus - en-us | 34 |
| Terminal73.Contoso | 16.0.11901.20094 | Microsoft Office 365 ProPlus - en-us | 38 |
| DebbieDi-Sales.Contoso | 16.0.11901.20176 | Microsoft Office 365 ProPlus - en-us | 29 |
| BeverlySm-Dsktp.Contoso | 15.0.5127.1000 | Microsoft Office 365 ProPlus - en-us | 38 |
| PeggyLe-Win.Contoso | 16.0.11328.20368 | Microsoft Office 365 - en-us | 38 |
| KimberlyLe-Corp.Contoso | 16.0.11901.20176 | Microsoft Office 365 ProPlus - en-us | 23 |
| Jaime-Box.Contoso | 15.0.5127.1000 | Microsoft Office 365 ProPlus - en-us | 34 |
| TuSharon-Work.Contoso | 16.0.11727.20244 | Microsoft Office 365 ProPlus - en-us | 38 |
| MichaelSa-Dsktp.Contoso | 16.0.12013.20000 | Microsoft Office 365 ProPlus - en-us | 10 |
or
UAApp
| where TimeGenerated > ago(30d)
| where AppVendor == "Microsoft Corporation"
| where AppName startswith "Microsoft Office 365 ProPlus"
| summarize count(Computer) by AppVersion
| sort by count_Computer desc
| render barchart
CliveWatson Thank you for the example and explanation. This is helpful.
