Forum Discussion
Dynamics365 - Check user's group membership
- Dec 21, 2021If you use Microsoft Sentinel UEBA - https://docs.microsoft.com/en-us/azure/sentinel/identify-threats-with-entity-behavior-analytics you have access to the IdentityInfo table which you can use to leverage group membership, then do a rightanti join to your D365 tables. Something like this - IdentityInfo 
 | where TimeGenerated > ago(21d)
 | summarize arg_max(TimeGenerated, *) by AccountUPN
 | mv-expand GroupMembership
 | where GroupMembership has_any ("Group x", "Group y", "Group z")
 | project AccountUPN
 | join kind=rightanti( 
 Dynamics365| where your query here | project UserId ) on $left.AccountUPN==$right.UserId Rightanti will return results from only the right table (your dynamics query) who aren't in the left table (members of your groups). 
If you use Microsoft Sentinel UEBA - https://docs.microsoft.com/en-us/azure/sentinel/identify-threats-with-entity-behavior-analytics you have access to the IdentityInfo table which you can use to leverage group membership, then do a rightanti join to your D365 tables.
Something like this -
IdentityInfo
| where TimeGenerated > ago(21d)
| summarize arg_max(TimeGenerated, *) by AccountUPN
| mv-expand GroupMembership
| where GroupMembership has_any ("Group x", "Group y", "Group z")
| project AccountUPN
| join kind=rightanti
(
Dynamics365
| where your query here
| project UserId
) on $left.AccountUPN==$right.UserId
Rightanti will return results from only the right table (your dynamics query) who aren't in the left table (members of your groups).