IdentityInfo not available via /api/advancedqueries

I created a query in the advanced hunting interface from

It accesses the tables DeviceInfo and IdentityInfo and gets out the email of the last logged-in user.

Now I wanted to create a script to load this data into a database in a nightly job, like I already do with other data from the API.

But querying IdentityInfo fails, because the table is not visible via the advancedqueries API!

I boiled it down to just querying the table (target is redacted by me):

Query = 'IdentityInfo ' gives: "POST /api/advancedqueries/run HTTP/1.1" 400 213

{"error":{"code":"BadRequest","message":"\'\' operator: Failed to resolve table or column or scalar expression named \'IdentityInfo\'. Fix semantic errors in your query","target":"xxxxxxxxxx"}}'


I thought the advanced-queries API should support all the Hunting queries.

Even here the table IdentityInfo is regarded as an example:

Best practices for leveraging Microsoft 365 Defender API's - Episode One - Microsoft Tech Community


0 Replies
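
Added example, not part of the original post and not Microsoft's code: one way a nightly loader can recognise the 400 "Failed to resolve table" reply quoted above and skip only the affected query instead of aborting the whole run. The `run_query` callable, the function names and the sample body are assumptions constructed for illustration; the `Results` key in a successful reply is likewise assumed.

```python
import json
import re

# Semantic-error text as quoted in the post; the unresolved name is captured.
_UNRESOLVED = re.compile(
    r"Failed to resolve table or column or scalar expression named '([^']+)'")

# Constructed sample reply, modelled on the error body in the post.
SAMPLE_400 = ('{"error":{"code":"BadRequest","message":"\'\' operator: Failed to '
              'resolve table or column or scalar expression named \'IdentityInfo\'. '
              'Fix semantic errors in your query","target":"redacted"}}')

def _parse(body):
    if isinstance(body, bytes):
        body = body.decode("utf-8", errors="replace")
    try:
        return json.loads(body)
    except ValueError:
        # Copies taken from logs may carry repr debris (\' and a trailing ').
        return json.loads(body.strip().strip("'").replace("\\'", "'"))

def classify_error(status, body):
    """Map a failed API reply to (kind, detail)."""
    try:
        err = _parse(body)["error"]
        code, message = err.get("code"), err.get("message", "")
    except (ValueError, KeyError, TypeError, AttributeError):
        return ("unparseable", str(body)[:200])
    m = _UNRESOLVED.search(message)
    if status == 400 and m:
        return ("unresolved_name", m.group(1))
    return ("api_error", f"{status} {code}: {message}")

def run_nightly(queries, run_query):
    """queries: {job_name: kql}. run_query(kql) -> (status, body) is supplied
    by the caller (hypothetical). Returns (results, skipped)."""
    results, skipped = {}, {}
    for name, kql in queries.items():
        status, body = run_query(kql)
        if status == 200:
            results[name] = _parse(body).get("Results", [])  # assumed key
        else:
            skipped[name] = classify_error(status, body)
    return results, skipped

if __name__ == "__main__":
    print(classify_error(400, SAMPLE_400))
```

Logging the `skipped` map each night shows which table names the endpoint refused to resolve, separately from syntax errors or transport failures.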