Forum Discussion
Find users by tag on 365
Hi everyone,
I have a question:
I'm a 365 Defender administrator in a tenant with E5 P2 for every user, and we wanted to gather information about all the users with the "sensitive" tag.
I've encountered multiple problems: if I go in asset -> identity and check for "show admins only", I don't really see all the users in all the administrator/sensible groups.
And if I go in settings -> Identities -> Entity Tags -> Sensitive, it's empty.
Does anyone know a method to retrieve all the users/accounts tagged with "Sensitive" and/or "domain admin"?
Thank you all.
5 Replies
- Or Tsemah (Former Employee)
Hi, we will soon add "Tags" into the Advanced hunting's IdentityInfo table, available in the security.microsoft.com portal, which will allow you to search by that property. Stay tuned for the announcement.
- boshphorus (Copper Contributor)
Or Tsemah, is there any current way, or something on its way, for matching device tags with user accounts? We have some device tags, and they can be filtered from the devices page on MS 365 Defender. However, it does not list the user accounts which are associated with those device tags. I need to list user accounts which have exclusions for some apps, and I was only able to list the devices which have these tags, not the employee names.
- Or Tsemah (Former Employee)
The best way I can currently suggest for that scenario would be to use advanced hunting to filter the DeviceInfo table, extracting the relevant LoggedOnUsers by DeviceManualTags and then joining that result with the upcoming Tags column of the IdentityInfo table. Feel free to contact me if you wish to discuss this scenario further.
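The join described in the reply above, written out as an advanced hunting query. This is an added example, not part of the original thread or Microsoft's own code. It assumes the Tags column announced in the thread is available in IdentityInfo, that accounts are matched on their on-premises SID, and that `AppExclusion` is a placeholder for the manual device tag used in your tenant.

```kusto
// Placeholder tag name (assumption): replace with your own manual device tag.
let TargetTag = "AppExclusion";
// Lookback window (assumption): widen it if tagged devices report rarely.
let Lookback = 7d;
// Step 1: devices carrying the tag, expanded to one row per logged-on user.
let TaggedDeviceUsers =
    DeviceInfo
    | where Timestamp > ago(Lookback)
    | where isnotempty(DeviceManualTags) and isnotempty(LoggedOnUsers)
    // DeviceManualTags and LoggedOnUsers are JSON arrays stored as strings.
    | mv-expand Tag = parse_json(DeviceManualTags)
    | where tostring(Tag) =~ TargetTag
    | mv-expand User = parse_json(LoggedOnUsers)
    | extend AccountName   = tostring(User.UserName),
             AccountDomain = tostring(User.DomainName),
             AccountSid    = tostring(User.Sid)
    | where isnotempty(AccountSid)
    | distinct DeviceId, DeviceName, AccountName, AccountDomain, AccountSid;
// Step 2: latest identity record per account, keeping the Tags column.
let Identities =
    IdentityInfo
    | where isnotempty(OnPremSid)
    | summarize arg_max(Timestamp, *) by OnPremSid
    // Tags is the column announced in the thread (assumed to exist here).
    | project OnPremSid, AccountUpn, AccountDisplayName, Tags;
// Step 3: join on SID. leftouter keeps users that have no identity record,
// so gaps (local or unsynced accounts) stay visible instead of disappearing.
TaggedDeviceUsers
| join kind=leftouter Identities on $left.AccountSid == $right.OnPremSid
| project DeviceName, AccountDomain, AccountName, AccountUpn,
          AccountDisplayName, Tags
| order by DeviceName asc, AccountName asc
```

Cloud-only accounts carry no on-premises SID, so matching them would need the CloudSid column instead; rows with an empty AccountUpn are the users the join could not resolve.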
- boshphorus (Copper Contributor)
KitsuneMiku, if I was able to understand your question, one of these might be an answer for you.
1- Do you have the Microsoft Defender for Identity portal? If so, you can get this information from there.
2- Also in MS 365 Defender, go to submissions and click on user reported settings in the top right corner. You will see the user tags that you have.
- KitsuneMiku (Copper Contributor)
Thank you for your answer.
Yes, we do have the MDI portal (with all the sensors set up), which redirects me to 365 Defender by default.
I tried to look through your second point, but my user tag section in the user reported settings is completely empty. (I only see priority account applied to 0 users.)
I did read that MDI automatically tags some accounts if they're in administrative groups, but I can't really look through some of them (hybrid environment, and some groups are not synced, and I don't have access to the on-premise infrastructure).
Do you have any other suggestion?
Thank you.