Dynamics365 - Check user's group membership


Hi all,

I have a customer who wants an analytics rule to trigger if a CRUD operation is done by a user who is NOT part of the groups x, y and z.

Can this be done through KQL query, or would the solution be to create a logic app that triggers on every CRUD operation?

2 Replies
best response confirmed by Larssen92 (Contributor)
Microsoft Verified Best Answer



If you use Microsoft Sentinel UEBA - you have access to the IdentityInfo table which you can use to leverage group membership, then do a rightanti join to your D365 tables.


Something like this - 


| where TimeGenerated > ago(21d)
| summarize arg_max(TimeGenerated, *) by AccountUPN
| mv-expand GroupMembership
| where GroupMembership has_any ("Group x", "Group y", "Group z")
| project AccountUPN
| join kind=rightanti


| where your query here

| project UserId

) on $left.AccountUPN==$right.UserId


Rightanti will return results from only the right table (your dynamics query) who aren't in the left table (members of your groups).



Thanks, that was exactly what I was looking for!