Microsoft Tech Community

Logs in Sentinel show all Operation logs for external users only

Greetings all

Sentinel in Azure shows all Operation logs only for External users but not for Internal ones.

Is it because of policies or what could be the reason?

For example, it shows when a message is sent in Teams from an external user but not from internal.

3 Replies
Is this the OfficeActivity table?

If I run this example (add your email to line 3), I see both users from other companies

OfficeActivity
| where RecordType =~'MicrosoftTeams'
| where UserId !endswith "yourDomain.com"

What have you tried so far?

@Clive_Watson

When I run your query it still shows only external users for Message Sent.

This is OfficeActivity table.

When I try to get all office activity that's on our tenant, MessageSent is not visible, but when I do the same for external it is visible.

@mmikacand @Clive_Watson, we are trying to query the same OfficeActivity where Operation == 'MessageSent' and not seeing records. Seems like the same issue where only external are showing. Did you ever find a solution? Was there a setting to enable or another log they might be going to?

Thanks!