Logs in Sentinel show all Operation logs for external users only

Copper Contributor

Greetings all

Sentinel in Azure shows all Operation logs only for External users but not for Internal ones.

Is it because of policies or what could be the reason?


For example, it shows when a message is sent in Teams from an external user but not from internal.

2 Replies
Is this the OfficeActivity table?

If I run this example (add you email to line 3), I see both users from other companies

| where RecordType =~'MicrosoftTeams'
| where UserId !endswith "yourDomain.com"

What have you tried so far?



When I run your query it still shows only external users for Message Sent.

This is OfficeActivity table.

When I try to get all office activity that's on our tenant, Messagesent it's not visible, but when I do the same for external it is visible.