question

0 Votes
MaeronaWynn-8295 asked saldana-msft edited

Azure Sign-Ins REST API : Internal Users are shown as Guest User type for certain logins

I am using the Azure Sign-in REST API to retrieve the Guest user sign-ins in my tenant. But I have retrieved certain sign-ins which show internal users as Guest in the User Type attribute. I also observed that HomeTenantId and ResourceTenantId differ.

At certain times, while logging in to the Azure AD Portal, the directory of the previously logged-in tenant is logged in. In those cases the TenantId may differ and the userType attribute is shown as Guest. But for SharePoint I am not sure about the user type guest.

This is a bit confusing. Any idea why internal users are shown as Guest users?

Request : https://graph.microsoft.com/beta/auditLogs/signIns

Sample Response:

{
  "id": "$$$$$$",
  "createdDateTime": "2021-08-29T10:22:06Z",
  "userDisplayName": "user",
  "userPrincipalName": "user@cortana.onmicrosoft.com",
  "userId": "$$$$$",
  "appId": "08e18876-6177-487e-b8b5-cf950c1e598c",
  "appDisplayName": "SharePoint Online Web Client Extensibility",
  "ipAddress": "$$$$$$",
  "ipAddressFromResourceProvider": null,
  "clientAppUsed": "",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
  "correlationId": "*",
  "conditionalAccessStatus": "notApplied",
  "originalRequestId": "",
  "isInteractive": true,
  "tokenIssuerName": "",
  "tokenIssuerType": "AzureAD",
  "processingTimeInMilliseconds": 173,
  "riskDetail": "none",
  "riskLevelAggregated": "none",
  "riskLevelDuringSignIn": "none",
  "riskState": "none",
  "riskEventTypes": [],
  "riskEventTypes_v2": [],
  "resourceDisplayName": "Office 365 SharePoint Online",
  "resourceId": "$$$$$$$",
  "resourceTenantId": "$$$$$$$$$",
  "homeTenantId": "#########",
  "authenticationMethodsUsed": [],
  "authenticationRequirement": "singleFactorAuthentication",
  "alternateSignInName": "",
  "signInIdentifier": "",
  "signInIdentifierType": null,
  "servicePrincipalName": null,
  "signInEventTypes": ["interactiveUser"],
  "servicePrincipalId": "",
  "userType": "guest",
  "flaggedForReview": false,
  "isTenantRestricted": false,
  "autonomousSystemNumber": 45609,
  "crossTenantAccessType": "b2bCollaboration",
  "servicePrincipalCredentialKeyId": null,
  "servicePrincipalCredentialThumbprint": "",
  "mfaDetail": null,
  "status": {
    "errorCode": 0,
    "failureReason": "Other.",
    "additionalDetails": null
  },
  "deviceDetail": {
    "deviceId": "",
    "displayName": "",
    "operatingSystem": "Windows 10",
    "browser": "Chrome 92.0.4515",
    "isCompliant": false,
    "isManaged": false,
    "trustType": ""
  },
  "location": {
    "city": "Kallimandayam",
    "state": "Tamil Nadu",
    "countryOrRegion": "IN",
    "geoCoordinates": {
      "altitude": null,
      "latitude": "",
      "longitude": ""
    }
  },
  "appliedConditionalAccessPolicies": [],
  "authenticationProcessingDetails": [
    {
      "key": "Login Hint Present",
      "value": "True"
    },
    {
      "key": "User certificate authentication level",
      "value": "singleFactorAuthentication"
    }
  ],
  "networkLocationDetails": [],
  "authenticationDetails": [],
  "authenticationRequirementPolicies": [],
  "sessionLifetimePolicies": [],
  "privateLinkDetails": {
    "policyId": "",
    "policyName": "",
    "resourceId": "",
    "policyTenantId": ""
  }
}


Thanks in Advance

Regards,
Maerona Wynn


azure-active-directory, microsoft-graph-identity, azure-ad-sign-in-logs

1 Answer

0 Votes
amanpreetsingh-msft answered amanpreetsingh-msft commented

Hi @MaeronaWynn-8295 • Thank you for reaching out.

This happens in scenarios where users access multi-tenant applications which are registered in a different tenant than the users' home tenant.

In the sign-in activity, the field "resourceTenantId": "$$$$$$$$$" represents the tenant where the application is registered and "homeTenantId": "#########" represents the tenant where the user account resides. When the resource and home tenants are different, the userType field is logged as Guest, because the user is coming from a different tenant than the application's tenant.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Hi @MaeronaWynn-8295 • Just checking if you have any further questions.

0 Votes 0 ·
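Following the explanation in the answer above, one way to separate external guests signing in to your own tenant from internal users who are logged as guest because the resource lives in another tenant. This is an added example, not part of the original thread or Microsoft's code; the tenant IDs and UPNs are constructed placeholders, the category names are hypothetical, and it assumes you know your own tenant ID.

```python
# Added example: classify sign-in records by comparing homeTenantId and
# resourceTenantId (fields from the sign-in response) with your own tenant ID.
MY_TENANT = "11111111-1111-1111-1111-111111111111"     # constructed placeholder
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"  # constructed placeholder


def _norm(value):
    """Lower-case a GUID string; treat empty or missing values as None."""
    if isinstance(value, str) and value.strip():
        return value.strip().lower()
    return None


def classify_sign_in(record, my_tenant_id):
    """Return 'internal', 'outbound', 'inbound_guest' or 'unknown'."""
    home = _norm(record.get("homeTenantId"))
    resource = _norm(record.get("resourceTenantId"))
    mine = _norm(my_tenant_id)
    if home is None or resource is None or mine is None:
        return "unknown"            # not enough data to decide
    if home == resource:
        return "internal" if home == mine else "unknown"
    if home == mine:
        return "outbound"           # own user, resource in another tenant
    if resource == mine:
        return "inbound_guest"      # external user, resource in own tenant
    return "unknown"


def inbound_guest_sign_ins(records, my_tenant_id):
    """Keep only sign-ins by external users to resources in your tenant."""
    return [r for r in records
            if classify_sign_in(r, my_tenant_id) == "inbound_guest"]


# Constructed sample records, reduced to the fields used here.
SAMPLE = [
    {"userPrincipalName": "internal.user@example.com", "userType": "guest",
     "homeTenantId": MY_TENANT.upper(), "resourceTenantId": OTHER_TENANT},
    {"userPrincipalName": "partner.user@example.org", "userType": "guest",
     "homeTenantId": OTHER_TENANT, "resourceTenantId": MY_TENANT},
    {"userPrincipalName": "staff.user@example.com", "userType": "member",
     "homeTenantId": MY_TENANT, "resourceTenantId": MY_TENANT},
    {"userPrincipalName": "gap.user@example.com", "userType": "guest",
     "homeTenantId": "", "resourceTenantId": MY_TENANT},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["userPrincipalName"], classify_sign_in(rec, MY_TENANT))
```

Filtering on `userType` alone returns both of the first two sample records; comparing the tenant IDs keeps only the second.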