Azure Sign-Ins REST API : Internal Users are shown as Guest User type for certain logins

Maerona Wynn 6 Reputation points
2021-09-11T09:36:20.293+00:00

I am using the Azure Sign-in REST API to retrieve the Guest user sign-ins in my tenant. But I have retrieved certain sign-ins which show internal users as Guest in the User Type attribute. Also observed that HomeTenantId and ResourceTenantId differ.

Certain times, while logging in to the Azure AD Portal, the directory of the previously logged-in tenant is logged in. In those cases the TenantId may differ and the userType attribute is shown as Guest. But for SharePoint I am not sure of the user type Guest.

This is a bit confusing. Any idea why internal users are shown as Guest users?

Request: https://graph.microsoft.com/beta/auditLogs/signIns

Sample Response:

```json
{
  "id": "$$$$$$",
  "createdDateTime": "2021-08-29T10:22:06Z",
  "userDisplayName": "user",
  "userPrincipalName": "user@cortana.onmicrosoft.com",
  "userId": "$$$$$",
  "appId": "08e18876-6177-487e-b8b5-cf950c1e598c",
  "appDisplayName": "SharePoint Online Web Client Extensibility",
  "ipAddress": "$$$$$$",
  "ipAddressFromResourceProvider": null,
  "clientAppUsed": "",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
  "correlationId": "*********",
  "conditionalAccessStatus": "notApplied",
  "originalRequestId": "",
  "isInteractive": true,
  "tokenIssuerName": "",
  "tokenIssuerType": "AzureAD",
  "processingTimeInMilliseconds": 173,
  "riskDetail": "none",
  "riskLevelAggregated": "none",
  "riskLevelDuringSignIn": "none",
  "riskState": "none",
  "riskEventTypes": [],
  "riskEventTypes_v2": [],
  "resourceDisplayName": "Office 365 SharePoint Online",
  "resourceId": "$$$$$$$",
  "resourceTenantId": "$$$$$$$$$",
  "homeTenantId": "#########",
  "authenticationMethodsUsed": [],
  "authenticationRequirement": "singleFactorAuthentication",
  "alternateSignInName": "",
  "signInIdentifier": "",
  "signInIdentifierType": null,
  "servicePrincipalName": null,
  "signInEventTypes": ["interactiveUser"],
  "servicePrincipalId": "",
  "userType": "guest",
  "flaggedForReview": false,
  "isTenantRestricted": false,
  "autonomousSystemNumber": 45609,
  "crossTenantAccessType": "b2bCollaboration",
  "servicePrincipalCredentialKeyId": null,
  "servicePrincipalCredentialThumbprint": "",
  "mfaDetail": null,
  "status": {
    "errorCode": 0,
    "failureReason": "Other.",
    "additionalDetails": null
  },
  "deviceDetail": {
    "deviceId": "",
    "displayName": "",
    "operatingSystem": "Windows 10",
    "browser": "Chrome 92.0.4515",
    "isCompliant": false,
    "isManaged": false,
    "trustType": ""
  },
  "location": {
    "city": "Kallimandayam",
    "state": "Tamil Nadu",
    "countryOrRegion": "IN",
    "geoCoordinates": {
      "altitude": null,
      "latitude": "",
      "longitude": ""
    }
  },
  "appliedConditionalAccessPolicies": [],
  "authenticationProcessingDetails": [
    { "key": "Login Hint Present", "value": "True" },
    { "key": "User certificate authentication level", "value": "singleFactorAuthentication" }
  ],
  "networkLocationDetails": [],
  "authenticationDetails": [],
  "authenticationRequirementPolicies": [],
  "sessionLifetimePolicies": [],
  "privateLinkDetails": {
    "policyId": "",
    "policyName": "",
    "resourceId": "",
    "policyTenantId": ""
  }
}
```

Thanks in Advance

Regards,
Maerona Wynn


1 answer

AmanpreetSingh-MSFT 56,466 Reputation points
2021-09-13T07:04:22.327+00:00

Hi @Maerona Wynn • Thank you for reaching out.

This happens in scenarios where users access multi-tenant applications which are registered in a different tenant than the users' home tenant.

In the sign-in activity, the field "resourceTenantId": "$$$$$$$$$" represents the tenant where the application is registered, and "homeTenantId": "#########" represents the tenant where the user account resides. When the resource and home tenants are different, the userType field is logged as Guest, because the user is coming from a different tenant than the application's tenant.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
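A triage helper, added here as an example and not code from this thread or from Microsoft, that applies the explanation above: it compares homeTenantId and resourceTenantId against your own tenant ID instead of trusting userType alone, so an internal user signing in to a multi-tenant app hosted elsewhere is not counted as an external guest. The tenant IDs and the three sign-in records are constructed placeholders shaped like the Graph beta signIn resource.

```python
# Classify Entra ID sign-in records from GET /beta/auditLogs/signIns.
# Constructed placeholder tenant IDs (not real tenants).
MY_TENANT = "11111111-1111-1111-1111-111111111111"
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"


def classify_sign_in(record: dict, my_tenant: str) -> str:
    """Return who really signed in, based on tenant IDs rather than userType.

    internal                -> home and resource tenant are both ours
    internal-to-foreign-app -> our user, app registered in another tenant
                               (Graph logs userType "guest" here)
    external-guest          -> B2B guest from another tenant using our resource
    foreign / unknown       -> neither tenant is ours, or fields are missing
    """
    home = (record.get("homeTenantId") or "").lower()
    resource = (record.get("resourceTenantId") or "").lower()
    mine = my_tenant.lower()
    if not home or not resource:
        return "unknown"
    if home == mine and resource == mine:
        return "internal"
    if home == mine:
        return "internal-to-foreign-app"
    if resource == mine:
        return "external-guest"
    return "foreign"


def external_guest_sign_ins(records: list, my_tenant: str) -> list:
    """Only the sign-ins where an account from another tenant hit our tenant."""
    return [r for r in records if classify_sign_in(r, my_tenant) == "external-guest"]


# Constructed sample records: the relevant subset of the signIn fields.
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "alice@example.onmicrosoft.com", "userType": "member",
     "homeTenantId": MY_TENANT, "resourceTenantId": MY_TENANT,
     "crossTenantAccessType": "none"},
    # Our user, multi-tenant app registered in another tenant: logged as "guest".
    {"userPrincipalName": "bob@example.onmicrosoft.com", "userType": "guest",
     "homeTenantId": MY_TENANT, "resourceTenantId": OTHER_TENANT,
     "crossTenantAccessType": "b2bCollaboration"},
    # A real B2B guest from the other tenant using one of our resources.
    {"userPrincipalName": "carol_partner.com#EXT#@example.onmicrosoft.com",
     "userType": "guest", "homeTenantId": OTHER_TENANT,
     "resourceTenantId": MY_TENANT, "crossTenantAccessType": "b2bCollaboration"},
]
```

Run the classifier over the JSON array returned under `value` by the sign-ins endpoint, with `MY_TENANT` set to the tenant ID you are reviewing.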