├── .gitignore ├── Entra Guest Account Discovery ├── Entra ID Guest Account Discovery.workbook └── readme.md ├── Global Secure Access Unified Dashboard ├── Global Secure Access Unified Dashboard.workbook └── readme.md ├── Intune Change Tracking ├── .DS_Store ├── Intune change tracking.workbook └── readme.md ├── Intune macOS Templates ├── Compliance-Default.json ├── Custom-MDEOnboardingSettings.json ├── README.md ├── SettingsCatalog-BasicSecurityHardening.json ├── SettingsCatalog-Edge.json ├── SettingsCatalog-MicrosoftAutoUpdate.json └── SettingsCatalog-PlatformSSO.json └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | -------------------------------------------------------------------------------- /Entra Guest Account Discovery/Entra ID Guest Account Discovery.workbook: -------------------------------------------------------------------------------- 1 | { 2 | "version": "Notebook/1.0", 3 | "items": [ 4 | { 5 | "type": 1, 6 | "content": { 7 | "json": "# Entra ID Guest Account Discovery\n---\nThe Entra ID Guest Account Workbook provides real-time insights into guest sign-in activity, leveraging the timerange variable for flexible log analysis. It includes advanced log search, visualization tools, and a Home Tenant ID lookup, converting Tenant IDs into domain names for better identification.\n\nDesigned for security monitoring and access insights, this workbook enhances guest user tracking, risk analysis, and anomaly detection. 
- Version 1.0\n\nPowered by oceanleaf.ch 🌱\n" 8 | }, 9 | "name": "text - 2" 10 | }, 11 | { 12 | "type": 9, 13 | "content": { 14 | "version": "KqlParameterItem/1.0", 15 | "parameters": [ 16 | { 17 | "id": "3ddd1ae6-1026-4b3e-8f28-2e5d372b926e", 18 | "version": "KqlParameterItem/1.0", 19 | "name": "timerange", 20 | "label": "Timerange", 21 | "type": 4, 22 | "description": "Choose a custom time range for the queries.", 23 | "isRequired": true, 24 | "isGlobal": true, 25 | "typeSettings": { 26 | "selectableValues": [ 27 | { 28 | "durationMs": 900000 29 | }, 30 | { 31 | "durationMs": 3600000 32 | }, 33 | { 34 | "durationMs": 86400000 35 | }, 36 | { 37 | "durationMs": 172800000 38 | }, 39 | { 40 | "durationMs": 604800000 41 | }, 42 | { 43 | "durationMs": 1209600000 44 | }, 45 | { 46 | "durationMs": 2592000000 47 | }, 48 | { 49 | "durationMs": 5184000000 50 | }, 51 | { 52 | "durationMs": 7776000000 53 | } 54 | ], 55 | "allowCustom": true 56 | }, 57 | "timeContext": { 58 | "durationMs": 86400000 59 | }, 60 | "value": { 61 | "durationMs": 5184000000 62 | } 63 | } 64 | ], 65 | "style": "pills", 66 | "queryType": 0, 67 | "resourceType": "microsoft.operationalinsights/workspaces" 68 | }, 69 | "name": "parameters - 3" 70 | }, 71 | { 72 | "type": 11, 73 | "content": { 74 | "version": "LinkItem/1.0", 75 | "style": "tabs", 76 | "links": [ 77 | { 78 | "id": "2d35410d-c3e0-4a98-a81b-947280c03caa", 79 | "cellValue": "selTab", 80 | "linkTarget": "parameter", 81 | "linkLabel": "Overview ⭐️", 82 | "subTarget": "overview", 83 | "preText": "Overview", 84 | "style": "link" 85 | }, 86 | { 87 | "id": "53f6c634-4f72-4cb4-96cb-dd16c24956fe", 88 | "cellValue": "selTab", 89 | "linkTarget": "parameter", 90 | "linkLabel": "Origin Tenant Lookup 🕵️‍♂️", 91 | "subTarget": "origintenant", 92 | "preText": "Guest Origin Tenant Lookup", 93 | "style": "link" 94 | }, 95 | { 96 | "id": "af31facd-ffeb-43b4-8f0a-132c1c2522c7", 97 | "cellValue": "selTab", 98 | "linkTarget": "parameter", 99 | "linkLabel": 
"Search 🔎", 100 | "subTarget": "search", 101 | "style": "link" 102 | }, 103 | { 104 | "id": "c5d3535a-ada9-49fb-a09a-1bcf74880603", 105 | "cellValue": "selTab", 106 | "linkTarget": "parameter", 107 | "linkLabel": "Stale Guest Account Discovery 💀", 108 | "subTarget": "stale", 109 | "style": "link" 110 | } 111 | ] 112 | }, 113 | "name": "links - 9" 114 | }, 115 | { 116 | "type": 12, 117 | "content": { 118 | "version": "NotebookGroup/1.0", 119 | "groupType": "editable", 120 | "items": [ 121 | { 122 | "type": 1, 123 | "content": { 124 | "json": "### Sign-ins over time" 125 | }, 126 | "name": "text - 0" 127 | }, 128 | { 129 | "type": 12, 130 | "content": { 131 | "version": "NotebookGroup/1.0", 132 | "groupType": "editable", 133 | "items": [ 134 | { 135 | "type": 1, 136 | "content": { 137 | "json": "### Total unique active Guest Accounts" 138 | }, 139 | "name": "text - 0" 140 | }, 141 | { 142 | "type": 3, 143 | "content": { 144 | "version": "KqlItem/1.0", 145 | "query": "SigninLogs\n| where UserType contains \"Guest\"\n| summarize GuestCount = dcount(UserPrincipalName)", 146 | "size": 1, 147 | "timeContextFromParameter": "timerange", 148 | "exportToExcelOptions": "all", 149 | "queryType": 0, 150 | "resourceType": "microsoft.operationalinsights/workspaces", 151 | "visualization": "stat" 152 | }, 153 | "name": "query - 1" 154 | } 155 | ] 156 | }, 157 | "customWidth": "15", 158 | "conditionalVisibility": { 159 | "parameterName": "selTab", 160 | "comparison": "isEqualTo", 161 | "value": "overview" 162 | }, 163 | "name": "group kql log - Copy", 164 | "styleSettings": { 165 | "maxWidth": "15%" 166 | } 167 | }, 168 | { 169 | "type": 3, 170 | "content": { 171 | "version": "KqlItem/1.0", 172 | "query": "SigninLogs\n| where UserType contains \"Guest\"\n| summarize UserCount = dcount(UserPrincipalName), TotalSignInCount = count() by bin(TimeGenerated, 1d)\n| order by TimeGenerated asc\n| render timechart\n", 173 | "size": 0, 174 | "timeContextFromParameter": "timerange", 175 | 
"queryType": 0, 176 | "resourceType": "microsoft.operationalinsights/workspaces", 177 | "visualization": "linechart", 178 | "chartSettings": { 179 | "showDataPoints": true 180 | } 181 | }, 182 | "customWidth": "80", 183 | "name": "query - 1" 184 | } 185 | ] 186 | }, 187 | "conditionalVisibility": { 188 | "parameterName": "selTab", 189 | "comparison": "isEqualTo", 190 | "value": "overview" 191 | }, 192 | "name": "group kql log - main" 193 | }, 194 | { 195 | "type": 12, 196 | "content": { 197 | "version": "NotebookGroup/1.0", 198 | "groupType": "editable", 199 | "items": [ 200 | { 201 | "type": 1, 202 | "content": { 203 | "json": "### Top Domains from Guests" 204 | }, 205 | "name": "text - 0" 206 | }, 207 | { 208 | "type": 3, 209 | "content": { 210 | "version": "KqlItem/1.0", 211 | "query": "SigninLogs\n| where UserType contains \"Guest\" \n| where isnotempty(UserPrincipalName)\n| extend Domain = tostring(split(UserPrincipalName, \"@\")[-1]) \n| summarize SignInCount = count() by Domain \n| order by SignInCount desc \n| take 50", 212 | "size": 1, 213 | "showAnalytics": true, 214 | "timeContextFromParameter": "timerange", 215 | "showExportToExcel": true, 216 | "queryType": 0, 217 | "resourceType": "microsoft.operationalinsights/workspaces", 218 | "mapSettings": { 219 | "locInfo": "CountryRegion", 220 | "locInfoColumn": "Country", 221 | "sizeSettings": "Count", 222 | "sizeAggregation": "Sum", 223 | "legendMetric": "Count", 224 | "legendAggregation": "Sum", 225 | "itemColorSettings": { 226 | "nodeColorField": "Count", 227 | "colorAggregation": "Sum", 228 | "type": "heatmap", 229 | "heatmapPalette": "greenRed" 230 | } 231 | } 232 | }, 233 | "name": "query - 1 - Copy" 234 | }, 235 | { 236 | "type": 1, 237 | "content": { 238 | "json": "### Recent Guest Invites" 239 | }, 240 | "name": "text - 2" 241 | }, 242 | { 243 | "type": 3, 244 | "content": { 245 | "version": "KqlItem/1.0", 246 | "query": "AuditLogs\n| where Category == \"UserManagement\" \n| where ActivityDisplayName 
== \"Invite external user\"\n| extend Initiator = tostring(parse_json(InitiatedBy).user.userPrincipalName) // Extracts inviter's UPN\n| mv-expand AdditionalDetails\n| where isnotempty(AdditionalDetails)\n| extend DetailKey = tostring(parse_json(AdditionalDetails).key), DetailValue = tostring(parse_json(AdditionalDetails).value)\n| where DetailKey == \"invitedUserEmailAddress\" // Extracts guest email\n| summarize EventTime = max(TimeGenerated), Initiators = tostring(make_set(Initiator)) by InvitedGuestEmail = DetailValue\n| extend Initiators = replace(@'[\\[\\]\"\\,]', \"\", Initiators) // Removes brackets, quotes, and commas\n| order by EventTime desc\n| take 100\n", 247 | "size": 1, 248 | "showAnalytics": true, 249 | "timeContextFromParameter": "timerange", 250 | "showExportToExcel": true, 251 | "queryType": 0, 252 | "resourceType": "microsoft.operationalinsights/workspaces" 253 | }, 254 | "name": "query - 3" 255 | } 256 | ] 257 | }, 258 | "conditionalVisibility": { 259 | "parameterName": "selTab", 260 | "comparison": "isEqualTo", 261 | "value": "overview" 262 | }, 263 | "customWidth": "50", 264 | "name": "group kql log - Copy - Copy top - Copy", 265 | "styleSettings": { 266 | "maxWidth": "50%" 267 | } 268 | }, 269 | { 270 | "type": 12, 271 | "content": { 272 | "version": "NotebookGroup/1.0", 273 | "groupType": "editable", 274 | "items": [ 275 | { 276 | "type": 1, 277 | "content": { 278 | "json": "### Guest Sign-in Geolocation" 279 | }, 280 | "name": "text - 0" 281 | }, 282 | { 283 | "type": 3, 284 | "content": { 285 | "version": "KqlItem/1.0", 286 | "query": "SigninLogs\n| where UserType contains \"Guest\"\n|extend ParseLocation = parse_json(LocationDetails)\n| extend Country = iff(ParseLocation.countryOrRegion == '', 'Unknown', tostring(ParseLocation.countryOrRegion))\n| extend City = iff(ParseLocation.city == '', 'Unknown', tostring(ParseLocation.city))\n| extend State = iff(ParseLocation.state == '', 'Unknown', tostring(ParseLocation.state))\n| extend 
GeoCoord = ParseLocation.geoCoordinates\n| extend ParseGeoCoord = parse_json(GeoCoord)\n| extend Latitude = ParseGeoCoord.latitude\n| extend Longitude = ParseGeoCoord.longitude\n| project UserDisplayName, Location, City, State, Country\n| summarize Count = count() by City, State, Country", 287 | "size": 0, 288 | "timeContextFromParameter": "timerange", 289 | "queryType": 0, 290 | "resourceType": "microsoft.operationalinsights/workspaces", 291 | "visualization": "map", 292 | "chartSettings": { 293 | "showMetrics": false 294 | }, 295 | "mapSettings": { 296 | "locInfo": "CountryRegion", 297 | "locInfoColumn": "Country", 298 | "sizeSettings": "Count", 299 | "sizeAggregation": "Sum", 300 | "legendMetric": "Count", 301 | "legendAggregation": "Sum", 302 | "itemColorSettings": { 303 | "nodeColorField": "Count", 304 | "colorAggregation": "Sum", 305 | "type": "heatmap", 306 | "heatmapPalette": "greenRed" 307 | } 308 | } 309 | }, 310 | "name": "query - 1" 311 | }, 312 | { 313 | "type": 3, 314 | "content": { 315 | "version": "KqlItem/1.0", 316 | "query": "SigninLogs\n| where UserType contains \"Guest\"\n|extend ParseLocation = parse_json(LocationDetails)\n| extend Country = iff(ParseLocation.countryOrRegion == '', 'Unknown', tostring(ParseLocation.countryOrRegion))\n| extend City = iff(ParseLocation.city == '', 'Unknown', tostring(ParseLocation.city))\n| extend State = iff(ParseLocation.state == '', 'Unknown', tostring(ParseLocation.state))\n| extend GeoCoord = ParseLocation.geoCoordinates\n| extend ParseGeoCoord = parse_json(GeoCoord)\n| extend Latitude = ParseGeoCoord.latitude\n| extend Longitude = ParseGeoCoord.longitude\n| project UserDisplayName, Location, City, State, Country\n| summarize Count = count() by City, State, Country", 317 | "size": 1, 318 | "showAnalytics": true, 319 | "timeContextFromParameter": "timerange", 320 | "showExportToExcel": true, 321 | "queryType": 0, 322 | "resourceType": "microsoft.operationalinsights/workspaces", 323 | "gridSettings": { 324 | 
"sortBy": [ 325 | { 326 | "itemKey": "Count", 327 | "sortOrder": 2 328 | } 329 | ] 330 | }, 331 | "sortBy": [ 332 | { 333 | "itemKey": "Count", 334 | "sortOrder": 2 335 | } 336 | ] 337 | }, 338 | "name": "query - 2" 339 | } 340 | ] 341 | }, 342 | "conditionalVisibility": { 343 | "parameterName": "selTab", 344 | "comparison": "isEqualTo", 345 | "value": "overview" 346 | }, 347 | "customWidth": "50", 348 | "name": "group kql log - Copy", 349 | "styleSettings": { 350 | "maxWidth": "45%" 351 | } 352 | }, 353 | { 354 | "type": 12, 355 | "content": { 356 | "version": "NotebookGroup/1.0", 357 | "groupType": "editable", 358 | "items": [ 359 | { 360 | "type": 1, 361 | "content": { 362 | "json": "### Sign-in failed Status" 363 | }, 364 | "name": "text - 0" 365 | }, 366 | { 367 | "type": 3, 368 | "content": { 369 | "version": "KqlItem/1.0", 370 | "query": "SigninLogs\n| where UserType contains \"Guest\" and ResultDescription != \"\"\n| summarize Count = count() by ResultDescription\n| order by Count desc\n| render piechart\n", 371 | "size": 3, 372 | "timeContextFromParameter": "timerange", 373 | "queryType": 0, 374 | "resourceType": "microsoft.operationalinsights/workspaces", 375 | "chartSettings": { 376 | "showMetrics": false, 377 | "seriesLabelSettings": [ 378 | { 379 | "seriesName": "Access has been blocked due to conditional access policies.", 380 | "color": "redBright" 381 | }, 382 | { 383 | "seriesName": "External security challenge was not satisfied.", 384 | "color": "orange" 385 | }, 386 | { 387 | "seriesName": "Device Authentication Required - DeviceId -DeviceAltSecId claims are null OR no device corresponding to the device identifier exists.", 388 | "color": "yellow" 389 | }, 390 | { 391 | "seriesName": "Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access the tenant.", 392 | "color": "brown" 393 | }, 394 | { 395 | "seriesName": "Other", 396 | "color": "gray" 397 | 
}, 398 | { 399 | "seriesName": "Strong Authentication is required.", 400 | "color": "magenta" 401 | } 402 | ] 403 | } 404 | }, 405 | "name": "query - 1" 406 | }, 407 | { 408 | "type": 3, 409 | "content": { 410 | "version": "KqlItem/1.0", 411 | "query": "SigninLogs\n| where UserType contains \"Guest\" and ResultDescription != \"\"\n| summarize Count = count() by ResultDescription\n| order by Count desc\n", 412 | "size": 1, 413 | "showAnalytics": true, 414 | "timeContextFromParameter": "timerange", 415 | "showExportToExcel": true, 416 | "exportToExcelOptions": "all", 417 | "queryType": 0, 418 | "resourceType": "microsoft.operationalinsights/workspaces" 419 | }, 420 | "name": "query - 1 - Copy" 421 | } 422 | ] 423 | }, 424 | "conditionalVisibility": { 425 | "parameterName": "selTab", 426 | "comparison": "isEqualTo", 427 | "value": "overview" 428 | }, 429 | "customWidth": "50", 430 | "name": "group kql log", 431 | "styleSettings": { 432 | "maxWidth": "40%" 433 | } 434 | }, 435 | { 436 | "type": 12, 437 | "content": { 438 | "version": "NotebookGroup/1.0", 439 | "groupType": "editable", 440 | "items": [ 441 | { 442 | "type": 1, 443 | "content": { 444 | "json": "### Target App accessed" 445 | }, 446 | "name": "text - 0" 447 | }, 448 | { 449 | "type": 3, 450 | "content": { 451 | "version": "KqlItem/1.0", 452 | "query": "SigninLogs\n| where UserType contains \"Guest\"\n| where isnotempty(AppDisplayName) // drop rows with no target application recorded\n| summarize SignInCount = count() by AppDisplayName\n| order by SignInCount desc", 453 | "size": 3, 454 | "showAnalytics": true, 455 | "timeContextFromParameter": "timerange", 456 | "showExportToExcel": true, 457 | "queryType": 0, 458 | "resourceType": "microsoft.operationalinsights/workspaces", 459 | "visualization": "piechart", 460 | "mapSettings": { 461 | "locInfo": "CountryRegion", 462 | "locInfoColumn": "Country", 463 | "sizeSettings": "Count", 464 | "sizeAggregation": "Sum", 465 | "legendMetric": "Count", 466 | 
"legendAggregation": "Sum", 467 | "itemColorSettings": { 468 | "nodeColorField": "Count", 469 | "colorAggregation": "Sum", 470 | "type": "heatmap", 471 | "heatmapPalette": "greenRed" 472 | } 473 | } 474 | }, 475 | "name": "query - 1 - Copy" 476 | }, 477 | { 478 | "type": 1, 479 | "content": { 480 | "json": "### Top active Guest Identities" 481 | }, 482 | "name": "text - 0 - Copy" 483 | }, 484 | { 485 | "type": 3, 486 | "content": { 487 | "version": "KqlItem/1.0", 488 | "query": "SigninLogs\n| where UserType contains \"Guest\"\n| summarize Count = count() by UserPrincipalName\n| order by Count desc\n| render piechart\n", 489 | "size": 3, 490 | "showAnalytics": true, 491 | "timeContextFromParameter": "timerange", 492 | "showExportToExcel": true, 493 | "queryType": 0, 494 | "resourceType": "microsoft.operationalinsights/workspaces" 495 | }, 496 | "name": "query - 1 - Copy" 497 | } 498 | ] 499 | }, 500 | "conditionalVisibility": { 501 | "parameterName": "selTab", 502 | "comparison": "isEqualTo", 503 | "value": "overview" 504 | }, 505 | "customWidth": "50", 506 | "name": "group kql log - Copy - Copy top", 507 | "styleSettings": { 508 | "maxWidth": "40%" 509 | } 510 | }, 511 | { 512 | "type": 12, 513 | "content": { 514 | "version": "NotebookGroup/1.0", 515 | "groupType": "editable", 516 | "items": [ 517 | { 518 | "type": 1, 519 | "content": { 520 | "json": "### Cross-Tenant Access Type" 521 | }, 522 | "name": "text - 0" 523 | }, 524 | { 525 | "type": 3, 526 | "content": { 527 | "version": "KqlItem/1.0", 528 | "query": "SigninLogs\n| where UserType contains \"Guest\"\n| summarize count() by CrossTenantAccessType\n| render piechart ", 529 | "size": 3, 530 | "showAnalytics": true, 531 | "timeContextFromParameter": "timerange", 532 | "showExportToExcel": true, 533 | "queryType": 0, 534 | "resourceType": "microsoft.operationalinsights/workspaces", 535 | "mapSettings": { 536 | "locInfo": "CountryRegion", 537 | "locInfoColumn": "Country", 538 | "sizeSettings": "Count", 539 | 
"sizeAggregation": "Sum", 540 | "legendMetric": "Count", 541 | "legendAggregation": "Sum", 542 | "itemColorSettings": { 543 | "nodeColorField": "Count", 544 | "colorAggregation": "Sum", 545 | "type": "heatmap", 546 | "heatmapPalette": "greenRed" 547 | } 548 | } 549 | }, 550 | "name": "query - 1" 551 | } 552 | ] 553 | }, 554 | "conditionalVisibility": { 555 | "parameterName": "selTab", 556 | "comparison": "isEqualTo", 557 | "value": "overview" 558 | }, 559 | "customWidth": "50", 560 | "name": "group kql log - Copy - Copy", 561 | "styleSettings": { 562 | "maxWidth": "45%" 563 | } 564 | }, 565 | { 566 | "type": 12, 567 | "content": { 568 | "version": "NotebookGroup/1.0", 569 | "groupType": "editable", 570 | "items": [ 571 | { 572 | "type": 1, 573 | "content": { 574 | "json": "### Recent Sign-ins from Guests" 575 | }, 576 | "name": "text - 0" 577 | }, 578 | { 579 | "type": 3, 580 | "content": { 581 | "version": "KqlItem/1.0", 582 | "query": "SigninLogs\n| where UserType contains \"Guest\"\n| extend ErrorCode = tostring(Status.errorCode)\n| extend FailureReason = tostring(Status.failureReason)\n| project TimeGenerated, UserPrincipalName, AppDisplayName, Location, HomeTenantId, ErrorCode, FailureReason\n| order by TimeGenerated desc\n| take 100\n", 583 | "size": 0, 584 | "showAnalytics": true, 585 | "timeContextFromParameter": "timerange", 586 | "queryType": 0, 587 | "resourceType": "microsoft.operationalinsights/workspaces", 588 | "gridSettings": { 589 | "sortBy": [ 590 | { 591 | "itemKey": "TimeGenerated", 592 | "sortOrder": 2 593 | } 594 | ] 595 | }, 596 | "sortBy": [ 597 | { 598 | "itemKey": "TimeGenerated", 599 | "sortOrder": 2 600 | } 601 | ] 602 | }, 603 | "name": "query - 1" 604 | } 605 | ] 606 | }, 607 | "conditionalVisibility": { 608 | "parameterName": "selTab", 609 | "comparison": "isEqualTo", 610 | "value": "overview" 611 | }, 612 | "name": "group - 1" 613 | }, 614 | { 615 | "type": 12, 616 | "content": { 617 | "version": "NotebookGroup/1.0", 618 | 
"groupType": "editable", 619 | "items": [ 620 | { 621 | "type": 1, 622 | "content": { 623 | "json": "# Home Tenant IDs from Guests" 624 | }, 625 | "name": "text - 0" 626 | }, 627 | { 628 | "type": 3, 629 | "content": { 630 | "version": "KqlItem/1.0", 631 | "query": "SigninLogs\n| where UserType contains \"Guest\"\n| summarize SignInCount = count() by HomeTenantId\n| order by SignInCount desc\n", 632 | "size": 0, 633 | "timeContextFromParameter": "timerange", 634 | "showExportToExcel": true, 635 | "queryType": 0, 636 | "resourceType": "microsoft.operationalinsights/workspaces", 637 | "mapSettings": { 638 | "locInfo": "CountryRegion", 639 | "locInfoColumn": "Country", 640 | "sizeSettings": "Count", 641 | "sizeAggregation": "Sum", 642 | "legendMetric": "Count", 643 | "legendAggregation": "Sum", 644 | "itemColorSettings": { 645 | "nodeColorField": "Count", 646 | "colorAggregation": "Sum", 647 | "type": "heatmap", 648 | "heatmapPalette": "greenRed" 649 | } 650 | } 651 | }, 652 | "name": "query - 1 - Copy" 653 | } 654 | ] 655 | }, 656 | "conditionalVisibility": { 657 | "parameterName": "selTab", 658 | "comparison": "isEqualTo", 659 | "value": "origintenant" 660 | }, 661 | "customWidth": "45", 662 | "name": "group kql log - Copy - Copy - Copy", 663 | "styleSettings": { 664 | "maxWidth": "40%" 665 | } 666 | }, 667 | { 668 | "type": 12, 669 | "content": { 670 | "version": "NotebookGroup/1.0", 671 | "groupType": "editable", 672 | "items": [ 673 | { 674 | "type": 1, 675 | "content": { 676 | "json": "# Tenant ID Lookup\nEnter a Tenant ID to lookup the domain name. 
(Relies on an external third-party website: the Tenant ID you enter is sent to tenantidlookup.com, so confirm this is acceptable under your data-handling policy before looking up guest home tenants.)", 677 | "style": "upsell" 678 | }, 679 | "name": "text - 0" 680 | }, 681 | { 682 | "type": 9, 683 | "content": { 684 | "version": "KqlParameterItem/1.0", 685 | "parameters": [ 686 | { 687 | "id": "9880184f-4cd7-463e-93ea-15de0978e707", 688 | "version": "KqlParameterItem/1.0", 689 | "name": "TenantId", 690 | "label": "Enter a Tenant ID", 691 | "type": 1, 692 | "isRequired": true, 693 | "typeSettings": { 694 | "isSearchBox": true 695 | }, 696 | "timeContext": { 697 | "durationMs": 86400000 698 | } 699 | } 700 | ], 701 | "style": "pills", 702 | "queryType": 0, 703 | "resourceType": "microsoft.operationalinsights/workspaces" 704 | }, 705 | "customWidth": "100", 706 | "name": "parameters - 3", 707 | "styleSettings": { 708 | "maxWidth": "100%" 709 | } 710 | }, 711 | { 712 | "type": 12, 713 | "content": { 714 | "version": "NotebookGroup/1.0", 715 | "groupType": "editable", 716 | "items": [ 717 | { 718 | "type": 1, 719 | "content": { 720 | "json": "## [🔍 Tenant Lookup for {TenantId} (opens external site)](https://tenantidlookup.com/{TenantId})", 721 | "style": "info" 722 | }, 723 | "name": "text - 0 - Copy" 724 | } 725 | ] 726 | }, 727 | "customWidth": "50", 728 | "name": "group - 11" 729 | } 730 | ] 731 | }, 732 | "conditionalVisibility": { 733 | "parameterName": "selTab", 734 | "comparison": "isEqualTo", 735 | "value": "origintenant" 736 | }, 737 | "customWidth": "50", 738 | "name": "lookuptitle" 739 | }, 740 | { 741 | "type": 12, 742 | "content": { 743 | "version": "NotebookGroup/1.0", 744 | "groupType": "editable", 745 | "items": [ 746 | { 747 | "type": 9, 748 | "content": { 749 | "version": "KqlParameterItem/1.0", 750 | "parameters": [ 751 | { 752 | "id": "d29c1c9f-1ac0-494b-aa49-c588907d90eb", 753 | "version": "KqlParameterItem/1.0", 754 | "name": "User", 755 | "type": 1, 756 | "timeContext": { 757 | "durationMs": 86400000 758 | }, 759 | "value": "" 760 | }, 761 | { 762 | "id": "0f4b98a0-20b7-4d1c-96db-0fa18eed9eda", 763 | "version": "KqlParameterItem/1.0", 
764 | "name": "App", 765 | "type": 1, 766 | "timeContext": { 767 | "durationMs": 86400000 768 | }, 769 | "value": "" 770 | } 771 | ], 772 | "style": "pills", 773 | "queryType": 0, 774 | "resourceType": "microsoft.operationalinsights/workspaces" 775 | }, 776 | "name": "parameters - 0" 777 | }, 778 | { 779 | "type": 12, 780 | "content": { 781 | "version": "NotebookGroup/1.0", 782 | "groupType": "editable", 783 | "items": [ 784 | { 785 | "type": 1, 786 | "content": { 787 | "json": "## Recent User Sign-ins" 788 | }, 789 | "name": "text - 0" 790 | }, 791 | { 792 | "type": 3, 793 | "content": { 794 | "version": "KqlItem/1.0", 795 | "query": "SigninLogs\n| where UserType contains \"Guest\"\n| extend ErrorCode = tostring(Status.errorCode)\n| extend FailureReason = tostring(Status.failureReason)\n| project TimeGenerated, UserPrincipalName, AppDisplayName, Location, HomeTenantId, ErrorCode, FailureReason\n| order by TimeGenerated desc\n", 796 | "size": 0, 797 | "showAnalytics": true, 798 | "timeContextFromParameter": "timerange", 799 | "showExportToExcel": true, 800 | "queryType": 0, 801 | "resourceType": "microsoft.operationalinsights/workspaces" 802 | }, 803 | "name": "query - 1" 804 | } 805 | ] 806 | }, 807 | "name": "group - 1" 808 | }, 809 | { 810 | "type": 12, 811 | "content": { 812 | "version": "NotebookGroup/1.0", 813 | "groupType": "editable", 814 | "items": [ 815 | { 816 | "type": 1, 817 | "content": { 818 | "json": "### Last successful sign-in" 819 | }, 820 | "name": "text - 0" 821 | }, 822 | { 823 | "type": 3, 824 | "content": { 825 | "version": "KqlItem/1.0", 826 | "query": "SigninLogs\n| where UserPrincipalName contains \"{User}\"\n| where AppDisplayName contains \"{App}\"\n| where ResultType == 0 \n| summarize LastSuccessfulSignIn = max(TimeGenerated)\n", 827 | "size": 4, 828 | "timeContextFromParameter": "timerange", 829 | "queryType": 0, 830 | "resourceType": "microsoft.operationalinsights/workspaces", 831 | "visualization": "stat", 832 | "statSettings": { 
833 | "valueField": "LastSuccessfulSignIn", 834 | "valueAggregation": "None", 835 | "colorSettings": { 836 | "type": "static", 837 | "mode": "background", 838 | "heatmapPalette": "greenRed", 839 | "thresholdsGrid": [] 840 | }, 841 | "iconSettings": { 842 | "thresholdsGrid": [] 843 | }, 844 | "tagText": "", 845 | "valueFontStyle": "small" 846 | }, 847 | "mapSettings": { 848 | "locInfo": "LatLong" 849 | } 850 | }, 851 | "name": "query - 2" 852 | } 853 | ] 854 | }, 855 | "customWidth": "20", 856 | "name": "group - 3" 857 | }, 858 | { 859 | "type": 12, 860 | "content": { 861 | "version": "NotebookGroup/1.0", 862 | "groupType": "editable", 863 | "items": [ 864 | { 865 | "type": 1, 866 | "content": { 867 | "json": "### Most recent failed sign-ins" 868 | }, 869 | "name": "text - 0" 870 | }, 871 | { 872 | "type": 3, 873 | "content": { 874 | "version": "KqlItem/1.0", 875 | "query": "SigninLogs\n| where UserPrincipalName contains \"{User}\"\n| where AppDisplayName contains \"{App}\"\n| extend ErrorCode = iff(isnotempty(tostring(Status.errorCode)), tostring(Status.errorCode), \"0\")\n| extend FailureReason = iff(isnotempty(tostring(Status.failureReason)), tostring(Status.failureReason), \"None\")\n| where ErrorCode != \"0\"\n| project TimeGenerated, ErrorCode, FailureReason, UserPrincipalName, AppDisplayName, Location, HomeTenantId\n| order by TimeGenerated desc\n", 876 | "size": 0, 877 | "showAnalytics": true, 878 | "timeContext": { 879 | "durationMs": 86400000 880 | }, 881 | "showExportToExcel": true, 882 | "queryType": 0, 883 | "resourceType": "microsoft.operationalinsights/workspaces" 884 | }, 885 | "name": "query - 1" 886 | } 887 | ] 888 | }, 889 | "customWidth": "80", 890 | "name": "group - 4" 891 | } 892 | ] 893 | }, 894 | "conditionalVisibility": { 895 | "parameterName": "selTab", 896 | "comparison": "isEqualTo", 897 | "value": "search" 898 | }, 899 | "name": "search" 900 | }, 901 | { 902 | "type": 12, 903 | "content": { 904 | "version": "NotebookGroup/1.0", 905 | 
"groupType": "editable", 906 | "items": [ 907 | { 908 | "type": 12, 909 | "content": { 910 | "version": "NotebookGroup/1.0", 911 | "groupType": "editable", 912 | "items": [ 913 | { 914 | "type": 1, 915 | "content": { 916 | "json": "## Inactive Guest Accounts count since\nTimerange where no sign-in logs from Guest Accounts are found. Please specify the Inactivity timeframe below." 917 | }, 918 | "name": "text - 0" 919 | }, 920 | { 921 | "type": 1, 922 | "content": { 923 | "json": "Ensure that the Timerange and the available log data cover a period longer than the selected Inactivity parameter below.", 924 | "style": "warning" 925 | }, 926 | "customWidth": "50", 927 | "name": "text - 4" 928 | }, 929 | { 930 | "type": 9, 931 | "content": { 932 | "version": "KqlParameterItem/1.0", 933 | "parameters": [ 934 | { 935 | "id": "24b88e94-ac25-40cc-899b-91501b72c420", 936 | "version": "KqlParameterItem/1.0", 937 | "name": "range", 938 | "label": "Inactivite since", 939 | "type": 2, 940 | "isGlobal": true, 941 | "typeSettings": { 942 | "additionalResourceOptions": [], 943 | "showDefault": false 944 | }, 945 | "jsonData": "[\n { \"label\": \"Last 1 day\", \"value\": \"1d\" },\n { \"label\": \"Last 7 days\", \"value\": \"7d\" },\n { \"label\": \"Last 30 days\", \"value\": \"30d\", \"default\": true },\n { \"label\": \"Last 90 days\", \"value\": \"90d\" },\n { \"label\": \"Last 180 days\", \"value\": \"180d\" },\n { \"label\": \"Last 365 days\", \"value\": \"365d\" }\n]\n", 946 | "value": "7d" 947 | } 948 | ], 949 | "style": "pills", 950 | "queryType": 0, 951 | "resourceType": "microsoft.operationalinsights/workspaces" 952 | }, 953 | "name": "parameter - range" 954 | }, 955 | { 956 | "type": 12, 957 | "content": { 958 | "version": "NotebookGroup/1.0", 959 | "groupType": "editable", 960 | "items": [ 961 | { 962 | "type": 1, 963 | "content": { 964 | "json": "## Count\nHow many Guest Accounts did not have a sign-in since Inactivity timeframe." 
965 | }, 966 | "name": "text - 1" 967 | }, 968 | { 969 | "type": 3, 970 | "content": { 971 | "version": "KqlItem/1.0", 972 | "query": "SigninLogs\n| where UserType contains \"Guest\"\n| summarize LastSignIn = max(TimeGenerated) by UserPrincipalName\n| where LastSignIn <= ago({range})\n| summarize dcount(UserPrincipalName)\n", 973 | "size": 1, 974 | "timeContextFromParameter": "timerange", 975 | "queryType": 0, 976 | "resourceType": "microsoft.operationalinsights/workspaces", 977 | "visualization": "stat" 978 | }, 979 | "name": "query - 1 - Copy" 980 | } 981 | ] 982 | }, 983 | "customWidth": "15", 984 | "name": "count" 985 | }, 986 | { 987 | "type": 3, 988 | "content": { 989 | "version": "KqlItem/1.0", 990 | "query": "SigninLogs\n| where UserType contains \"Guest\"\n| summarize LastSignIn = max(TimeGenerated) by UserPrincipalName\n| where LastSignIn <= ago({range})\n| project UserPrincipalName, LastSignIn\n| order by LastSignIn asc\n", 991 | "size": 4, 992 | "showAnalytics": true, 993 | "timeContextFromParameter": "timerange", 994 | "showExportToExcel": true, 995 | "queryType": 0, 996 | "resourceType": "microsoft.operationalinsights/workspaces" 997 | }, 998 | "customWidth": "75", 999 | "name": "query - 1" 1000 | } 1001 | ] 1002 | }, 1003 | "name": "group - 0" 1004 | } 1005 | ] 1006 | }, 1007 | "conditionalVisibility": { 1008 | "parameterName": "selTab", 1009 | "comparison": "isEqualTo", 1010 | "value": "stale" 1011 | }, 1012 | "name": "stale" 1013 | } 1014 | ], 1015 | "fallbackResourceIds": [ 1016 | "/subscriptions/49623a5a-c45e-4381-ae75-f2b64c965a73/resourceGroups/rg-Log-ch/providers/Microsoft.OperationalInsights/workspaces/law-main-ch" 1017 | ], 1018 | "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" 1019 | } -------------------------------------------------------------------------------- /Entra Guest Account Discovery/readme.md: 
-------------------------------------------------------------------------------- 1 | # Entra ID Guest Account Discovery (Azure Workbook) 2 | 3 | This Azure Workbook helps organizations monitor and investigate **guest user activity** in Microsoft Entra ID. 4 | It provides a centralized, interactive view into guest sign-ins, tenant origins, and account lifecycle status – ideal for security, compliance, and identity governance teams. 5 | 6 | --- 7 | 8 | ## ✨ Features 9 | 10 | - 📊 **Real-time visibility** into guest sign-in activity across your environment 11 | - 🔍 **Flexible log analysis** powered by workbook parameters (e.g. time range) 12 | - 🏷️ **Tenant ID to domain resolution** for clearer guest origin identification (uses an external third-party website; the Tenant ID you enter is sent to that site) 13 | - 🧭 **Advanced filtering and search tools** for guest account investigations 14 | - 🚨 **Detection of stale or inactive guest accounts** for improved security posture 15 | - 🔒 Supports **risk detection**, **access reviews**, and **identity hygiene** 16 | 17 | --- 18 | 19 | ## 📂 Workbook Sections 20 | 21 | - **Overview** – General insights and visualizations for guest sign-ins, recent guest invitations, and failed sign-in reasons 22 | - **Origin Tenant Lookup** – Lists the home tenant IDs seen in guest sign-ins and links to an external website for tenant-ID-to-domain resolution 23 | - **Search** – Allows detailed lookup and filtering of sign-in events by user and application (the per-user/per-app queries in this tab are not restricted to guest accounts) 24 | - **Stale Guest Account Discovery** – Highlights guest accounts whose last recorded sign-in within the selected time range is older than the chosen inactivity threshold; guests with no sign-ins at all inside the time range do not appear, so reconcile the list against the directory before clean-up 25 | 26 | --- 27 | 28 | ## 📦 Requirements 29 | 30 | - **Log Analytics Workspace** receiving Microsoft Entra ID diagnostic logs 31 | - Enabled **Sign-in Logs** and **Audit Logs** diagnostic settings (the *Recent Guest Invites* panel queries `AuditLogs`) 32 | - Required tables: `SigninLogs`, `AuditLogs` 33 | - Log retention at least as long as the longest time range / inactivity threshold you intend to query 34 | 35 | --- 36 | 37 | ## 🚀 Deployment 38 | 39 | 1. Clone this repository or copy the workbook JSON 40 | 2. Open **Monitor -> Workbooks** (or **Log Analytics Workspace -> Workbooks**), create a new workbook, open the Advanced Editor (`</>`) and paste the JSON file content 41 | 3. Replace the `fallbackResourceIds` entry with the resource ID of your own Log Analytics workspace – the shipped value points at the author's subscription and workspace – then save the workbook 42 | 4. Adjust parameters to explore the data dynamically. 
39 | -------------------------------------------------------------------------------- /Global Secure Access Unified Dashboard/Global Secure Access Unified Dashboard.workbook: -------------------------------------------------------------------------------- 1 | { 2 | "version": "Notebook/1.0", 3 | "items": [ 4 | { 5 | "type": 1, 6 | "content": { 7 | "json": "# Global Secure Access Unified Dashboard\nThis dashboard provides a centralized view of GSA (Global Secure Access) traffic across multiple channels, including Private Access, Internet, and Microsoft 365. It features interactive charts, destination insights, and source-origin data, enabling real-time monitoring, analysis, and statistics. Designed for visibility and control, it helps identify trends, usage patterns, and security-relevant activity across your organization’s network traffic flows. -Version 1.0\n\nPowered by oceanleaf.ch 🌱" 8 | }, 9 | "customWidth": "70", 10 | "name": "text - 0" 11 | }, 12 | { 13 | "type": 18, 14 | "content": { 15 | "version": "ImageItem/1.0", 16 | "imageUrl": "https://www.oceanleaf.ch/content/images/size/w1000/2025/04/oceanleaf.png", 17 | "size": 4, 18 | "title": "", 19 | "altText": "Oceanleaf" 20 | }, 21 | "customWidth": "15", 22 | "name": "image - 1" 23 | }, 24 | { 25 | "type": 9, 26 | "content": { 27 | "version": "KqlParameterItem/1.0", 28 | "parameters": [ 29 | { 30 | "id": "d88b5613-6073-4320-bd0c-3ac9ce5985d2", 31 | "version": "KqlParameterItem/1.0", 32 | "name": "timerange", 33 | "label": "Timerange", 34 | "type": 4, 35 | "isGlobal": true, 36 | "typeSettings": { 37 | "selectableValues": [ 38 | { 39 | "durationMs": 300000 40 | }, 41 | { 42 | "durationMs": 1800000 43 | }, 44 | { 45 | "durationMs": 3600000 46 | }, 47 | { 48 | "durationMs": 86400000 49 | }, 50 | { 51 | "durationMs": 172800000 52 | }, 53 | { 54 | "durationMs": 604800000 55 | }, 56 | { 57 | "durationMs": 1209600000 58 | }, 59 | { 60 | "durationMs": 2592000000 61 | }, 62 | { 63 | "durationMs": 5184000000 64 | }, 65 | 
{ 66 | "durationMs": 7776000000 67 | } 68 | ], 69 | "allowCustom": true 70 | }, 71 | "timeContext": { 72 | "durationMs": 86400000 73 | }, 74 | "value": { 75 | "durationMs": 7776000000 76 | } 77 | }, 78 | { 79 | "id": "d8e394e4-1841-4dcc-9073-2ab95cb778f8", 80 | "version": "KqlParameterItem/1.0", 81 | "name": "channel", 82 | "label": "Traffic Channel", 83 | "type": 2, 84 | "description": "Select Traffic Channel", 85 | "isGlobal": true, 86 | "typeSettings": { 87 | "additionalResourceOptions": [], 88 | "showDefault": false 89 | }, 90 | "jsonData": "[\n { \"value\":\"\", \"label\":\"All\", \"selected\":true},\n { \"value\":\"internet\", \"label\":\"Internet Access\"},\n { \"value\":\"private\", \"label\":\"Private Access\" },\n {\"value\":\"microsoft365\", \"label\":\"Microsoft 365\" }\n]", 91 | "timeContext": { 92 | "durationMs": 86400000 93 | } 94 | } 95 | ], 96 | "style": "pills", 97 | "queryType": 0, 98 | "resourceType": "microsoft.operationalinsights/workspaces" 99 | }, 100 | "name": "parameters - 5" 101 | }, 102 | { 103 | "type": 12, 104 | "content": { 105 | "version": "NotebookGroup/1.0", 106 | "groupType": "editable", 107 | "items": [ 108 | { 109 | "type": 3, 110 | "content": { 111 | "version": "KqlItem/1.0", 112 | "query": "NetworkAccessTraffic\n| where TrafficType contains \"{channel}\"\n| where Action == \"Allow\"\n| summarize count()", 113 | "size": 4, 114 | "title": "Allowed connections", 115 | "timeContextFromParameter": "timerange", 116 | "queryType": 0, 117 | "resourceType": "microsoft.operationalinsights/workspaces", 118 | "visualization": "stat", 119 | "tileSettings": { 120 | "showBorder": false 121 | }, 122 | "statSettings": { 123 | "valueAggregation": "None", 124 | "colorSettings": { 125 | "type": "static", 126 | "mode": "background", 127 | "heatmapPalette": "greenRed", 128 | "thresholdsGrid": [] 129 | }, 130 | "iconSettings": { 131 | "thresholdsGrid": [ 132 | { 133 | "sourceColumn": "count_", 134 | "operator": ">", 135 | "thresholdValue": "0", 136 
| "representation": "success" 137 | } 138 | ] 139 | }, 140 | "tagText": "", 141 | "valueFontStyle": "auto" 142 | } 143 | }, 144 | "customWidth": "20", 145 | "name": "query - 0" 146 | }, 147 | { 148 | "type": 3, 149 | "content": { 150 | "version": "KqlItem/1.0", 151 | "query": "NetworkAccessTraffic\n| where TrafficType contains \"{channel}\"\n| where Action == \"Block\"\n| summarize count()", 152 | "size": 4, 153 | "title": "Blocked connections", 154 | "timeContextFromParameter": "timerange", 155 | "queryType": 0, 156 | "resourceType": "microsoft.operationalinsights/workspaces", 157 | "visualization": "stat", 158 | "tileSettings": { 159 | "showBorder": false 160 | }, 161 | "statSettings": { 162 | "valueAggregation": "None", 163 | "colorSettings": { 164 | "type": "static", 165 | "mode": "background", 166 | "heatmapPalette": "greenRed", 167 | "thresholdsGrid": [] 168 | }, 169 | "iconSettings": { 170 | "thresholdsGrid": [ 171 | { 172 | "sourceColumn": "count_", 173 | "operator": ">", 174 | "thresholdValue": "0", 175 | "representation": "critical" 176 | } 177 | ] 178 | }, 179 | "tagText": "", 180 | "valueFontStyle": "auto" 181 | } 182 | }, 183 | "customWidth": "20", 184 | "name": "query - 0 - Copy" 185 | }, 186 | { 187 | "type": 3, 188 | "content": { 189 | "version": "KqlItem/1.0", 190 | "query": "NetworkAccessTraffic\n| where TrafficType contains \"{channel}\"\n| summarize ['Total Sent'] = strcat(round(sum(SentBytes) / 1024.0 / 1024.0 / 1024.0, 2), \" GB\")\n", 191 | "size": 4, 192 | "title": "Sent Traffic", 193 | "timeContextFromParameter": "timerange", 194 | "queryType": 0, 195 | "resourceType": "microsoft.operationalinsights/workspaces", 196 | "visualization": "stat", 197 | "tileSettings": { 198 | "showBorder": false 199 | }, 200 | "statSettings": { 201 | "valueAggregation": "None", 202 | "colorSettings": { 203 | "type": "static", 204 | "mode": "background", 205 | "heatmapPalette": "greenRed", 206 | "thresholdsGrid": [] 207 | }, 208 | "iconSettings": { 209 | 
"thresholdsGrid": [ 210 | { 211 | "operator": "contains", 212 | "thresholdValue": ".", 213 | "representation": "up" 214 | } 215 | ] 216 | }, 217 | "tagText": "", 218 | "valueFontStyle": "auto" 219 | } 220 | }, 221 | "customWidth": "15", 222 | "name": "query - 0 - Copy - Copy" 223 | }, 224 | { 225 | "type": 3, 226 | "content": { 227 | "version": "KqlItem/1.0", 228 | "query": "NetworkAccessTraffic\n| where TrafficType contains \"{channel}\"\n| summarize ['Total Sent'] = strcat(round(sum(ReceivedBytes) / 1024.0 / 1024.0 / 1024.0, 2), \" GB\")\n", 229 | "size": 4, 230 | "title": "Received Traffic", 231 | "timeContextFromParameter": "timerange", 232 | "queryType": 0, 233 | "resourceType": "microsoft.operationalinsights/workspaces", 234 | "visualization": "stat", 235 | "tileSettings": { 236 | "showBorder": false 237 | }, 238 | "statSettings": { 239 | "valueAggregation": "None", 240 | "colorSettings": { 241 | "type": "static", 242 | "mode": "background", 243 | "heatmapPalette": "greenRed", 244 | "thresholdsGrid": [] 245 | }, 246 | "iconSettings": { 247 | "thresholdsGrid": [ 248 | { 249 | "operator": "contains", 250 | "thresholdValue": ".", 251 | "representation": "down" 252 | } 253 | ] 254 | }, 255 | "tagText": "", 256 | "valueFontStyle": "auto" 257 | } 258 | }, 259 | "customWidth": "15", 260 | "name": "query - 0 - Copy - Copy - Copy" 261 | }, 262 | { 263 | "type": 3, 264 | "content": { 265 | "version": "KqlItem/1.0", 266 | "query": "NetworkAccessTraffic\n| summarize count() by TrafficType", 267 | "size": 1, 268 | "title": "Channel Traffic Distribution", 269 | "timeContextFromParameter": "timerange", 270 | "queryType": 0, 271 | "resourceType": "microsoft.operationalinsights/workspaces", 272 | "visualization": "piechart", 273 | "chartSettings": { 274 | "seriesLabelSettings": [ 275 | { 276 | "seriesName": "internet", 277 | "color": "blue" 278 | }, 279 | { 280 | "seriesName": "microsoft365", 281 | "color": "yellow" 282 | }, 283 | { 284 | "seriesName": "private", 285 | 
"color": "amethyst" 286 | } 287 | ] 288 | } 289 | }, 290 | "customWidth": "30", 291 | "name": "query - 3" 292 | }, 293 | { 294 | "type": 3, 295 | "content": { 296 | "version": "KqlItem/1.0", 297 | "query": "let TrafficByDay = \n NetworkAccessTraffic\n | where TrafficType contains \"{channel}\"\n | extend TotalBytes = SentBytes + ReceivedBytes\n | summarize Traffic_GB = round(sum(TotalBytes) / 1024.0 / 1024.0 / 1024.0, 2) by bin(TimeGenerated, 1d);\n\nlet ActiveUsersByDay = \n NetworkAccessTraffic\n | where TrafficType contains \"{channel}\"\n | summarize ActiveUsers = dcount(UserPrincipalName) by bin(TimeGenerated, 1d);\n\nlet ActiveDevicesByDay = \n NetworkAccessTraffic\n | where TrafficType contains \"{channel}\"\n | summarize ActiveDevices = dcount(DeviceId) by bin(TimeGenerated, 1d);\n\n// Join für kombinierten Time Chart\nTrafficByDay\n| join kind=inner ActiveUsersByDay on TimeGenerated\n| join kind=inner ActiveDevicesByDay on TimeGenerated\n| order by TimeGenerated asc\n", 298 | "size": 0, 299 | "aggregation": 3, 300 | "title": "Activity Time Chart", 301 | "noDataMessageStyle": 3, 302 | "timeContextFromParameter": "timerange", 303 | "queryType": 0, 304 | "resourceType": "microsoft.operationalinsights/workspaces", 305 | "visualization": "timechart", 306 | "tileSettings": { 307 | "showBorder": false 308 | }, 309 | "chartSettings": { 310 | "showLegend": true 311 | } 312 | }, 313 | "customWidth": "80", 314 | "name": "query - 5" 315 | }, 316 | { 317 | "type": 12, 318 | "content": { 319 | "version": "NotebookGroup/1.0", 320 | "groupType": "editable", 321 | "items": [ 322 | { 323 | "type": 3, 324 | "content": { 325 | "version": "KqlItem/1.0", 326 | "query": "NetworkAccessTraffic\n| where TrafficType contains \"{channel}\"\n| summarize UniqueUserCount = dcount(UserPrincipalName)\n", 327 | "size": 4, 328 | "title": "Unique Active Users", 329 | "timeContextFromParameter": "timerange", 330 | "queryType": 0, 331 | "resourceType": 
"microsoft.operationalinsights/workspaces", 332 | "visualization": "stat", 333 | "tileSettings": { 334 | "showBorder": false 335 | }, 336 | "statSettings": { 337 | "valueAggregation": "None", 338 | "colorSettings": { 339 | "type": "static", 340 | "mode": "background", 341 | "heatmapPalette": "greenRed", 342 | "thresholdsGrid": [] 343 | }, 344 | "iconSettings": { 345 | "thresholdsGrid": [ 346 | { 347 | "operator": ">", 348 | "thresholdValue": "0", 349 | "representation": "Person" 350 | } 351 | ] 352 | }, 353 | "tagText": "", 354 | "valueFontStyle": "auto" 355 | } 356 | }, 357 | "name": "query - 0 - Copy - Copy - Copy - Copy" 358 | }, 359 | { 360 | "type": 3, 361 | "content": { 362 | "version": "KqlItem/1.0", 363 | "query": "NetworkAccessTraffic\n| where TrafficType contains \"{channel}\"\n| summarize UniqueDeviceCount = dcount(DeviceId)\n", 364 | "size": 4, 365 | "title": "Unique Active Devices", 366 | "timeContextFromParameter": "timerange", 367 | "queryType": 0, 368 | "resourceType": "microsoft.operationalinsights/workspaces", 369 | "visualization": "stat", 370 | "tileSettings": { 371 | "showBorder": false 372 | }, 373 | "statSettings": { 374 | "valueAggregation": "None", 375 | "colorSettings": { 376 | "type": "static", 377 | "mode": "background", 378 | "heatmapPalette": "greenRed", 379 | "thresholdsGrid": [] 380 | }, 381 | "iconSettings": { 382 | "thresholdsGrid": [ 383 | { 384 | "operator": ">", 385 | "thresholdValue": "0", 386 | "representation": "Initial_Access" 387 | } 388 | ] 389 | }, 390 | "tagText": "", 391 | "valueFontStyle": "auto" 392 | } 393 | }, 394 | "name": "query - 0 - Copy - Copy - Copy - Copy - Copy" 395 | } 396 | ] 397 | }, 398 | "customWidth": "15", 399 | "name": "chartstats" 400 | }, 401 | { 402 | "type": 1, 403 | "content": { 404 | "json": "---" 405 | }, 406 | "name": "text - 8" 407 | }, 408 | { 409 | "type": 9, 410 | "content": { 411 | "version": "KqlParameterItem/1.0", 412 | "parameters": [ 413 | { 414 | "id": 
"cd123f4c-d643-430c-b0d6-bda19d7ee738", 415 | "version": "KqlParameterItem/1.0", 416 | "name": "action", 417 | "label": "Allowed/Blocked", 418 | "type": 2, 419 | "description": "Filter if traffic was allowed/blocked", 420 | "isGlobal": true, 421 | "typeSettings": { 422 | "additionalResourceOptions": [], 423 | "showDefault": false 424 | }, 425 | "jsonData": "[\n { \"value\":\"\", \"label\":\"All\", \"selected\":true},\n { \"value\":\"Allow\", \"label\":\"Allowed\"},\n { \"value\":\"Block\", \"label\":\"Blocked\" }\n]", 426 | "timeContext": { 427 | "durationMs": 86400000 428 | } 429 | } 430 | ], 431 | "style": "pills", 432 | "queryType": 0, 433 | "resourceType": "microsoft.operationalinsights/workspaces" 434 | }, 435 | "name": "parameters - 6" 436 | }, 437 | { 438 | "type": 12, 439 | "content": { 440 | "version": "NotebookGroup/1.0", 441 | "groupType": "editable", 442 | "items": [ 443 | { 444 | "type": 1, 445 | "content": { 446 | "json": "# Destination\nDetails for destination of GSA connected clients.\nSome stats require identification by the service and may not be completely accurate." 
447 | }, 448 | "customWidth": "15", 449 | "name": "text - 0" 450 | }, 451 | { 452 | "type": 3, 453 | "content": { 454 | "version": "KqlItem/1.0", 455 | "query": "NetworkAccessTraffic\n| where Action contains \"{action}\"\n| where isnotempty(CloudAppName)\n| summarize UniqueCloudApps = dcount(CloudAppName)\n", 456 | "size": 4, 457 | "title": "Unique Cloud Apps", 458 | "timeContextFromParameter": "timerange", 459 | "queryType": 0, 460 | "resourceType": "microsoft.operationalinsights/workspaces", 461 | "visualization": "stat", 462 | "statSettings": { 463 | "valueAggregation": "None", 464 | "colorSettings": { 465 | "type": "static", 466 | "mode": "background", 467 | "heatmapPalette": "greenRed", 468 | "thresholdsGrid": [] 469 | }, 470 | "iconSettings": { 471 | "thresholdsGrid": [ 472 | { 473 | "operator": ">", 474 | "thresholdValue": "0", 475 | "representation": "Globe" 476 | } 477 | ] 478 | }, 479 | "tagText": "", 480 | "valueFontStyle": "auto" 481 | } 482 | }, 483 | "customWidth": "20", 484 | "name": "query - 2" 485 | }, 486 | { 487 | "type": 3, 488 | "content": { 489 | "version": "KqlItem/1.0", 490 | "query": "NetworkAccessTraffic\n| where Action contains \"{action}\"\n| summarize dcount(CloudAppCategory)\n", 491 | "size": 4, 492 | "title": "Unique Cloud App Categories", 493 | "timeContextFromParameter": "timerange", 494 | "queryType": 0, 495 | "resourceType": "microsoft.operationalinsights/workspaces", 496 | "visualization": "stat", 497 | "statSettings": { 498 | "valueAggregation": "None", 499 | "colorSettings": { 500 | "type": "static", 501 | "mode": "background", 502 | "heatmapPalette": "greenRed", 503 | "thresholdsGrid": [] 504 | }, 505 | "iconSettings": { 506 | "thresholdsGrid": [ 507 | { 508 | "operator": ">", 509 | "thresholdValue": "0", 510 | "representation": "ResourceFlat" 511 | } 512 | ] 513 | }, 514 | "tagText": "", 515 | "valueFontStyle": "auto" 516 | } 517 | }, 518 | "customWidth": "20", 519 | "name": "query - 2 - Copy" 520 | }, 521 | { 522 | "type": 
3, 523 | "content": { 524 | "version": "KqlItem/1.0", 525 | "query": "NetworkAccessTraffic\n| where Action contains \"{action}\"\n| where isnotnull(CloudAppGeneralScore)\n| summarize AvgCloudAppScore = round(avg(CloudAppGeneralScore), 2)\n", 526 | "size": 4, 527 | "title": "Average Cloud App General Score", 528 | "timeContextFromParameter": "timerange", 529 | "queryType": 0, 530 | "resourceType": "microsoft.operationalinsights/workspaces", 531 | "visualization": "stat", 532 | "statSettings": { 533 | "valueAggregation": "None", 534 | "colorSettings": { 535 | "type": "static", 536 | "mode": "background", 537 | "heatmapPalette": "greenRed", 538 | "thresholdsGrid": [] 539 | }, 540 | "iconSettings": { 541 | "thresholdsGrid": [ 542 | { 543 | "operator": ">", 544 | "thresholdValue": "0", 545 | "representation": "1" 546 | } 547 | ] 548 | }, 549 | "tagText": "", 550 | "valueFontStyle": "auto" 551 | } 552 | }, 553 | "customWidth": "20", 554 | "name": "query - 2 - Copy - Copy" 555 | }, 556 | { 557 | "type": 3, 558 | "content": { 559 | "version": "KqlItem/1.0", 560 | "query": "NetworkAccessTraffic\n| where Action contains \"{action}\"\n| where isnotnull(CloudAppRiskScore)\n| summarize AvgCloudAppScore = round(avg(CloudAppRiskScore), 2)\n", 561 | "size": 4, 562 | "title": "Average Cloud App Risk Score", 563 | "noDataMessage": "Higher is better / less risky", 564 | "timeContextFromParameter": "timerange", 565 | "queryType": 0, 566 | "resourceType": "microsoft.operationalinsights/workspaces", 567 | "visualization": "stat", 568 | "statSettings": { 569 | "valueAggregation": "None", 570 | "colorSettings": { 571 | "type": "static", 572 | "mode": "background", 573 | "heatmapPalette": "greenRed", 574 | "thresholdsGrid": [] 575 | }, 576 | "iconSettings": { 577 | "thresholdsGrid": [ 578 | { 579 | "operator": ">", 580 | "thresholdValue": "0", 581 | "representation": "2" 582 | } 583 | ] 584 | }, 585 | "tagText": "", 586 | "valueFontStyle": "auto" 587 | } 588 | }, 589 | "customWidth": "20", 590 | 
"name": "query - 2 - Copy - Copy - Copy" 591 | }, 592 | { 593 | "type": 12, 594 | "content": { 595 | "version": "NotebookGroup/1.0", 596 | "groupType": "editable", 597 | "items": [ 598 | { 599 | "type": 3, 600 | "content": { 601 | "version": "KqlItem/1.0", 602 | "query": "NetworkAccessTraffic\n| where Action contains \"{action}\"\n| where CloudAppName != \"\"\n| summarize Count = count() by CloudAppName\n| order by Count desc\n", 603 | "size": 3, 604 | "title": "Cloud Apps", 605 | "timeContextFromParameter": "timerange", 606 | "queryType": 0, 607 | "resourceType": "microsoft.operationalinsights/workspaces", 608 | "visualization": "piechart" 609 | }, 610 | "customWidth": "40", 611 | "name": "query - 1" 612 | }, 613 | { 614 | "type": 3, 615 | "content": { 616 | "version": "KqlItem/1.0", 617 | "query": "NetworkAccessTraffic\n| where Action contains \"{action}\"\n| where DestinationWebCategories != \"\"\n| summarize Count = count() by DestinationWebCategories\n| order by Count desc\n", 618 | "size": 3, 619 | "title": "Cloud App Categories", 620 | "timeContextFromParameter": "timerange", 621 | "queryType": 0, 622 | "resourceType": "microsoft.operationalinsights/workspaces", 623 | "visualization": "piechart" 624 | }, 625 | "customWidth": "45", 626 | "name": "query - 1 - Copy" 627 | }, 628 | { 629 | "type": 3, 630 | "content": { 631 | "version": "KqlItem/1.0", 632 | "query": "NetworkAccessTraffic\n| where TrafficType contains \"{channel}\"\n| where Action contains \"{action}\"\n| where isnotempty(CloudAppName)\n| summarize \n TotalSentBytesGB = round(sum(SentBytes) / 1024.0 / 1024.0 / 1024.0, 2),\n TotalReceivedBytesGB = round(sum(ReceivedBytes) / 1024.0 / 1024.0 / 1024.0, 2),\n TotalTrafficGB = round(sum(SentBytes + ReceivedBytes) / 1024.0 / 1024.0 / 1024.0, 2)\n by CloudAppName\n| order by TotalTrafficGB desc\n| take 100\n", 633 | "size": 0, 634 | "title": "Cloud Apps by Traffic", 635 | "timeContextFromParameter": "timerange", 636 | "queryType": 0, 637 | "resourceType": 
"microsoft.operationalinsights/workspaces" 638 | }, 639 | "customWidth": "90", 640 | "name": "query - 1 - Copy" 641 | } 642 | ] 643 | }, 644 | "name": "deststats" 645 | } 646 | ] 647 | }, 648 | "conditionalVisibilities": [ 649 | { 650 | "parameterName": "channel", 651 | "comparison": "isNotEqualTo", 652 | "value": "private" 653 | }, 654 | { 655 | "parameterName": "channel", 656 | "comparison": "isNotEqualTo", 657 | "value": "microsoft365" 658 | } 659 | ], 660 | "name": "internetdestinationdetails" 661 | }, 662 | { 663 | "type": 12, 664 | "content": { 665 | "version": "NotebookGroup/1.0", 666 | "groupType": "editable", 667 | "items": [ 668 | { 669 | "type": 1, 670 | "content": { 671 | "json": "# Private Destination\n" 672 | }, 673 | "customWidth": "20", 674 | "name": "text - 0" 675 | }, 676 | { 677 | "type": 3, 678 | "content": { 679 | "version": "KqlItem/1.0", 680 | "query": "NetworkAccessTraffic\n| where TrafficType == \"private\" and isnotempty(DestinationIp)\n| where Action contains \"{action}\"\n| summarize UniqueDestinationIps = dcount(DestinationIp)\n", 681 | "size": 4, 682 | "title": "Unique IPs / Ressources", 683 | "timeContextFromParameter": "timerange", 684 | "queryType": 0, 685 | "resourceType": "microsoft.operationalinsights/workspaces", 686 | "visualization": "stat", 687 | "statSettings": { 688 | "valueAggregation": "None", 689 | "colorSettings": { 690 | "type": "static", 691 | "mode": "background", 692 | "heatmapPalette": "greenRed", 693 | "thresholdsGrid": [] 694 | }, 695 | "iconSettings": { 696 | "thresholdsGrid": [ 697 | { 698 | "operator": ">", 699 | "thresholdValue": "0", 700 | "representation": "Star" 701 | } 702 | ] 703 | }, 704 | "tagText": "", 705 | "valueFontStyle": "auto" 706 | } 707 | }, 708 | "customWidth": "15", 709 | "name": "query - 1" 710 | }, 711 | { 712 | "type": 3, 713 | "content": { 714 | "version": "KqlItem/1.0", 715 | "query": "NetworkAccessTraffic\n| where TrafficType == \"private\"\n| where Action contains \"{action}\"\n| 
where isnotempty(ConnectorName)\n| summarize UniqueConnectorNames = dcount(ConnectorName)\n", 716 | "size": 4, 717 | "title": "Count of Connectors", 718 | "timeContextFromParameter": "timerange", 719 | "queryType": 0, 720 | "resourceType": "microsoft.operationalinsights/workspaces", 721 | "visualization": "stat", 722 | "statSettings": { 723 | "valueAggregation": "None", 724 | "colorSettings": { 725 | "type": "static", 726 | "mode": "background", 727 | "heatmapPalette": "greenRed", 728 | "thresholdsGrid": [] 729 | }, 730 | "iconSettings": { 731 | "thresholdsGrid": [ 732 | { 733 | "operator": ">", 734 | "thresholdValue": "0", 735 | "representation": "Retain" 736 | } 737 | ] 738 | }, 739 | "tagText": "", 740 | "valueFontStyle": "auto" 741 | } 742 | }, 743 | "customWidth": "15", 744 | "name": "query - 1 - Copy" 745 | }, 746 | { 747 | "type": 12, 748 | "content": { 749 | "version": "NotebookGroup/1.0", 750 | "groupType": "editable", 751 | "items": [ 752 | { 753 | "type": 3, 754 | "content": { 755 | "version": "KqlItem/1.0", 756 | "query": "NetworkAccessTraffic\n| where TrafficType contains \"{channel}\"\n| where Action contains \"{action}\"\n| where isnotempty(AppId)\n| summarize \n Count = count(),\n TotalTrafficGB = round(sum(SentBytes + ReceivedBytes) / 1024.0 / 1024.0 / 1024.0, 2)\n by AppId\n| order by TotalTrafficGB desc\n", 757 | "size": 0, 758 | "title": "Top AppIDs by Traffic", 759 | "timeContextFromParameter": "timerange", 760 | "queryType": 0, 761 | "resourceType": "microsoft.operationalinsights/workspaces" 762 | }, 763 | "customWidth": "33", 764 | "name": "query - 2" 765 | }, 766 | { 767 | "type": 3, 768 | "content": { 769 | "version": "KqlItem/1.0", 770 | "query": "NetworkAccessTraffic\n| where TrafficType contains \"{channel}\"\n| where Action contains \"{action}\"\n| where isnotempty(ConnectorName)\n| summarize \n Count = count(),\n TotalTrafficGB = round(sum(SentBytes + ReceivedBytes) / 1024.0 / 1024.0 / 1024.0, 2)\n by ConnectorName\n| order by 
TotalTrafficGB desc\n", 771 | "size": 3, 772 | "title": "Top Connectors by Traffic", 773 | "timeContextFromParameter": "timerange", 774 | "queryType": 0, 775 | "resourceType": "microsoft.operationalinsights/workspaces", 776 | "visualization": "piechart" 777 | }, 778 | "customWidth": "33", 779 | "name": "query - 2 - Copy" 780 | }, 781 | { 782 | "type": 3, 783 | "content": { 784 | "version": "KqlItem/1.0", 785 | "query": "NetworkAccessTraffic\n| where TrafficType contains \"{channel}\"\n| where Action contains \"{action}\"\n| where isnotempty(ProcessingRegion)\n| summarize \n Count = count(),\n TotalTrafficGB = round(sum(SentBytes + ReceivedBytes) / 1024.0 / 1024.0 / 1024.0, 2)\n by ProcessingRegion\n| order by TotalTrafficGB desc\n", 786 | "size": 3, 787 | "title": "Top Processing Regions by Traffic", 788 | "timeContextFromParameter": "timerange", 789 | "queryType": 0, 790 | "resourceType": "microsoft.operationalinsights/workspaces", 791 | "visualization": "piechart" 792 | }, 793 | "customWidth": "33", 794 | "name": "query - 2 - Copy - Copy" 795 | } 796 | ] 797 | }, 798 | "name": "privatstats" 799 | } 800 | ] 801 | }, 802 | "conditionalVisibility": { 803 | "parameterName": "channel", 804 | "comparison": "isEqualTo", 805 | "value": "private" 806 | }, 807 | "name": "privatedestinationdetails" 808 | }, 809 | { 810 | "type": 12, 811 | "content": { 812 | "version": "NotebookGroup/1.0", 813 | "groupType": "editable", 814 | "items": [ 815 | { 816 | "type": 3, 817 | "content": { 818 | "version": "KqlItem/1.0", 819 | "query": "NetworkAccessTraffic\n| where TrafficType contains \"{channel}\"\n| where Action contains \"{action}\"\n| where isnotempty(DestinationFqdn)\n| summarize \n Count = count(),\n TotalTrafficGB = round(sum(SentBytes + ReceivedBytes) / 1024.0 / 1024.0 / 1024.0, 2)\n by DestinationFqdn\n| order by TotalTrafficGB desc\n| take 100\n", 820 | "size": 0, 821 | "title": "Top destination FQDNs", 822 | "timeContextFromParameter": "timerange", 823 | "queryType": 0, 
824 | "resourceType": "microsoft.operationalinsights/workspaces" 825 | }, 826 | "customWidth": "55", 827 | "name": "query - 1 - Copy - Copy" 828 | }, 829 | { 830 | "type": 3, 831 | "content": { 832 | "version": "KqlItem/1.0", 833 | "query": "NetworkAccessTraffic\n| where TrafficType contains \"{channel}\"\n| where Action contains \"{action}\"\n| where isnotempty(DestinationIp)\n| summarize \n Count = count(),\n TotalTrafficGB = round(sum(SentBytes + ReceivedBytes) / 1024.0 / 1024.0 / 1024.0, 2)\n by DestinationIp\n| order by TotalTrafficGB desc\n| take 100\n", 834 | "size": 0, 835 | "title": "Top destination IPs", 836 | "timeContextFromParameter": "timerange", 837 | "queryType": 0, 838 | "resourceType": "microsoft.operationalinsights/workspaces" 839 | }, 840 | "customWidth": "25", 841 | "name": "query - 1 - Copy - Copy - Copy" 842 | }, 843 | { 844 | "type": 3, 845 | "content": { 846 | "version": "KqlItem/1.0", 847 | "query": "NetworkAccessTraffic\n| where TrafficType contains \"{channel}\"\n| where Action contains \"{action}\"\n| where isnotempty(DestinationIp)\n| summarize \n Count = count(),\n TotalTrafficGB = round(sum(SentBytes + ReceivedBytes) / 1024.0 / 1024.0 / 1024.0, 2)\n by DestinationPort\n| order by TotalTrafficGB desc\n| take 100\n", 848 | "size": 0, 849 | "title": "Top destination Ports", 850 | "timeContextFromParameter": "timerange", 851 | "queryType": 0, 852 | "resourceType": "microsoft.operationalinsights/workspaces" 853 | }, 854 | "customWidth": "20", 855 | "name": "query - 1 - Copy - Copy - Copy - Copy" 856 | } 857 | ] 858 | }, 859 | "name": "destinationdata" 860 | }, 861 | { 862 | "type": 1, 863 | "content": { 864 | "json": "---" 865 | }, 866 | "name": "text - 9" 867 | }, 868 | { 869 | "type": 12, 870 | "content": { 871 | "version": "NotebookGroup/1.0", 872 | "groupType": "editable", 873 | "items": [ 874 | { 875 | "type": 1, 876 | "content": { 877 | "json": "# Source\nDetails about the source origin of the traffic." 
878 | }, 879 | "customWidth": "25", 880 | "name": "text - 0" 881 | }, 882 | { 883 | "type": 12, 884 | "content": { 885 | "version": "NotebookGroup/1.0", 886 | "groupType": "editable", 887 | "items": [ 888 | { 889 | "type": 3, 890 | "content": { 891 | "version": "KqlItem/1.0", 892 | "query": "NetworkAccessTraffic\n| where TrafficType contains \"{channel}\"\n| where Action contains \"{action}\"\n| where isnotempty(DeviceOperatingSystem) and isnotempty(DeviceId)\n| summarize UniqueDevices = dcount(DeviceId) by DeviceOperatingSystem\n| order by UniqueDevices desc\n", 893 | "size": 0, 894 | "title": "Device Operating Systems", 895 | "timeContextFromParameter": "timerange", 896 | "queryType": 0, 897 | "resourceType": "microsoft.operationalinsights/workspaces", 898 | "visualization": "categoricalbar", 899 | "chartSettings": { 900 | "seriesLabelSettings": [ 901 | { 902 | "seriesName": "MacOS-Darwin-arm64", 903 | "color": "purpleDark" 904 | }, 905 | { 906 | "seriesName": "Windows 11 Enterprise", 907 | "color": "blue" 908 | } 909 | ] 910 | } 911 | }, 912 | "customWidth": "25", 913 | "name": "query - 0" 914 | }, 915 | { 916 | "type": 3, 917 | "content": { 918 | "version": "KqlItem/1.0", 919 | "query": "NetworkAccessTraffic\n| where TrafficType contains \"{channel}\"\n| where Action contains \"{action}\"\n| where isnotempty(AgentVersion) and isnotempty(DeviceId)\n| summarize UniqueDevices = dcount(DeviceId) by AgentVersion\n| order by UniqueDevices desc\n", 920 | "size": 0, 921 | "title": "Agent Version Distribution", 922 | "timeContextFromParameter": "timerange", 923 | "queryType": 0, 924 | "resourceType": "microsoft.operationalinsights/workspaces", 925 | "visualization": "categoricalbar" 926 | }, 927 | "customWidth": "25", 928 | "name": "query - 0 - Copy" 929 | }, 930 | { 931 | "type": 3, 932 | "content": { 933 | "version": "KqlItem/1.0", 934 | "query": "NetworkAccessTraffic\n| where TrafficType contains \"{channel}\"\n| where Action contains \"{action}\"\n| where 
isnotempty(TransportProtocol)\n| summarize count() by TransportProtocol\n\n", 935 | "size": 3, 936 | "title": "Transport Protocols in use", 937 | "timeContextFromParameter": "timerange", 938 | "queryType": 0, 939 | "resourceType": "microsoft.operationalinsights/workspaces", 940 | "visualization": "piechart" 941 | }, 942 | "customWidth": "25", 943 | "name": "query - 0 - Copy - Copy" 944 | }, 945 | { 946 | "type": 3, 947 | "content": { 948 | "version": "KqlItem/1.0", 949 | "query": "NetworkAccessTraffic\n| where TrafficType contains \"{channel}\"\n| where Action contains \"{action}\"\n| where isnotempty(NetworkProtocol)\n| summarize count() by NetworkProtocol\n\n", 950 | "size": 3, 951 | "title": "Network Protocols in use", 952 | "timeContextFromParameter": "timerange", 953 | "queryType": 0, 954 | "resourceType": "microsoft.operationalinsights/workspaces", 955 | "visualization": "piechart" 956 | }, 957 | "customWidth": "25", 958 | "name": "query - 0 - Copy - Copy - Copy" 959 | }, 960 | { 961 | "type": 3, 962 | "content": { 963 | "version": "KqlItem/1.0", 964 | "query": "NetworkAccessTraffic\n| where TrafficType contains \"{channel}\"\n| where Action contains \"{action}\"\n| summarize count() by InitiatingProcessName", 965 | "size": 3, 966 | "title": "Initiating Process Name", 967 | "timeContextFromParameter": "timerange", 968 | "queryType": 0, 969 | "resourceType": "microsoft.operationalinsights/workspaces", 970 | "visualization": "piechart" 971 | }, 972 | "customWidth": "50", 973 | "name": "query - 4" 974 | }, 975 | { 976 | "type": 3, 977 | "content": { 978 | "version": "KqlItem/1.0", 979 | "query": "NetworkAccessTraffic\n| where TrafficType contains \"{channel}\"\n| summarize count() by InitiatingProcessName\n| take 100", 980 | "size": 0, 981 | "timeContextFromParameter": "timerange", 982 | "queryType": 0, 983 | "resourceType": "microsoft.operationalinsights/workspaces" 984 | }, 985 | "customWidth": "45", 986 | "name": "query - 4 - Copy" 987 | } 988 | ] 989 | }, 
990 | "name": "group - 1" 991 | }, 992 | { 993 | "type": 3, 994 | "content": { 995 | "version": "KqlItem/1.0", 996 | "query": "NetworkAccessTraffic\n| where TrafficType contains \"{channel}\"\n| where Action contains \"{action}\"\n| where isnotempty(SourceIp)\n| summarize \n Count = count(),\n TotalTrafficGB = round(sum(SentBytes + ReceivedBytes) / 1024.0 / 1024.0 / 1024.0, 2)\n by SourceIp\n| order by TotalTrafficGB desc\n", 997 | "size": 0, 998 | "title": "Top Source IPs by Traffic", 999 | "timeContextFromParameter": "timerange", 1000 | "queryType": 0, 1001 | "resourceType": "microsoft.operationalinsights/workspaces" 1002 | }, 1003 | "customWidth": "30", 1004 | "name": "query - 2" 1005 | }, 1006 | { 1007 | "type": 3, 1008 | "content": { 1009 | "version": "KqlItem/1.0", 1010 | "query": "NetworkAccessTraffic\n| where TrafficType contains \"{channel}\"\n| where Action contains \"{action}\"\n| where isnotempty(UserPrincipalName)\n| summarize \n Count = count(),\n TotalTrafficGB = round(sum(SentBytes + ReceivedBytes) / 1024.0 / 1024.0 / 1024.0, 2)\n by UserPrincipalName\n| order by TotalTrafficGB desc\n", 1011 | "size": 0, 1012 | "title": "Top Users by Traffic", 1013 | "timeContextFromParameter": "timerange", 1014 | "queryType": 0, 1015 | "resourceType": "microsoft.operationalinsights/workspaces" 1016 | }, 1017 | "customWidth": "50", 1018 | "name": "query - 2 - Copy" 1019 | } 1020 | ] 1021 | }, 1022 | "name": "source" 1023 | } 1024 | ] 1025 | }, 1026 | "name": "queries" 1027 | } 1028 | ], 1029 | "fallbackResourceIds": [ 1030 | "/subscriptions/49623a5a-c45e-4381-ae75-f2b64c965a73/resourceGroups/rg-Log-ch/providers/Microsoft.OperationalInsights/workspaces/law-main-ch" 1031 | ], 1032 | "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" 1033 | } -------------------------------------------------------------------------------- /Global Secure Access Unified Dashboard/readme.md: 
-------------------------------------------------------------------------------- 1 | # Global Secure Access Dashboard (Azure Workbook) 2 | 3 | This Azure Workbook provides a unified monitoring experience for Global Secure Access (GSA) traffic across multiple channels: 4 | 5 | - **Private Access** 6 | - **Internet** 7 | - **Microsoft 365 (M365)** 8 | 9 | It enables IT and security teams to monitor, analyze, and gain visibility into organizational network traffic with rich contextual insights. 10 | 11 | --- 12 | 13 | ## ✨ Features 14 | 15 | - 📊 **Interactive visualizations** of traffic by source, destination, and protocol 16 | - 🌐 **Channel-specific insights** for Private, Internet, and M365 traffic flows 17 | - 📈 **Real-time monitoring** of usage volume, trends, and activity patterns 18 | - 🔍 **Detailed traffic statistics** including sent/received bytes, top destinations, and user activity 19 | - 🧩 **Source-origin correlation** to identify high-impact devices or users 20 | - 🚦 **Action and policy analysis** for deeper investigation and filtering 21 | 22 | --- 23 | 24 | ## 📦 Requirements 25 | 26 | To use this workbook, ensure the following: 27 | 28 | - Azure **Log Analytics Workspace** connected to Entra Diagnostics - Global Secure Access diagnostics 29 | - Required tables: `NetworkAccessTraffic` 30 | 31 | --- 32 | 33 | ## 📂 Workbook Sections 34 | 35 | - **Overview** – General traffic summaries across GSA channels 36 | - **Channel Breakdown** – Per-channel views (Private, Internet, M365) with top destinations, ports, users 37 | - **Source Insights** – Active users, devices, IPs, and their traffic contributions 38 | - **Destination Analytics** – FQDN/IP breakdowns with traffic volume 39 | - **Traffic Statistics** – Sent/received GBs, protocol usage, and action types 40 | 41 | --- 42 | 43 | ## 🚀 Getting Started 44 | 45 | 1. Clone this repository or copy the workbook JSON 46 | 2. 
Open **Log Analytics Workspace -> Monitor -> Workbooks**, open the JSON editor view and paste the JSON file content; the `fallbackResourceIds` entry in the file points to the author's workspace, so replace it with your own workspace resource ID before saving 47 | 3. Adjust parameters (e.g. channel, action) to explore the data dynamically. 48 | 49 | 50 | 51 | -------------------------------------------------------------------------------- /Intune Change Tracking/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thenikk/Oceanleaf/f098f2717fc9746e9d0ea61f3cc252af528f77c5/Intune Change Tracking/.DS_Store -------------------------------------------------------------------------------- /Intune Change Tracking/readme.md: -------------------------------------------------------------------------------- 1 | # Intune Change Tracking (Azure Workbook) 2 | 3 | This Azure Workbook enables organizations to **monitor and track configuration changes** in Microsoft Intune, based on audit logs sent to a Log Analytics Workspace. It gives a comprehensive view of change activity over time and helps identify administrative actions, profile updates, app deployments, and other policy-related operations. 
4 | 5 | --- 6 | 7 | ## ✨ Features 8 | 9 | - 🔍 **Real-time visibility** into Intune audit log events 10 | - 🧭 **Breakdown by object type**: apps, scripts, configuration profiles, compliance, remediation, and more 11 | - 🛠️ **Method insights**: Create, Delete, Patch, Assign – all summarized and visualized 12 | - 📅 **Time-range filtering** with full control via dynamic parameters 13 | - 📊 **Audit event grouping** by identity, method, operation, and device context 14 | - 💡 Supports detection of **anomalous or unexpected changes** 15 | 16 | --- 17 | 18 | ## 📦 Requirements 19 | 20 | To use this workbook, ensure the following: 21 | 22 | - Microsoft Intune audit logs are configured to send to **Azure Log Analytics** 23 | - Diagnostic settings in Intune forward the audit logs to that workspace 24 | - Table required: `AuditLogs` 25 | 26 | --- 27 | 28 | ## 📂 Workbook Sections 29 | 30 | - **Overview** – Key audit insights grouped by object type and method 31 | - **Search Profile Types** – Track specific profile-related changes 32 | - **Device Identity** – Track Autopilot Identities and changes 33 | - **Device Operations** – Operational insights related to endpoints 34 | - **Environment Overview** – General Intune activity overview 35 | - **Cloud PC** – Audit log integration with Cloud PC context (if applicable) 36 | 37 | --- 38 | 39 | ## 🚀 Getting Started 40 | 41 | 1. Clone this repository or copy the workbook JSON 42 | 2. Open **Log Analytics Workspace -> Monitor -> Workbooks**, open the JSON editor view and paste the JSON file content 43 | 3. Adjust parameters to explore the data dynamically. 
44 | 45 | 46 | -------------------------------------------------------------------------------- /Intune macOS Templates/Compliance-Default.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thenikk/Oceanleaf/f098f2717fc9746e9d0ea61f3cc252af528f77c5/Intune macOS Templates/Compliance-Default.json -------------------------------------------------------------------------------- /Intune macOS Templates/Custom-MDEOnboardingSettings.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thenikk/Oceanleaf/f098f2717fc9746e9d0ea61f3cc252af528f77c5/Intune macOS Templates/Custom-MDEOnboardingSettings.json -------------------------------------------------------------------------------- /Intune macOS Templates/README.md: -------------------------------------------------------------------------------- 1 | # Intune - macOS 2 | This repository contains sample Intune policies to configure the macOS platform. They are provided as a starting point and best-practice baseline; review the tenant-specific values they contain (for example the login window text) before importing them. 
3 | 4 | ## Importing 5 | To import the policies, follow the description per policy/profile type: 6 | * **SettingsCatalog** - in Intune, import new policy 7 | * **Custom, Compliance and other** - use [IntuneManagement](https://github.com/Micke-K/IntuneManagement) 8 | 9 | ![Apple](https://oceanleaf.ch/content/images/2024/05/apple-solid.png) 10 | -------------------------------------------------------------------------------- /Intune macOS Templates/SettingsCatalog-BasicSecurityHardening.json: -------------------------------------------------------------------------------- 1 | {"@odata.context":"https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity","createdDateTime":"2023-09-20T13:18:58.5357184Z","creationSource":null,"description":"Inspired by: https://hmaslowski.com/f/macos-security-hardening-with-microsoft-intune","lastModifiedDateTime":"2024-05-07T14:59:27.7653911Z","name":"SettingsCatalog-BasicSecurityHardening","platforms":"macOS","priorityMetaData":null,"roleScopeTagIds":["0"],"settingCount":6,"technologies":"mdm,appleRemoteManagement","id":"7b30fb77-2523-461c-a6d4-dc3262dfc79d","templateReference":{"templateId":"","templateFamily":"none","templateDisplayName":null,"templateDisplayVersion":null},"settings":[{"id":"0","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance","settingDefinitionId":"com.apple.mcx_com.apple.mcx-accounts","settingInstanceTemplateReference":null,"groupSettingCollectionValue":[{"settingValueTemplateReference":null,"children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.mcx_disableguestaccount","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.mcx_disableguestaccount_true","children":[]}}]}]}},{"id":"1","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInst
ance","settingDefinitionId":"com.apple.mcx_com.apple.mcx-fdefilevaultoptions","settingInstanceTemplateReference":null,"groupSettingCollectionValue":[{"settingValueTemplateReference":null,"children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.mcx_dontallowfdedisable","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.mcx_dontallowfdedisable_true","children":[]}}]}]}},{"id":"2","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance","settingDefinitionId":"com.apple.loginwindow_com.apple.loginwindow","settingInstanceTemplateReference":null,"groupSettingCollectionValue":[{"settingValueTemplateReference":null,"children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"com.apple.loginwindow_loginwindowtext","settingInstanceTemplateReference":null,"simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","settingValueTemplateReference":null,"value":"This Mac is owned by 
Oceanleaf."}}]}]}},{"id":"3","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance","settingDefinitionId":".globalpreferences_.globalpreferences","settingInstanceTemplateReference":null,"groupSettingCollectionValue":[{"settingValueTemplateReference":null,"children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":".globalpreferences_com.apple.autologout.autologoutdelay","settingInstanceTemplateReference":null,"simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationIntegerSettingValue","settingValueTemplateReference":null,"value":86400}}]}]}},{"id":"4","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance","settingDefinitionId":"com.apple.applicationaccess_com.apple.applicationaccess","settingInstanceTemplateReference":null,"groupSettingCollectionValue":[{"settingValueTemplateReference":null,"children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowactivitycontinuation","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.applicationaccess_allowactivitycontinuation_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowaddinggamecenterfriends","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.applicationaccess_allowaddinggamecenterfriends_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowairplayincomingrequests","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.
applicationaccess_allowairplayincomingrequests_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowairdrop","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.applicationaccess_allowairdrop_true","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowautounlock","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.applicationaccess_allowautounlock_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowcloudaddressbook","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.applicationaccess_allowcloudaddressbook_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowcloudbookmarks","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.applicationaccess_allowcloudbookmarks_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowcloudcalendar","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.applicationaccess_allowcloudcalendar_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowclouddesktopanddocuments","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"valu
e":"com.apple.applicationaccess_allowclouddesktopanddocuments_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowclouddocumentsync","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.applicationaccess_allowclouddocumentsync_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowcloudfreeform","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.applicationaccess_allowcloudfreeform_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowcloudkeychainsync","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.applicationaccess_allowcloudkeychainsync_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowcloudmail","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.applicationaccess_allowcloudmail_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowcloudnotes","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.applicationaccess_allowcloudnotes_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowcloudphotolibrary","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplate
Reference":null,"value":"com.apple.applicationaccess_allowcloudphotolibrary_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowcloudprivaterelay","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.applicationaccess_allowcloudprivaterelay_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowcloudreminders","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.applicationaccess_allowcloudreminders_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowcontentcaching","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.applicationaccess_allowcontentcaching_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowdictation","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.applicationaccess_allowdictation_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowfingerprintforunlock","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.applicationaccess_allowfingerprintforunlock_true","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowgamecenter","settingInstanceTemplateReference":null,"choiceSettingValue":
{"settingValueTemplateReference":null,"value":"com.apple.applicationaccess_allowgamecenter_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowmultiplayergaming","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.applicationaccess_allowmultiplayergaming_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowpasswordautofill","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.applicationaccess_allowpasswordautofill_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowpasswordproximityrequests","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.applicationaccess_allowpasswordproximityrequests_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowpasswordsharing","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.applicationaccess_allowpasswordsharing_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowrapidsecurityresponseinstallation","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.applicationaccess_allowrapidsecurityresponseinstallation_true","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess
_allowrapidsecurityresponseremoval","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.applicationaccess_allowrapidsecurityresponseremoval_true","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowuiconfigurationprofileinstallation","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.applicationaccess_allowuiconfigurationprofileinstallation_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowusbrestrictedmode","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.applicationaccess_allowusbrestrictedmode_true","children":[]}}]}]}},{"id":"5","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance","settingDefinitionId":"com.apple.screensaver_com.apple.screensaver","settingInstanceTemplateReference":null,"groupSettingCollectionValue":[{"settingValueTemplateReference":null,"children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.screensaver_askforpassword","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.screensaver_askforpassword_true","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"com.apple.screensaver_askforpassworddelay","settingInstanceTemplateReference":null,"simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationIntegerSettingValue","settingValueTemplateReference":null,"value":5}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstanc
e","settingDefinitionId":"com.apple.screensaver_loginwindowidletime","settingInstanceTemplateReference":null,"simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationIntegerSettingValue","settingValueTemplateReference":null,"value":1200}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"com.apple.screensaver_loginwindowmodulepath","settingInstanceTemplateReference":null,"simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","settingValueTemplateReference":null,"value":"/System/Library/Screen Savers/Monterey.saver"}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"com.apple.screensaver_modulename","settingInstanceTemplateReference":null,"simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","settingValueTemplateReference":null,"value":"Monterey"}}]}]}}]} -------------------------------------------------------------------------------- /Intune macOS Templates/SettingsCatalog-Edge.json: -------------------------------------------------------------------------------- 1 | 
{"@odata.context":"https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity","createdDateTime":"2023-09-18T09:28:18.459784Z","creationSource":null,"description":"","lastModifiedDateTime":"2024-05-07T15:06:04.2041693Z","name":"SettingsCatalog-Edge","platforms":"macOS","priorityMetaData":null,"roleScopeTagIds":["0"],"settingCount":11,"technologies":"mdm,appleRemoteManagement","id":"b56bba69-7449-462e-b3ac-0ad030150ab6","templateReference":{"templateId":"","templateFamily":"none","templateDisplayName":null,"templateDisplayVersion":null},"settings":[{"id":"0","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.managedclient.preferences_browsersignin","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.managedclient.preferences_browsersignin_2","children":[]}}},{"id":"1","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"com.apple.managedclient.preferences_homepagelocation","settingInstanceTemplateReference":null,"simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","settingValueTemplateReference":null,"value":"https://google.ch"}}},{"id":"2","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"com.apple.managedclient.preferences_newtabpagelocation","settingInstanceTemplateReference":null,"simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","settingValueTemplateReference":null,"value":"https://google.ch"}}},{"id":"3","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance","settingDefinitionId":"com.apple.managedclient.preferences_extensioninstallblocklist","settingInstanceTemplateReference":nu
ll,"simpleSettingCollectionValue":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","settingValueTemplateReference":null,"value":"*"}]}},{"id":"4","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"com.apple.managedclient.preferences_defaultsearchprovidername","settingInstanceTemplateReference":null,"simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","settingValueTemplateReference":null,"value":"Google"}}},{"id":"5","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"com.apple.managedclient.preferences_defaultsearchprovidersearchurl","settingInstanceTemplateReference":null,"simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","settingValueTemplateReference":null,"value":"{google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}ie={inputEncoding}"}}},{"id":"6","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"com.apple.managedclient.preferences_defaultsearchprovidersuggesturl","settingInstanceTemplateReference":null,"simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","settingValueTemplateReference":null,"value":"{google:baseURL}complete/search?output=chrome&q={searchTerms}"}}},{"id":"7","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.managedclient.preferences_defaultsearchproviderenabled","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.managedclient.preferences_defaultsearchproviderena
bled_true","children":[]}}},{"id":"8","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.managedclient.preferences_forcesync","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.managedclient.preferences_forcesync_true","children":[]}}},{"id":"9","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.managedclient.preferences_hidefirstrunexperience","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.managedclient.preferences_hidefirstrunexperience_true","children":[]}}},{"id":"10","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance","settingDefinitionId":"com.apple.managedclient.preferences_restoreonstartupurls","settingInstanceTemplateReference":null,"simpleSettingCollectionValue":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","settingValueTemplateReference":null,"value":"https://google.ch"}]}}]} -------------------------------------------------------------------------------- /Intune macOS Templates/SettingsCatalog-MicrosoftAutoUpdate.json: -------------------------------------------------------------------------------- 1 | 
{"@odata.context":"https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity","createdDateTime":"2023-10-27T14:42:11.9430863Z","creationSource":null,"description":"","lastModifiedDateTime":"2024-05-07T15:00:43.6455068Z","name":"SettingsCatalog-MicrosoftAutoUpdate","platforms":"macOS","priorityMetaData":null,"roleScopeTagIds":["0"],"settingCount":8,"technologies":"mdm,appleRemoteManagement","id":"feaa60fa-020b-4709-8ed8-6b08d4a3543f","templateReference":{"templateId":"","templateFamily":"none","templateDisplayName":null,"templateDisplayVersion":null},"settings":[{"id":"0","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.managedclient.preferences_acknowledgeddatacollectionpolicy","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.managedclient.preferences_acknowledgeddatacollectionpolicy_0","children":[]}}},{"id":"1","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"com.apple.managedclient.preferences_updatedeadline.daysbeforeforcedquit","settingInstanceTemplateReference":null,"simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationIntegerSettingValue","settingValueTemplateReference":null,"value":7}}},{"id":"2","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.managedclient.preferences_manifestserver","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.managedclient.preferences_manifestserver_0","children":[]}}},{"id":"3","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.managedclient.preferences_howtocheck","settingInstanceTemplateReference":null,"ch
oiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.managedclient.preferences_howtocheck_0","children":[]}}},{"id":"4","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.managedclient.preferences_enablecheckforupdatesbutton","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.managedclient.preferences_enablecheckforupdatesbutton_true","children":[]}}},{"id":"5","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"com.apple.managedclient.preferences_updatedeadline.finalcountdown","settingInstanceTemplateReference":null,"simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationIntegerSettingValue","settingValueTemplateReference":null,"value":60}}},{"id":"6","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.managedclient.preferences_startdaemononapplaunch","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.managedclient.preferences_startdaemononapplaunch_true","children":[]}}},{"id":"7","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.managedclient.preferences_channelname","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.managedclient.preferences_channelname_0","children":[]}}}]} -------------------------------------------------------------------------------- /Intune macOS Templates/SettingsCatalog-PlatformSSO.json: -------------------------------------------------------------------------------- 1 | 
{"@odata.context":"https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity","createdDateTime":"2024-05-07T08:17:03.1427982Z","creationSource":null,"description":"","lastModifiedDateTime":"2024-05-07T14:20:52.6109211Z","name":"SettingsCatalog-PlatformSSO","platforms":"macOS","priorityMetaData":null,"roleScopeTagIds":["0"],"settingCount":1,"technologies":"mdm,appleRemoteManagement","id":"174c07d7-ec4c-47a2-9d41-b99ae7cb7429","templateReference":{"templateId":"","templateFamily":"none","templateDisplayName":null,"templateDisplayVersion":null},"settings":[{"id":"0","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance","settingDefinitionId":"com.apple.extensiblesso_com.apple.extensiblesso","settingInstanceTemplateReference":null,"groupSettingCollectionValue":[{"settingValueTemplateReference":null,"children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"com.apple.extensiblesso_extensionidentifier","settingInstanceTemplateReference":null,"simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","settingValueTemplateReference":null,"value":"com.microsoft.CompanyPortalMac.ssoextension"}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance","settingDefinitionId":"com.apple.extensiblesso_platformsso","settingInstanceTemplateReference":null,"groupSettingCollectionValue":[{"settingValueTemplateReference":null,"children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.extensiblesso_platformsso_authenticationmethod","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.extensiblesso_platformsso_authenticationmethod_0","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInst
ance","settingDefinitionId":"com.apple.extensiblesso_platformsso_useshareddevicekeys","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.extensiblesso_platformsso_useshareddevicekeys_true","children":[]}}]}]},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"com.apple.extensiblesso_registrationtoken","settingInstanceTemplateReference":null,"simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","settingValueTemplateReference":null,"value":"{{DEVICEREGISTRATION}}"}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.extensiblesso_screenlockedbehavior","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.extensiblesso_screenlockedbehavior_0","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"com.apple.extensiblesso_teamidentifier","settingInstanceTemplateReference":null,"simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","settingValueTemplateReference":null,"value":"UBF8T346G9"}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.extensiblesso_type","settingInstanceTemplateReference":null,"choiceSettingValue":{"settingValueTemplateReference":null,"value":"com.apple.extensiblesso_type_1","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance","settingDefinitionId":"com.apple.extensiblesso_urls","settingInstanceTemplateReference":null,"simpleSettingCollectionValue":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","settingValueTemplateReference":null,"value":"https://login.microsoftonline.com"},{"@
odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","settingValueTemplateReference":null,"value":"https://login.microsoft.com"},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","settingValueTemplateReference":null,"value":"https://sts.windows.net"},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","settingValueTemplateReference":null,"value":"https://login.partner.microsoftonline.cn"},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","settingValueTemplateReference":null,"value":"https://login.chinacloudapi.cn"},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","settingValueTemplateReference":null,"value":"https://login.microsoftonline.us"},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","settingValueTemplateReference":null,"value":"https://login-us.microsoftonline.com"}]}]}]}}]} -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # [Oceanleaf](https://www.oceanleaf.ch) 2 | 3 | [![LinkedIn](https://img.shields.io/badge/LinkedIn-Connect-blue)](https://www.linkedin.com/in/niklas-tinner/) 4 | [![Website](https://img.shields.io/badge/Oceanleaf.ch-Visit-blue)](https://www.oceanleaf.ch) 5 | [![Follow on X](https://img.shields.io/badge/X-Follow-black?logo=x)](https://x.com/NiklasTinner) 6 | 7 | --- 8 | ## 📘 Repository Description 9 | 10 | **Oceanleaf** is a curated collection of real-world Microsoft Cloud tools, workbooks, templates, and automation—built to empower IT professionals and Managed Service Providers (MSPs) in designing, securing, and managing modern cloud environments. 
11 | 12 | --- 13 | 14 | ## 👤 About the Author 15 | 16 | **Niklas Tinner** is a Microsoft MVP from Switzerland, founder of [Oceanleaf.ch](https://www.oceanleaf.ch), and passionate about bridging the gap between deep technical knowledge and real-world implementation. 17 | He works hands-on with customers, MSPs, and enterprise teams—specializing in **Microsoft Cloud Security**. 18 | 19 | --- 20 | 21 | ## 🌍 Mission 22 | 23 | > _“Make knowledge practical and accessible.”_ 24 | 25 | Oceanleaf exists to deliver **clear, field-tested, and scalable solutions** for Microsoft Cloud professionals. 26 | Whether you're securing identities, managing endpoints, or designing zero-trust access, Oceanleaf helps you go beyond theory—offering usable content that saves time and increases impact. 27 | 28 | --- 29 | 30 | ## 💡 Key Values 31 | 32 | - Community & Swiss-made 🇨🇭 33 | - Rooted in customer projects 34 | - Built for automation and scale 35 | - Documented, versioned, and maintainable 36 | 37 | 38 | 39 | ![Oceanleaf](https://www.oceanleaf.ch/content/images/2024/07/oceanleaf-niklas-tinner-1.gif) --------------------------------------------------------------------------------