TenLens
Back to script library
Entra / Microsoft 365 · Teams

Find Entra ID Direct Connect sign-ins

Use Entra ID sign-in audit logs to find user accounts accessing external tenants via Teams Direct Connect (shared channels).

Connect & set up

Run these once per session. All scopes are read-only unless the script makes changes.

Connect-MgGraph -Scopes AuditLog.Read.All, Directory.Read.All, Directory.AccessAsUser.All

Run it

The main script. Copy it, or download the .ps1 and run it from your console.

param(
    [string] $TenantId = "$Tenant.Id"
)
 
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All","Directory.AccessAsUser.All"
 
$Tenant = Get-MgOrganization
$TenantName = $Tenant.DisplayName
Write-Host "Finding sign-in audit records that aren't from" $TenantName "..."
[array]$AzureADSignIns = Get-MgBetaAuditLogSignIn -Filter "ResourceTenantId ne '$TenantID' and CrossTenantAccessType eq 'b2bDirectConnect'" -All
 
If (!($AzureADSignIns)) {
   Write-Host "No Entra ID sign-in records for B2B Direct Connect found from other Microsoft 365 tenants - exiting"
   break
} Else {
   Write-Host ("{0} Entra iD sign-in records from other Microsoft 365 tenants found - analyzing..." -f $AzureADSignIns.count )
}
 
$TenantNames = @{}
$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($Record in $AzureADSignIns){
   $ExternalTenantId = $Record.ResourceTenantId
   If (!($TenantNames[$ExternalTenantId])) {
   # Get the tenant name because we haven't stored it yet in the hash table
     $Uri = "https://graph.microsoft.com/beta/tenantRelationships/findTenantInformationByTenantId(tenantId='$ExternalTenantId')"
     $ExternalTenantData = Invoke-MgGraphRequest -Uri $Uri -Method Get
     $TenantNames.Add($ExternalTenantId,$ExternalTenantData.DisplayName)
     $ExternalTenantDisplayName = $ExternalTenantData.DisplayName
   } Else { # We have seen the tenant name before, so just read the info.
     $ExternalTenantDisplayName = $TenantNames[$ExternalTenantId]
   }
 
 # Get Error code
   $ErrorCode = ($Record | Select-Object -ExpandProperty Status).ErrorCode
   $FailureReason = ($Record | Select-Object -ExpandProperty Status).FailureReason
 
   $ExternalData = [PSCustomObject][Ordered]@{
       Timestamp     = $Record.CreatedDateTime
       User          = $Record.UserDisplayName
       UserId        = $Record.UserId
       UPN           = $Record.UserPrincipalName
       TenantName    = $ExternalTenantDisplayName
       TenantId      = $ExternalTenantId
       Resource      = $Record.ResourceDisplayName
       AppName       = $Record.AppDisplayName
       Type          = $Record.CrossTenantAccessType
       ErrorCode     = $ErrorCode
       FailureReason = $FailureReason
       }
   $Report.Add($ExternalData)
}
 
$Report | Sort-Object {$_.Timestamp -as [datetime]} | Select-Object Timestamp, User, TenantName, Resource, AppName | Out-GridView

Parameters

ParameterDefaultNotes
-TenantId$Tenant.IdMicrosoft Entra tenant ID used to filter sign-ins from external tenants.
Attribution
Author
Office365itpros
Related scripts
Entra / Microsoft 365 · Exchange Online

Add contacts to mailboxes

Copies organizational contacts from a SharePoint list into Exchange user mailboxes for newly licensed users, using app-only Microsoft Graph permissions.

Entra / Microsoft 365 · Applications

Add owners to apps

Finds Entra ID app registrations without owners and assigns the last modifier or creator as owner, using unified audit log records to identify who last managed each app.

Entra / Microsoft 365 · Teams

Add Teams to group expiration policy

Adds Microsoft Teams whose backing groups are not yet covered by the Microsoft 365 group expiration policy.