current_principal_is_member_of()
Applies to: ✅ Azure Data Explorer ✅ Azure Monitor ✅ Microsoft Sentinel
Checks group membership or principal identity of the current principal running the query.
Syntax
current_principal_is_member_of(
group)
Learn more about syntax conventions.
Parameters
Name | Type | Required | Description |
---|---|---|---|
group | dynamic |
✔️ | An array of string literals in which each literal represents a Microsoft Entra principal. See examples for Microsoft Entra principals. |
Note
- To avoid throttling from Microsoft Entra ID, the
current_principal_is_member_of()
function only works with string literals. Using values that aren't string literals will result in an error in order to avoid a potentially large number of queries to Microsoft Entra ID. - Checking group memberships can be resource-intensive. Since group memberships don't change frequently, the results of membership checks are cached. The caching duration varies and is influenced by factors such as the membership result (whether the principal is a member or not), the type of principal (user or application), among others. The maximum caching duration can extend up to three hours, while the minimum duration is 30 minutes.
Returns
The function returns true
if the current principal running the query is successfully matched for at least one input argument. If not, the function returns false
.
Examples
print result=current_principal_is_member_of(
'aaduser=user1@fabrikam.com',
'aadgroup=group1@fabrikam.com',
'aadapp=66ad1332-3a94-4a69-9fa2-17732f093664;72f988bf-86f1-41af-91ab-2d7cd011db47'
)
Output
result |
---|
false |
Using dynamic array instead of multiple arguments:
print result=current_principal_is_member_of(
dynamic([
'aaduser=user1@fabrikam.com',
'aadgroup=group1@fabrikam.com',
'aadapp=66ad1332-3a94-4a69-9fa2-17732f093664;72f988bf-86f1-41af-91ab-2d7cd011db47'
]))
Output
result |
---|
false |