current_principal_is_member_of()

Applies to: ✅ Azure Data Explorer, Azure Monitor, Microsoft Sentinel

Checks group membership or principal identity of the current principal running the query.

Syntax

current_principal_is_member_of(group)

Learn more about syntax conventions.

Parameters

Name | Type | Required | Description
group | dynamic | ✔️ | An array of string literals in which each literal represents a Microsoft Entra principal. See examples for Microsoft Entra principals.

Note

  • To avoid throttling from Microsoft Entra ID, the current_principal_is_member_of() function only works with string literals. Values that aren't string literals result in an error, which prevents a potentially large number of queries to Microsoft Entra ID.
  • Checking group memberships can be resource-intensive. Since group memberships don't change frequently, the results of membership checks are cached. The caching duration varies with factors such as the membership result (whether the principal is a member or not) and the type of principal (user or application), among others. It is at least 30 minutes and can extend up to three hours. A membership change might therefore not be reflected in the function's result until the cached entry expires.

Returns

The function returns true if the current principal running the query is successfully matched for at least one input argument. If not, the function returns false.

Examples

print result=current_principal_is_member_of(
    'aaduser=user1@fabrikam.com', 
    'aadgroup=group1@fabrikam.com',
    'aadapp=66ad1332-3a94-4a69-9fa2-17732f093664;72f988bf-86f1-41af-91ab-2d7cd011db47'
    )

Output

result
false

Using dynamic array instead of multiple arguments:

print result=current_principal_is_member_of(
    dynamic([
    'aaduser=user1@fabrikam.com', 
    'aadgroup=group1@fabrikam.com',
    'aadapp=66ad1332-3a94-4a69-9fa2-17732f093664;72f988bf-86f1-41af-91ab-2d7cd011db47'
    ]))

Output

result
false
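
Gating column visibility on group membership, as an added example that is not part of the original documentation. The SignInEvents table, its columns, its rows, and the group name soc-analysts@fabrikam.com are constructed for illustration.

```kusto
// Constructed sample rows; the table name, columns, and values are assumptions.
let SignInEvents = datatable(Timestamp: datetime, Account: string, SourceIp: string)
[
    datetime(2024-05-01 08:15:00), 'alice@fabrikam.com', '203.0.113.10',
    datetime(2024-05-01 08:17:00), 'bob@fabrikam.com',   '198.51.100.24'
];
// The principal is written as a string literal, as the function requires.
// A group name read from a column or computed at run time results in an error.
// The group name below is a constructed placeholder.
let CallerIsAnalyst = current_principal_is_member_of('aadgroup=soc-analysts@fabrikam.com');
SignInEvents
// Members of the group see the real values; every other caller sees a redacted marker.
| extend Account  = iff(CallerIsAnalyst, Account,  '<redacted>'),
         SourceIp = iff(CallerIsAnalyst, SourceIp, '<redacted>')
| project Timestamp, Account, SourceIp
```

A caller who is not matched by the literal gets both rows with Account and SourceIp replaced by '<redacted>'.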