Cross-tenant Access Settings Organization Deleted

  • ExtTenantDeleted (Deleted External Tenant ID): b4c546a4-7dac-46a6-a7dd-ed822a11efd3
  • InitiatingAppName: EntraGDAP
  • InitiatingAppServicePrincipalId: bc2f2da0-9048-42a2-877f-1996a4f6ae5c
  • InitiatingUserPrincipalName: (empty – app-initiated action)
  • InitiatingAadUserId: (empty)
  • InitiatingIpAddress: (empty)
  • InitiatingAccountName: (empty)
  • InitiatingAccountUPNSuffix: (empty)

This event would trigger an alert under the rule, as it exceeds the threshold of 0 occurrences within the query period.

Interpretation of the Log

  • What Happened: A partner-specific cross-tenant access policy was deleted for the external tenant b4c546a4-7dac-46a6-a7dd-ed822a11efd3. The home tenant (where the log was generated) is 80002dae-06b4-411a-b24b-1630a9a5365b.
  • Initiator: The action was performed by the “EntraGDAP” application. GDAP (Granular Delegated Admin Privileges) is a Microsoft security feature for partners, enabling least-privileged, time-bound access to customer tenants following Zero Trust principles. “EntraGDAP” appears to be an internal app name used for managing these privileges in Microsoft Entra ID.
  • Deleted Tenant Context: The tenant ID b4c546a4-7dac-46a6-a7dd-ed822a11efd3 is associated with Microsoft’s support infrastructure, specifically the “Office365ConciergeSupport.onmicrosoft.com” domain (a concierge/support tenant used for customer assistance). This suggests the deletion revoked access for Microsoft support engineers, likely as part of closing a support case.
  • Why This Occurs: When a Microsoft 365 support case is created, temporary cross-tenant access is granted to Microsoft engineers for diagnostics. Upon case closure (or after 30 days), access is automatically revoked, and the revocation is logged as this exact activity type, initiated by EntraGDAP. This is a standard, non-suspicious operation unless it is unexpected in your environment (e.g., no recent support cases).
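
A triage check built from the interpretation above, as an added example (not part of the original post and not Microsoft tooling). It takes the rule's entity fields as a dict plus a list of support-case open times, an assumed input from your own ticketing records. The app name, service principal ID and tenant ID are the values from the log on this page, and the one-day slack on the 30-day window is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Baseline values copied from the log on this page. The service principal ID
# is specific to the tenant that produced the log; replace it with your own.
EXPECTED_APP = "EntraGDAP"
EXPECTED_SP_ID = "bc2f2da0-9048-42a2-877f-1996a4f6ae5c"
SUPPORT_TENANTS = {"b4c546a4-7dac-46a6-a7dd-ed822a11efd3"}  # Office365ConciergeSupport
# Page states revocation at case closure or after 30 days; the extra day of
# slack is an assumption to absorb timestamp skew.
REVOKE_WINDOW = timedelta(days=31)
USER_FIELDS = ("InitiatingUserPrincipalName", "InitiatingAadUserId",
               "InitiatingIpAddress", "InitiatingAccountName")


def triage(event, event_time, support_case_opened):
    """Return (verdict, reasons); verdict is 'expected' or 'review'."""
    reasons = []
    if any(event.get(f) for f in USER_FIELDS):
        reasons.append("user context present: not a purely app-initiated action")
    if event.get("InitiatingAppName") != EXPECTED_APP:
        reasons.append("initiating app is not EntraGDAP")
    elif event.get("InitiatingAppServicePrincipalId") != EXPECTED_SP_ID:
        # Display names are not unique in Entra ID, so the name alone is weak.
        reasons.append("app name matches but service principal ID differs")
    if (event.get("ExtTenantDeleted") or "").lower() not in SUPPORT_TENANTS:
        reasons.append("deleted tenant is not a known support tenant")
    if not any(timedelta(0) <= event_time - t <= REVOKE_WINDOW
               for t in support_case_opened):
        reasons.append("no support case opened in the window before the event")
    return ("expected" if not reasons else "review"), reasons


# Constructed sample: the event fields from this page, with made-up timestamps.
SAMPLE_EVENT = {
    "ExtTenantDeleted": "b4c546a4-7dac-46a6-a7dd-ed822a11efd3",
    "InitiatingAppName": "EntraGDAP",
    "InitiatingAppServicePrincipalId": "bc2f2da0-9048-42a2-877f-1996a4f6ae5c",
    "InitiatingUserPrincipalName": "",
    "InitiatingAadUserId": "",
    "InitiatingIpAddress": "",
}
SAMPLE_TIME = datetime(2025, 1, 20, 9, 0, tzinfo=timezone.utc)
SAMPLE_CASES = [datetime(2025, 1, 8, 14, 30, tzinfo=timezone.utc)]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT, SAMPLE_TIME, SAMPLE_CASES))  # benign revocation
    print(triage(SAMPLE_EVENT, SAMPLE_TIME, []))            # no matching case
```

A "review" verdict lists every check that failed, so an analyst can see whether the deviation is the initiator, the target tenant, or the missing support case.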