
Explanation:

To find all security principals (users or service principals/apps) that changed or deleted groups, you should query MicrosoftGraphActivityLogs and filter for requests targeting the groups endpoint, then exclude read- only operations. The RequestUri field contains the full Graph URL that the principal called (e.g., /v1.0
/groups/{id}), so filtering where RequestUri contains "/group" (or "/groups") isolates group-related operations. Changes and deletions are non-read HTTP verbs such as POST, PATCH, PUT, and DELETE.
The simplest way to capture all of them is to exclude reads: where RequestMethod != "GET". Finally, projecting AppId, UserId, and ServicePrincipalId returns the identities (user or app) behind each request, which are the "security principals" you need to report.
So the completed KQL is:
MicrosoftGraphActivityLogs
| where RequestUri contains "/group"
| where RequestMethod != "GET"
| project AppId, UserId, ServicePrincipalId