New or Rogue OAuth Application First Seen in Tenant
20 New Rogue O Auth Application
Query
let KnownApps =
AADNonInteractiveUserSignInLogs
| where TimeGenerated between (ago(14d) .. ago(7d))
| summarize by AppId;
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| join kind=leftanti KnownApps on AppId
| summarize
FirstSeen = min(TimeGenerated),
UserCount = dcount(UserPrincipalName),
Users = make_set(UserPrincipalName, 10),
IPs = make_set(IPAddress),
Countries = make_set(Location)
by AppDisplayName, AppId
| extend IPAddress = tostring(IPs[0])
| order by FirstSeen descExplanation
This query is designed to detect new or potentially rogue OAuth applications that have appeared in your Azure Active Directory tenant within the last 7 days. It specifically looks for applications that have not shown any activity in the previous 30 days. The sudden appearance of these applications generating non-interactive sign-ins could indicate unauthorized app consent, rogue app registration, or a compromise in a third-party supply chain that grants persistent access to your tenant.
Here's a simplified breakdown of the query:
-
Known Applications: It first identifies applications that were active between 14 and 7 days ago, creating a list of known applications.
-
New Applications: It then checks for applications that have started generating non-interactive sign-ins in the last 7 days and were not in the list of known applications.
-
Data Collection: For these new applications, it collects details such as the first time they were seen, the number of users affected, and the IP addresses and countries from which the sign-ins originated.
-
Alert Generation: If any such new applications are detected, an alert is generated with details like the application name, ID, and the number of affected users. The alert suggests verifying whether the application's authorization is legitimate.
-
Incident Management: If an alert is triggered, it can create an incident, and there's a configuration to group related alerts into a single incident based on the application.
The query is scheduled to run every 24 hours and looks back over a 14-day period. It is designed to help identify potential security threats related to unauthorized access via OAuth applications, aligning with tactics like Persistence, Credential Access, and Initial Access as per the MITRE ATT&CK framework.
Details

David Alonso
Released: May 29, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 24h
Period: 14d