Admin Consent
Query
//The applications an administrator granted admin consent
AuditLogs
| where OperationName == "Consent to application"
| extend Iby=todynamic(InitiatedBy)
| extend IbyUser=(Iby.user)
| extend TR=todynamic(tostring(TargetResources))
| mv-expand Targets = TR
| project TimeGenerated,AADTenantId,UPN=IbyUser.userPrincipalName,APPName=Targets.displayName,APPID=Targets.idExplanation
This query retrieves information about the applications for which an administrator has granted admin consent. It includes details such as the time the consent was granted, the Azure Active Directory (AAD) tenant ID, the user principal name of the administrator who granted consent, and the display name and ID of the application.
Details

Rod Trent
Released: August 7, 2020
Tables
AuditLogs
Keywords
AuditLogsOperationNameConsentApplicationAdminInitiatedByUserUserPrincipalNameTargetResourcesTimeGeneratedAADTenantIdUPNAPPNameAPPID
Operators
whereextendtodynamictostringmv-expandproject