KQL Search

Query Details

Admin Consent

Query

//The applications an administrator granted admin consent

AuditLogs
| where OperationName == "Consent to application"
| extend Iby=todynamic(InitiatedBy) 
| extend IbyUser=(Iby.user)
| extend TR=todynamic(tostring(TargetResources))
| mv-expand Targets = TR
| project TimeGenerated,AADTenantId,UPN=IbyUser.userPrincipalName,APPName=Targets.displayName,APPID=Targets.id

Explanation

This query retrieves information about the applications for which an administrator has granted admin consent. It includes details such as the time the consent was granted, the Azure Active Directory (AAD) tenant ID, the user principal name of the administrator who granted consent, and the display name and ID of the application.

Details

Rod Trent

Released: August 7, 2020

Tables

AuditLogs

Keywords

AuditLogs,OperationName,Consent,Application,Admin,InitiatedBy,User,UserPrincipalName,TargetResources,TimeGenerated,AADTenantId,UPN,APPName,APPID

Operators

whereextendtodynamictostringmv-expandproject

KQL Search

Admin Consent

Query

Explanation

Details

Actions