List applications with Mail. API permissions
Application Mail Permission
Query
OAuthAppInfo
| where Permissions has "Mail."
| summarize arg_max(Timestamp, *) by OAuthAppId
| mv-expand Permissions
| extend PermissionValue = tostring(Permissions.PermissionValue), InUse = tobool(Permissions.InUse), PrivilegeLevel = tostring(Permissions.PrivilegeLevel)
| where PermissionValue startswith "Mail."
| summarize TotalMailPermissions = dcount(PermissionValue), Permissions = make_set(PermissionValue) by OAuthAppId, AppName, AppOriginAbout this query
List applications with Mail.* API permissions
Query Information
Description
The query below lists the applications that have Mail.* Graph API permissions. These permissions are highly sensitive as it can give access to individual or shared mailboxes.
Risk
The Mail.* permissions grand access to mail data, which is considered highly sensitive. The permissions can be abused to get unautorized access to mailboxes.
Defender XDR
Sentinel
OAuthAppInfo
| where Permissions has "Mail."
| summarize arg_max(TimeGenerated, *) by OAuthAppId
| mv-expand Permissions
| extend PermissionValue = tostring(Permissions.PermissionValue), InUse = tobool(Permissions.InUse), PrivilegeLevel = tostring(Permissions.PrivilegeLevel)
| where PermissionValue startswith "Mail."
| summarize TotalMailPermissions = dcount(PermissionValue), Permissions = make_set(PermissionValue) by OAuthAppId, AppName, AppOrigin
Explanation
This query is designed to identify applications that have been granted permissions related to accessing mail data through the Microsoft Graph API. Specifically, it looks for applications with permissions that start with "Mail.", which are considered highly sensitive because they can provide access to individual or shared mailboxes.
Here's a simplified breakdown of what the query does:
-
Data Source: It starts by accessing a dataset called
OAuthAppInfo, which contains information about applications and their permissions. -
Filter for Mail Permissions: The query filters the data to only include applications that have permissions related to mail (those containing "Mail.").
-
Select Latest Entry: For each application, it selects the most recent entry based on a timestamp (
Timestampin Defender XDR andTimeGeneratedin Sentinel). -
Expand Permissions: It expands the permissions to analyze each one individually.
-
Extract Permission Details: It extracts details about each permission, including its value, whether it's currently in use, and its privilege level.
-
Filter for Specific Mail Permissions: It further filters the permissions to only include those that specifically start with "Mail.".
-
Summarize Results: Finally, it summarizes the results by counting the total number of mail-related permissions for each application and lists these permissions. It groups the results by application ID, name, and origin.
Overall, this query helps identify applications with potentially risky access to mail data, allowing for further investigation or action to mitigate unauthorized access risks.
Details

Bert-Jan Pals
Released: April 14, 2025
Tables
Keywords
Operators