KQL Search

Query Details

HomeAI ToolsDevice Query

Audit Logic Apps With Office365 Connections Using Resource Query

Query

//Credit: santisq
resources
| where ['type'] == 'microsoft.logic/workflows'
| extend connections = properties['parameters']['$connections']['value']
| mv-expand key = bag_keys(connections)
| where key startswith 'office365'
| extend connectionId = tostring(connections[tostring(key)]['connectionId'])
| join kind=inner (
    resources
    | where ['type'] == 'microsoft.web/connections'
        //and properties['authenticatedUser']['name'] =~ '[email protected]' //if you want to drill down on who authorized the connection
    | project
        connectionId = id,
        connectionName = name,
        connectionProperties = properties,
        connectionResourceGroup = resourceGroup
) on connectionId
| project-away connectionId1
//Consider using Managed Identities with exchange RBAC instead https://janbakker.tech/a-love-story-about-role-based-access-control-for-applications-in-exchange-online-managed-identities-entra-id-admin-units-and-graph-api/

Explanation

This KQL (Kusto Query Language) query is designed to analyze Azure resources, specifically focusing on Logic Apps and their connections to Office 365 services. Here's a simplified breakdown of what the query does:

  1. Filter Logic Apps: It starts by filtering resources to find those of type microsoft.logic/workflows, which are Azure Logic Apps.

  2. Extract Connections: It then extracts the connection details from these Logic Apps, specifically looking at the $connections property.

  3. Expand and Filter Connections: The query expands these connections to find those that start with 'office365', indicating they are related to Office 365 services.

  4. Extract Connection IDs: For each relevant connection, it extracts the connectionId.

  5. Join with Web Connections: The query then performs an inner join with another set of resources of type microsoft.web/connections. This part of the query is looking for connections that match the extracted connectionId.

  6. Project Relevant Details: After joining, it selects specific details about these connections, such as the connection name, properties, and the resource group they belong to.

  7. Optional Filtering: There is a commented-out section that allows for further filtering based on the authenticated user's email, which can be used to identify who authorized the connection.

  8. Recommendation: Finally, there's a comment suggesting the use of Managed Identities with Exchange RBAC (Role-Based Access Control) as a more secure alternative for managing permissions.

Overall, this query helps identify and analyze Office 365 connections used by Azure Logic Apps, providing insights into how these connections are configured and who authorized them.

Details

Jay Kerai profile picture

Jay Kerai

Released: December 1, 2025

Tables

resources

Keywords

ResourcesConnectionsWorkflowsOffice365ConnectionIdConnectionNameConnectionPropertiesConnectionResourceGroup

Operators

resources|where==extend=mv-expandbag_keysstartswithtostringjoinkind=innerprojectproject-away

Actions