Query Details

Azure DevOps - Organization Policy - Third-Party Access via OAuth

Azure Dev Ops Third Party Application Access Via O Auth

Query

AzureDevOpsAuditing
| where OperationName == "OrganizationPolicy.PolicyValueUpdated"
| extend PolicyName = tostring(Data.PolicyName)
| extend PolicyValue = tostring(Data.PolicyValue)
| where PolicyValue == "ON"
| where PolicyName == "Policy.DisallowOAuthAuthentication"
| project TimeGenerated, ActorUPN, IpAddress, PolicyName, PolicyValue, ScopeDisplayName

About this query

Azure DevOps - Organization Policy - Third-Party Access via OAuth

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink

Description

Non-Microsoft application via OAuth: Enable non-Microsoft applications to access resources in your organization through OAuth. This policy is defaulted to off for all new organizations. If you want access to non-Microsoft applications, enable this policy to ensure these apps can access resources in your organization.

Use the below query to identify when Third-Party application access via OAuth is enabled in Azure DevOps

References

Microsoft Sentinel

Explanation

This KQL query is designed to monitor Azure DevOps for changes in organization policies related to third-party application access via OAuth. Specifically, it identifies when the policy that disallows OAuth authentication is turned on, which effectively enables third-party applications to access resources in the organization.

Here's a simple breakdown of the query:

  1. Data Source: The query pulls data from the AzureDevOpsAuditing table, which logs auditing events in Azure DevOps.

  2. Filter by Operation: It looks for operations where the policy value has been updated, specifically the operation named "OrganizationPolicy.PolicyValueUpdated".

  3. Extract Policy Details: The query extracts the policy name and value from the data, converting them to string format for easy comparison.

  4. Check Policy Status: It filters the results to find instances where the policy value is set to "ON" for the policy named "Policy.DisallowOAuthAuthentication". This indicates that the policy to disallow OAuth authentication is turned on, allowing third-party access.

  5. Select Relevant Information: Finally, it projects (selects) relevant details such as the time of the event (TimeGenerated), the user who made the change (ActorUPN), their IP address (IpAddress), the policy name and value, and the scope of the policy change (ScopeDisplayName).

In summary, this query helps administrators track when and by whom the policy allowing third-party OAuth access is enabled in Azure DevOps, which is crucial for maintaining security and compliance.

Details

Alex Verboon profile picture

Alex Verboon

Released: April 16, 2026

Tables

AzureDevOpsAuditing

Keywords

AzureDevOpsOrganizationPolicyThird-PartyAccessOAuthApplicationResourcesMicrosoftSentinel

Operators

AzureDevOpsAuditing|where==extendtostringproject

Actions

GitHub