Query Details

Azure DevOps Third-Party Application Access Via OAuth

Query

# Azure DevOps - Organization Policy - Third-Party Access via OAuth

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
|  |  |  |

### Description

Non-Microsoft application via OAuth: Enable non-Microsoft applications to access resources in your organization through OAuth. This policy is defaulted to off for all new organizations. If you want access to non-Microsoft applications, enable this policy to ensure these apps can access resources in your organization.

Use the query below to identify when third-party application access via OAuth is enabled in Azure DevOps.

#### References

- [DevOps threat matrix](https://www.microsoft.com/en-us/security/blog/2023/04/06/devops-threat-matrix/)
- [Change application connection & security policies for your organization](https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/change-application-access-policies?view=azure-devops)

### Microsoft Sentinel

```kql
// Audit events for organization-level policy changes in Azure DevOps
AzureDevOpsAuditing
| where OperationName == "OrganizationPolicy.PolicyValueUpdated"
// Data is a dynamic bag; pull the policy name and its new value out as strings
| extend PolicyName = tostring(Data.PolicyName)
| extend PolicyValue = tostring(Data.PolicyValue)
// Keep only the change that enables third-party OAuth application access
| where PolicyValue == "ON"
| where PolicyName == "Policy.DisallowOAuthAuthentication"
| project TimeGenerated, ActorUPN, IpAddress, PolicyName, PolicyValue, ScopeDisplayName
```

Explanation

This query is designed to monitor Azure DevOps for changes in the organization's policy regarding third-party application access via OAuth. Here's a simple breakdown of what the query does:

  1. Data Source: It uses the AzureDevOpsAuditing table, which logs various activities and changes within Azure DevOps.

  2. Filter for Specific Operation: The query looks for operations where the policy value has been updated, specifically the operation named "OrganizationPolicy.PolicyValueUpdated".

  3. Extract Policy Details: It extracts the policy name and value from the data, converting them to string format for further processing.

  4. Identify Enabled OAuth Access: The query filters for cases where the policy value is set to "ON" and the policy name is "Policy.DisallowOAuthAuthentication". This indicates that the restriction on OAuth authentication has been turned off, thereby enabling third-party applications to access resources.

  5. Output Relevant Information: Finally, it projects (or selects) specific columns to display: the time the change was made (TimeGenerated), the user who made the change (ActorUPN), the IP address from which the change was made (IpAddress), the policy name, the policy value, and the scope of the change (ScopeDisplayName).

In summary, this query helps identify when the policy to disallow OAuth authentication is turned off, allowing third-party applications to access Azure DevOps resources, which could be a potential security concern.
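To show how the filter chain behaves on concrete records, here is an added Python re-implementation of the query's logic (example code, not part of the original page or of Microsoft Sentinel) run over constructed rows shaped like AzureDevOpsAuditing. The rows, the policy name `Policy.ExamplePlaceholder` and the handling of `Data` as either a dict or a JSON string are assumptions made for the example; the column and policy names otherwise come from the query above.

```python
import json

# Constructed sample rows in the shape of AzureDevOpsAuditing (not real tenant data).
# Data is a dynamic column in KQL; here it arrives either as a dict or as a JSON string.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-11-18T09:12:03Z", "OperationName": "OrganizationPolicy.PolicyValueUpdated",
     "ActorUPN": "admin@contoso.example", "IpAddress": "203.0.113.10", "ScopeDisplayName": "Contoso",
     "Data": {"PolicyName": "Policy.DisallowOAuthAuthentication", "PolicyValue": "ON"}},   # hit
    {"TimeGenerated": "2024-11-18T09:15:44Z", "OperationName": "OrganizationPolicy.PolicyValueUpdated",
     "ActorUPN": "admin@contoso.example", "IpAddress": "203.0.113.10", "ScopeDisplayName": "Contoso",
     "Data": {"PolicyName": "Policy.DisallowOAuthAuthentication", "PolicyValue": "OFF"}},  # no hit
    {"TimeGenerated": "2024-11-18T10:02:10Z", "OperationName": "OrganizationPolicy.PolicyValueUpdated",
     "ActorUPN": "ops@contoso.example", "IpAddress": "198.51.100.7", "ScopeDisplayName": "Contoso",
     "Data": {"PolicyName": "Policy.ExamplePlaceholder", "PolicyValue": "ON"}},            # constructed other policy
    {"TimeGenerated": "2024-11-18T11:30:00Z", "OperationName": "OrganizationPolicy.PolicyValueUpdated",
     "ActorUPN": "ops@contoso.example", "IpAddress": "198.51.100.7", "ScopeDisplayName": "Contoso",
     "Data": '{"PolicyName": "Policy.DisallowOAuthAuthentication", "PolicyValue": "ON"}'}, # hit (Data as string)
]


def _as_dict(data):
    """Mirror KQL's dynamic Data column: accept a dict or a JSON-encoded string."""
    if isinstance(data, str):
        try:
            data = json.loads(data)
        except json.JSONDecodeError:
            return {}
    return data if isinstance(data, dict) else {}


def detect_oauth_policy_enabled(events):
    """Python equivalent of the query: where -> extend -> where -> project (exact, case-sensitive matches like KQL ==)."""
    hits = []
    for e in events:
        if e.get("OperationName") != "OrganizationPolicy.PolicyValueUpdated":
            continue
        data = _as_dict(e.get("Data"))
        name, value = str(data.get("PolicyName", "")), str(data.get("PolicyValue", ""))
        if value != "ON" or name != "Policy.DisallowOAuthAuthentication":
            continue
        hits.append({"TimeGenerated": e.get("TimeGenerated"), "ActorUPN": e.get("ActorUPN"),
                     "IpAddress": e.get("IpAddress"), "PolicyName": name,
                     "PolicyValue": value, "ScopeDisplayName": e.get("ScopeDisplayName")})
    return hits


if __name__ == "__main__":
    for hit in detect_oauth_policy_enabled(SAMPLE_EVENTS):
        print(hit)
```

Only the two rows that carry the expected operation, policy name and an "ON" value survive; a lower-case "on" would not match, just as it would not with the KQL `==` operator.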

Details


Alex Verboon

Released: November 18, 2024

Tables

AzureDevOpsAuditing

Keywords

AzureDevOpsOrganizationPolicyThirdPartyAccessOAuth

Operators

AzureDevOpsAuditing, where, ==, extend, tostring, project
