Detect Potential Consent Fix O Auth Authorisation Code Theft Attempts
Query
//Query from https://sentinel.blog/consentfix-securing-your-tenant-against-oauth-authorisation-code-theft/
//Credit: Toby G
// Focus on non-interactive sign-ins to vulnerable applications from unexpected locations
let VulnerableApps = dynamic([
"04b07795-8ddb-461a-bbee-02f9e1bf7b46", // Azure CLI
"1950a258-227b-4e31-a9cf-717495945fc2", // Azure PowerShell
"04f0c124-f2bc-4f59-8241-bf6df9866bbd", // Visual Studio
"aebc6443-996d-45c2-90f0-388ff96faa56", // VS Code
"12128f48-ec9e-42f0-b203-ea49fb6af367" // Teams PowerShell
]);
let TimeWindow = 24h;
// Get successful interactive sign-ins
let InteractiveSessions = SigninLogs
| where TimeGenerated > ago(TimeWindow)
| where AppId in (VulnerableApps)
| where ResultType == 0
| where AuthenticationRequirement in ("singleFactorAuthentication", "multiFactorAuthentication")
| extend InteractiveTime = TimeGenerated
| extend LocationDetailsJson = parse_json(LocationDetails)
| extend InteractiveLocation = tostring(LocationDetailsJson.countryOrRegion)
| extend InteractiveCity = tostring(LocationDetailsJson.city)
| project UserPrincipalName, CorrelationId, InteractiveTime, InteractiveLocation, InteractiveCity, IPAddress, AppDisplayName, SessionId = CorrelationId;
// Get non-interactive token requests
let NonInteractiveSessions = AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(TimeWindow)Explanation
This KQL (Kusto Query Language) query is designed to monitor and identify potential security risks related to OAuth authorization code theft in a Microsoft Azure environment. Here's a simplified breakdown of what the query does:
-
Define Vulnerable Applications: It starts by listing a set of application IDs that are considered vulnerable. These include Azure CLI, Azure PowerShell, Visual Studio, VS Code, and Teams PowerShell.
-
Set a Time Window: The query focuses on activities that occurred within the last 24 hours.
-
Identify Interactive Sign-ins:
- It searches through sign-in logs to find successful interactive sign-ins (where a user manually logs in) to the vulnerable applications within the specified time window.
- It filters these sign-ins to only include those that were authenticated using either single-factor or multi-factor authentication.
- For each sign-in, it extracts details such as the user's principal name, correlation ID, time of sign-in, location (country or region and city), IP address, application display name, and session ID.
-
Prepare for Non-Interactive Sessions:
- The query sets up a structure to capture non-interactive sign-ins (where a system or application logs in without user interaction) from the Azure Active Directory logs.
- This part of the query is incomplete in the provided snippet but is intended to identify non-interactive sign-ins to the same vulnerable applications within the same time window.
Overall, the query aims to detect and analyze sign-in patterns, focusing on non-interactive sign-ins to vulnerable applications from unexpected locations, which could indicate unauthorized access attempts or potential security breaches.
Details

Jay Kerai
Released: February 5, 2026
Tables
Keywords
Operators