Query Details

Entra ID - Oauth App Information

Entra ID Oauth App Info

Query

OAuthAppInfo 
| summarize arg_max(TimeGenerated,*) by OAuthAppId
| mv-expand Permissions
| extend Permission = tostring(parse_json(Permissions.PermissionValue))
| extend PermPrivilegeLevel = tostring(parse_json(Permissions.PrivilegeLevel))
| project
    AppName,
    PrivilegeLevel,
    Permission,
    AppStatus,
    ConsentedUsersCount,
    IsAdminConsented,
    AppOrigin,
    ServicePrincipalId,
    Permissions,
    PermPrivilegeLevel
| summarize
    //PrivLevels = make_set(PermPrivilegeLevel),
    Low = countif(PermPrivilegeLevel == "Low"),
    Medium = countif(PermPrivilegeLevel == "Medium"),
    High = countif(PermPrivilegeLevel == "High"),
    NA = countif(PermPrivilegeLevel == "NA")
    by AppName, ConsentedUsersCount, IsAdminConsented, AppStatus, AppOrigin
| order by High desc, Medium desc, Low desc

About this query

Entra ID - Oauth App Information

Query Information

Description

Use the below info to query to OAuthAppInfo table in Defender XDR

Author

  • Alex Verboon

References

Microsoft Defender XDR

List relevant information from the OAutahAppInfo Table and count the permissions by Permission Level

External OAuth Apps and their external Tenant ID information

OAuthAppInfo
| where isnotempty( AppOwnerTenantId)
| where AppOrigin == 'External'
| summarize arg_max(TimeGenerated,*) by OAuthAppId
| project AppName, VerifiedPublisher, ServicePrincipalId, OAuthAppId, PrivilegeLevel, Permissions, AppOrigin, AppOwnerTenantId
| extend VerifiedPublisher_displayName = tostring(parse_json(VerifiedPublisher)["displayName"])

Explanation

This KQL query is designed to analyze and summarize information about OAuth applications from the OAuthAppInfo table in Microsoft Defender XDR. Here's a simple breakdown of what each part of the query does:

  1. First Query:

    • Purpose: To list relevant information about OAuth applications and count their permissions based on privilege levels.
    • Steps:
      • Retrieves the most recent information for each OAuth application using arg_max.
      • Expands the permissions associated with each application.
      • Extracts and formats the permission value and privilege level.
      • Projects (selects) specific fields such as AppName, PrivilegeLevel, Permission, and others for further analysis.
      • Summarizes the data by counting the number of permissions at different privilege levels (Low, Medium, High, NA) for each application.
      • Orders the results by the number of High privilege level permissions in descending order, followed by Medium and Low.
  2. Second Query:

    • Purpose: To identify external OAuth applications and gather information about their external tenant IDs.
    • Steps:
      • Filters the data to include only applications with a non-empty AppOwnerTenantId and those originating externally.
      • Retrieves the most recent information for each external OAuth application.
      • Projects specific fields such as AppName, VerifiedPublisher, ServicePrincipalId, and others.
      • Extracts and formats the display name of the verified publisher.

Overall, these queries help in understanding the distribution of permission levels across OAuth applications and identifying external applications along with their tenant information.

Details

Alex Verboon profile picture

Alex Verboon

Released: April 16, 2026

Tables

OAuthAppInfo

Keywords

OAuthAppInfoOAuthAppIdPermissionsPermissionValuePrivilegeLevelAppNameAppStatusConsentedUsersCountIsAdminConsentedAppOriginServicePrincipalIdAppOwnerTenantIdVerifiedPublisherVerifiedPublisherDisplayName

Operators

OAuthAppInfosummarizearg_maxbymv-expandextendtostringparse_jsonprojectcountiforder bywhereisnotempty

Actions

GitHub