Entra ID - Oauth App Information
Entra ID Oauth App Info
Query
OAuthAppInfo
| summarize arg_max(TimeGenerated,*) by OAuthAppId
| mv-expand Permissions
| extend Permission = tostring(parse_json(Permissions.PermissionValue))
| extend PermPrivilegeLevel = tostring(parse_json(Permissions.PrivilegeLevel))
| project
AppName,
PrivilegeLevel,
Permission,
AppStatus,
ConsentedUsersCount,
IsAdminConsented,
AppOrigin,
ServicePrincipalId,
Permissions,
PermPrivilegeLevel
| summarize
//PrivLevels = make_set(PermPrivilegeLevel),
Low = countif(PermPrivilegeLevel == "Low"),
Medium = countif(PermPrivilegeLevel == "Medium"),
High = countif(PermPrivilegeLevel == "High"),
NA = countif(PermPrivilegeLevel == "NA")
by AppName, ConsentedUsersCount, IsAdminConsented, AppStatus, AppOrigin
| order by High desc, Medium desc, Low descAbout this query
Entra ID - Oauth App Information
Query Information
Description
Use the below info to query to OAuthAppInfo table in Defender XDR
Author
- Alex Verboon
References
Microsoft Defender XDR
List relevant information from the OAutahAppInfo Table and count the permissions by Permission Level
External OAuth Apps and their external Tenant ID information
OAuthAppInfo
| where isnotempty( AppOwnerTenantId)
| where AppOrigin == 'External'
| summarize arg_max(TimeGenerated,*) by OAuthAppId
| project AppName, VerifiedPublisher, ServicePrincipalId, OAuthAppId, PrivilegeLevel, Permissions, AppOrigin, AppOwnerTenantId
| extend VerifiedPublisher_displayName = tostring(parse_json(VerifiedPublisher)["displayName"])
Explanation
This KQL query is designed to analyze and summarize information about OAuth applications from the OAuthAppInfo table in Microsoft Defender XDR. Here's a simple breakdown of what each part of the query does:
-
First Query:
- Purpose: To list relevant information about OAuth applications and count their permissions based on privilege levels.
- Steps:
- Retrieves the most recent information for each OAuth application using
arg_max. - Expands the permissions associated with each application.
- Extracts and formats the permission value and privilege level.
- Projects (selects) specific fields such as AppName, PrivilegeLevel, Permission, and others for further analysis.
- Summarizes the data by counting the number of permissions at different privilege levels (Low, Medium, High, NA) for each application.
- Orders the results by the number of High privilege level permissions in descending order, followed by Medium and Low.
- Retrieves the most recent information for each OAuth application using
-
Second Query:
- Purpose: To identify external OAuth applications and gather information about their external tenant IDs.
- Steps:
- Filters the data to include only applications with a non-empty AppOwnerTenantId and those originating externally.
- Retrieves the most recent information for each external OAuth application.
- Projects specific fields such as AppName, VerifiedPublisher, ServicePrincipalId, and others.
- Extracts and formats the display name of the verified publisher.
Overall, these queries help in understanding the distribution of permission levels across OAuth applications and identifying external applications along with their tenant information.
Details

Alex Verboon
Released: April 16, 2026
Tables
OAuthAppInfo
Keywords
OAuthAppInfoOAuthAppIdPermissionsPermissionValuePrivilegeLevelAppNameAppStatusConsentedUsersCountIsAdminConsentedAppOriginServicePrincipalIdAppOwnerTenantIdVerifiedPublisherVerifiedPublisherDisplayName
Operators
OAuthAppInfosummarizearg_maxbymv-expandextendtostringparse_jsonprojectcountiforder bywhereisnotempty