Grant High Privilege Microsoft Graph Permissions
Query
let DangerousPermissions = dynamic(["AppRoleAssignment.ReadWrite.All","Application.ReadWrite.All","RoleManagement.ReadWrite.Directory"]);
AuditLogs
| where OperationName == "Add app role assignment to service principal"
| mv-expand TargetResources
| mv-expand TargetResources.modifiedProperties
| where TargetResources_modifiedProperties.displayName == "AppRole.Value"
| extend InitiatedByUserPrincipalName = InitiatedBy.user.userPrincipalName
| extend AddedPermission = replace_string(tostring(TargetResources_modifiedProperties.newValue),'"','')
| where AddedPermission in~ ( DangerousPermissions )
| extend IPCustomEntity = todynamic(InitiatedBy).user.ipAddress
| extend ServicePrincipalAppId = todynamic(TargetResources).modifiedProperties[5].displayName
| project timestamp = TimeGenerated, IPCustomEntity, AccountCustomEntity=InitiatedByUserPrincipalName, ServicePrincipalAppId, AddedPermissionExplanation
This query is designed to identify when an application registration is granted a high privilege Microsoft Graph permission. It looks for specific operations in the Audit Logs related to adding app role assignments to service principals. It then expands and filters the target resources to find the modified properties related to the "AppRole.Value" display name. The query also retrieves information about the user who initiated the action, the added permission, the IP address of the user, and the service principal's application ID. The results are mapped to the Account and IP entities for further analysis. The query runs daily and has a medium severity level. It is relevant to the Persistence tactic and the T1098 technique.
