List MS Graph Mail Permissions Added
Graph Mail Permissions
Query
AuditLogs
| where Category == "ApplicationManagement"
| where ActivityDisplayName in ("Add delegated permission grant", "Add app role assignment to service principal")
| mv-expand TargetResources
| where TargetResources.displayName == "Microsoft Graph"
| mv-expand TargetResources.modifiedProperties
| extend InitiatedByUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend AddedPermission = replace_string(tostring(TargetResources_modifiedProperties.newValue),'"','')
| extend IP = tostring(todynamic(InitiatedBy).user.ipAddress)
| extend ServicePrincipalAppId = iff(OperationName == "Add delegated permission grant", replace_string(tostring(todynamic(TargetResources).modifiedProperties[2].newValue),'"','') , replace_string(tostring(todynamic(TargetResources).modifiedProperties[5].newValue),'"',''))
| where AddedPermission has_all ("Mail", ".")
| summarize Permissions = make_set(AddedPermission) by ServicePrincipalAppId, IP, InitiatedByUserPrincipalName
| extend TotalPermissions = array_length(Permissions)
| project TotalPermissions, ServicePrincipalAppId, InitiatedByUserPrincipalName, IP, Permissions
| sort by TotalPermissionsAbout this query
List MS Graph Mail Permissions Added
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1098.002 | Account Manipulation: Additional Email Delegate Permissions | https://attack.mitre.org/techniques/T1098/002/ |
Description
The Graph API can be used to read and send mail amongst other actions. Escpecially the Mail*.All permissions are very priviliged and should be scoped to a certain mailbox only (if possible). This query can both be used to assess the current added permissions as well as to detect malicious mail permission that are added to applications.
Risk
Adversaries can use applications to read sentitive mails or to send out malicious mails from your domain.
References
- https://learn.microsoft.com/en-us/graph/permissions-reference
- https://github.com/f-bader/AzSentinelQueries/blob/master/HuntingQueries/GrantHighPrivilegeMicrosoftGraphPermissions.yaml
- https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access
Sentinel
Explanation
This query is designed to identify and list any added permissions related to Microsoft Graph Mail within an organization's environment. It focuses on detecting potentially risky permissions that allow applications to read or send emails, which could be exploited by adversaries.
Here's a simple breakdown of what the query does:
-
Data Source: It looks at audit logs specifically related to application management activities.
-
Activity Filtering: It filters for activities where delegated permissions are added or app role assignments are made to a service principal, focusing on those involving Microsoft Graph.
-
Permission Extraction: It extracts details about the permissions added, particularly those related to mail (permissions containing "Mail").
-
User and IP Information: It captures information about who initiated the action (user principal name) and from which IP address.
-
Service Principal Identification: It identifies the service principal application ID associated with the permission changes.
-
Permission Summary: It summarizes the permissions added, grouping them by service principal application ID, user, and IP address.
-
Output: The query outputs the total number of permissions added, along with details about the service principal, user, IP address, and the specific permissions.
-
Sorting: Finally, it sorts the results by the total number of permissions added to highlight potentially significant changes.
Overall, this query helps in assessing current mail permissions and detecting any unauthorized or malicious permissions that might have been added, which could pose a security risk.
Details

Bert-Jan Pals
Released: October 20, 2024
Tables
Keywords
Operators