Query Details

HQ-003 OAuth Consent Grants Multi App

Query

// =========================================================================
// HQ-003: OAuth Consent Grants – Actors with Multiple App Consents
// =========================================================================
// Description : Surfaces users or service principals that consented to,
//               or granted delegated permissions for, multiple applications
//               within the last 7 days. Token-abuse tools (TokenTactics,
//               ROADtools) often consent to custom apps to obtain broad
//               delegated tokens. Also covers admin-consent phishing.
// MITRE ATT&CK: TA0006 Credential Access
//               T1528 – Steal Application Access Token
// Tools       : TokenTactics, ROADtools, AADInternals
// Severity    : Medium
// Data Source : AuditLogs (Azure Active Directory)
// =========================================================================

AuditLogs
| where TimeGenerated > ago(7d)
| where ActivityDisplayName in (
    "Consent to application",
    "Add delegated permission grant",
    "Add app role assignment to service principal")
| extend InitiatedByUPN  = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatedByUser = tostring(InitiatedBy.user.displayName)
| extend InitiatedByApp  = tostring(InitiatedBy.app.displayName)
| extend Actor           = iff(isnotempty(InitiatedByUPN), InitiatedByUPN, InitiatedByApp)
| extend TargetApp       = tostring(TargetResources[0].displayName)
| extend TargetAppId     = tostring(TargetResources[0].id)
| extend PermDetail      = tostring(AdditionalDetails)
| summarize
    ConsentCount      = count(),
    AppsConsented     = make_set(TargetApp, 20),
    AppIds            = make_set(TargetAppId, 20),
    Operations        = make_set(ActivityDisplayName),
    FirstConsent      = min(TimeGenerated),
    LastConsent       = max(TimeGenerated),
    CorrelationIds    = make_set(CorrelationId, 5)
    by Actor
| where ConsentCount >= 2 or array_length(AppsConsented) >= 2
| extend DaysBetween = datetime_diff('day', LastConsent, FirstConsent)
| order by ConsentCount desc

Explanation

This query identifies users or service principals in Azure Active Directory that have consented to, or granted permissions for, multiple applications within the past week. Token-abuse tooling typically consents to a custom application in order to obtain broadly scoped delegated tokens, so one actor granting consent to several apps in a short window is worth reviewing. The query restricts AuditLogs to the three consent-related operations, derives the actor from the initiating user's UPN (falling back to the initiating application's display name when no user is present), and groups the events by that actor, summarizing the number of consents, the applications and app IDs involved, the operations performed, and the first and last consent times. Only actors with at least two consent events, or consents to at least two distinct applications, are kept, and the output is sorted by consent count in descending order so the most active actors appear first.
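To check the aggregation logic offline before deploying the KQL, here is an added Python re-implementation of HQ-003 run over constructed AuditLogs-style records. It is example code written for this page, not part of the query or the author's work. The record shape, the UPNs, app names, app IDs, correlation IDs and the fixed "now" are all assumed placeholders, and the make_set size caps and the datetime_diff day semantics are approximated rather than reproduced exactly.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The three AuditLogs operations HQ-003 matches on.
CONSENT_OPERATIONS = {
    "Consent to application",
    "Add delegated permission grant",
    "Add app role assignment to service principal",
}


def _rec(ts, op, target, app_id, corr, upn=None, app=None):
    """Build one constructed AuditLogs-style record (placeholder values)."""
    initiated_by = {}
    if upn:
        initiated_by["user"] = {"userPrincipalName": upn, "displayName": upn.split("@")[0]}
    if app:
        initiated_by["app"] = {"displayName": app}
    return {"TimeGenerated": ts, "ActivityDisplayName": op, "InitiatedBy": initiated_by,
            "TargetResources": [{"displayName": target, "id": app_id}], "CorrelationId": corr}


# Constructed sample data, not real tenant logs.
SAMPLE_AUDIT_LOGS = [
    _rec("2026-04-01T09:00:00Z", "Consent to application", "Mail Sync Helper", "app-0001", "corr-1", upn="alice@contoso.example"),
    _rec("2026-04-01T09:05:00Z", "Add delegated permission grant", "Mail Sync Helper", "app-0001", "corr-1", upn="alice@contoso.example"),
    _rec("2026-04-03T14:00:00Z", "Consent to application", "Expense Tracker", "app-0002", "corr-2", upn="bob@contoso.example"),
    _rec("2026-04-05T08:30:00Z", "Consent to application", "Calendar Bridge", "app-0003", "corr-3", upn="bob@contoso.example"),
    # Initiated by an application rather than a user: exercises the Actor fallback.
    _rec("2026-04-04T11:00:00Z", "Add app role assignment to service principal", "Graph Connector", "app-0004", "corr-4", app="Provisioning Automation"),
    # Carol's first consent is older than 7 days and falls outside the window.
    _rec("2026-03-20T10:00:00Z", "Consent to application", "Survey Tool", "app-0005", "corr-5", upn="carol@contoso.example"),
    _rec("2026-04-02T10:00:00Z", "Consent to application", "Notes App", "app-0006", "corr-6", upn="carol@contoso.example"),
    # Non-consent operation: dropped by the ActivityDisplayName filter.
    _rec("2026-04-05T09:00:00Z", "Update application", "Calendar Bridge", "app-0003", "corr-7", upn="bob@contoso.example"),
]

# Assumed "now" so the 7-day window is deterministic for the sample.
SAMPLE_NOW = datetime(2026, 4, 6, 12, 0, tzinfo=timezone.utc)


def _ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def derive_actor(record):
    """KQL: iff(isnotempty(InitiatedByUPN), InitiatedByUPN, InitiatedByApp)."""
    initiated_by = record.get("InitiatedBy") or {}
    upn = (initiated_by.get("user") or {}).get("userPrincipalName") or ""
    app = (initiated_by.get("app") or {}).get("displayName") or ""
    return upn if upn else app


def find_multi_app_consenters(records, now, lookback_days=7, min_consents=2, max_apps=20, max_corr=5):
    """Mirror HQ-003: filter, derive Actor, group, summarize, threshold, sort."""
    cutoff = now - timedelta(days=lookback_days)
    grouped = defaultdict(list)
    for rec in records:
        if rec.get("ActivityDisplayName") not in CONSENT_OPERATIONS:
            continue
        when = _ts(rec["TimeGenerated"])
        if when <= cutoff:  # KQL: TimeGenerated > ago(7d)
            continue
        grouped[derive_actor(rec)].append((when, rec))

    rows = []
    for actor, events in grouped.items():
        apps = sorted({r["TargetResources"][0].get("displayName", "") for _, r in events})
        # KQL: where ConsentCount >= 2 or array_length(AppsConsented) >= 2
        if len(events) < min_consents and len(apps) < min_consents:
            continue
        times = [w for w, _ in events]
        first, last = min(times), max(times)
        rows.append({
            "Actor": actor,
            "ConsentCount": len(events),
            "AppsConsented": apps[:max_apps],  # approximates make_set(TargetApp, 20)
            "AppIds": sorted({r["TargetResources"][0].get("id", "") for _, r in events})[:max_apps],
            "Operations": sorted({r["ActivityDisplayName"] for _, r in events}),
            "FirstConsent": first,
            "LastConsent": last,
            "CorrelationIds": sorted({r["CorrelationId"] for _, r in events})[:max_corr],
            # datetime_diff('day', LastConsent, FirstConsent): calendar days crossed
            "DaysBetween": (last.date() - first.date()).days,
        })
    rows.sort(key=lambda r: (-r["ConsentCount"], r["Actor"]))  # order by ConsentCount desc
    return rows


def run_sample():
    """Run the detection over the constructed records with the fixed clock."""
    return find_multi_app_consenters(SAMPLE_AUDIT_LOGS, SAMPLE_NOW)


if __name__ == "__main__":
    for row in run_sample():
        print(f"{row['Actor']}: {row['ConsentCount']} consent(s) to {row['AppsConsented']} "
              f"over {row['DaysBetween']} day(s)")
```

On the sample, Alice is surfaced by the consent count alone (two grants to the same app, matching the `ConsentCount >= 2` branch), Bob by two distinct apps, while the app-initiated assignment and Carol's single in-window consent stay below the threshold. One caveat the rewrite makes visible: if an event carries neither a user UPN nor an app display name, both the KQL and this code group it under an empty Actor, so an empty-string row in the results deserves a look rather than being dismissed.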

Details


David Alonso

Released: April 6, 2026

Tables

AuditLogs

Keywords

AuditLogs, Azure Active Directory, Users, Service Principals, Applications, Tokens, Permissions, Admins

Operators

AuditLogs, where, in, extend, tostring, iff, isnotempty, summarize, count, make_set, min, max, by, or, array_length, datetime_diff, order by, desc
