Query Details

Identity Top 20 apps with no CA

Query

//Find the top 20 most popular applications in your tenant that have had no Conditional Access policies (success or failure) applied

//Data connector required for this query - Azure Active Directory - Signin Logs

let apps=
    SigninLogs
    | where TimeGenerated > ago (30d)
    | project TimeGenerated, ConditionalAccessPolicies, AppDisplayName
//Exclude native Microsoft apps that you can't enforce policy on or that are covered natively in Office 365
    | where AppDisplayName !in ("Microsoft Office Web Apps Service", "Microsoft App Access Panel", "Office Online Core SSO", "Microsoft Authentication Broker", "Microsoft Account Controls V2", "Microsoft 365 Support Service","Office Online Maker SSO","My Apps","My Profile")
    | mv-expand ConditionalAccessPolicies
    | extend CAResult = tostring(ConditionalAccessPolicies.result)
    | summarize ResultSet=make_set(CAResult) by AppDisplayName
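//Keep only apps whose sign-ins never recorded an enforced policy result (neither success nor failure)
    | where ResultSet !has "success" and ResultSet !has "failure"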
    | project AppDisplayName;
SigninLogs
| where TimeGenerated > ago(30d)
| where ResultType == 0
| where AppDisplayName in (apps)
| summarize Count=count() by AppDisplayName
| top 20 by Count

Explanation

This query finds the top 20 most popular applications in your tenant that have not had any Conditional Access policies (success or failure) applied over the last 30 days. It uses the Azure Active Directory - Signin Logs data connector. The first part excludes native Microsoft apps, expands the ConditionalAccessPolicies column so that each policy evaluation becomes its own row, and collects the set of policy results seen for each app. It then filters out apps with "success" or "failure" in that set, leaving the apps where no policy was ever enforced. Finally, it counts the successful sign-ins (ResultType 0) for each remaining app and returns the top 20 apps by that count.
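The per-app result set and the two ways of combining the `!has` tests can be checked without tenant data. The following is an added example, not part of the original query: the `SampleSignins` table, its app names and policy names are constructed, and the 30-day time filter is left out so the fixed rows always match.

```kql
// Constructed sample rows standing in for SigninLogs; not real tenant data.
let SampleSignins = datatable(AppDisplayName:string, ResultType:string, ConditionalAccessPolicies:dynamic)
[
    // Policy enforced on every sign-in
    "HR Portal",   "0",     dynamic([{"displayName":"Require MFA","result":"success"}]),
    "HR Portal",   "0",     dynamic([{"displayName":"Require MFA","result":"success"}]),
    // Policy enforced, and one sign-in blocked by a second policy
    "Finance App", "0",     dynamic([{"displayName":"Require MFA","result":"success"}]),
    "Finance App", "53003", dynamic([{"displayName":"Block legacy auth","result":"failure"}]),
    // Policies exist in the tenant but never target this app
    "Legacy Wiki", "0",     dynamic([{"displayName":"Require MFA","result":"notApplied"}]),
    "Legacy Wiki", "0",     dynamic([{"displayName":"Require MFA","result":"notApplied"}]),
    "Legacy Wiki", "0",     dynamic([{"displayName":"Require MFA","result":"notApplied"}]),
    // Only a report-only policy was evaluated, so nothing was enforced
    "Test Tool",   "0",     dynamic([{"displayName":"Pilot policy","result":"reportOnlySuccess"}])
];
// One row per app with every CA result value seen for it
let Coverage =
    SampleSignins
    | mv-expand ConditionalAccessPolicies
    | extend CAResult = tostring(ConditionalAccessPolicies.result)
    | summarize ResultSet = make_set(CAResult) by AppDisplayName
    // NoEnforcedCA: neither result ever seen. LooseFilter: at least one of the two missing.
    | extend NoEnforcedCA = ResultSet !has "success" and ResultSet !has "failure",
             LooseFilter  = ResultSet !has "success" or ResultSet !has "failure";
// Successful sign-ins per app, shown beside both filter outcomes
SampleSignins
| where ResultType == "0"
| summarize Count = count() by AppDisplayName
| join kind=inner Coverage on AppDisplayName
| project AppDisplayName, Count, ResultSet, NoEnforcedCA, LooseFilter
| sort by Count desc
```

An app whose sign-ins only ever show `success` has no `failure` in its set, so the `or` form still flags it even though a policy was enforced on it; only the `and` form limits the list to apps with no enforced result at all.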

Details

Matt Zorich

Released: June 17, 2022

Tables

SigninLogs

Keywords

Applications, ConditionalAccessPolicies, Success, Failure, AzureActiveDirectory, SigninLogs, TimeGenerated, AppDisplayName, MicrosoftOfficeWebAppsService, MicrosoftAppAccessPanel, OfficeOnlineCoreSSO, MicrosoftAuthenticationBroker, MicrosoftAccountControlsV2, Microsoft365SupportService, OfficeOnlineMakerSSO, MyApps, MyProfile, ResultType, Count

Operators

where, project, mv-expand, extend, summarize, by, has, in, top
