Query Details
AuditLogs
| where ActivityDisplayName contains "permission grant"
//| where tostring(parse_json(TargetResources)[0].displayName) == 'Microsoft MCP Server for Enterprise' //Example https://learn.microsoft.com/en-us/graph/mcp-server/get-started?tabs=http%2Cvscode
| where tostring(parse_json(TargetResources)[0].modifiedProperties) contains "MCP." //MCP permissions have MCP. prefix, for example "MCP.AccessReview.Read.All, MCP.AdministrativeUnit.Read.All, MCP.Application.Read.All"
This query searches the audit logs for events related to permission grants. Here's a breakdown of what it does:
AuditLogs: It starts by looking at the audit logs data.
Filter by Activity: It filters the logs to only include entries where the activity name contains the phrase "permission grant". This means it's specifically interested in events where permissions were granted.
Commented Line: There's a commented-out line (indicated by //) that suggests an additional filter could be applied to only include entries where the target resource's display name is 'Microsoft MCP Server for Enterprise'. However, this line is not currently active in the query.
Filter by Modified Properties: It further filters the logs to include only those entries where the modified properties of the first target resource contain the prefix "MCP.". This indicates that the query is looking for permission changes related to MCP (Model Context Protocol) permissions, which have names starting with "MCP.".
In summary, the query is designed to find audit log entries related to the granting of MCP-related permissions.
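The same filters run over constructed sample rows, as an added example that is not part of the original query. It goes one step further than the query above by listing which MCP.* scopes each grant added and who initiated it. The row values, the Actor, Target and GrantedMcpScopes column names, and the assumption that the scopes appear in newValue are illustrative.

```kusto
// Constructed sample rows shaped like AuditLogs; every value is made up for illustration.
let SampleAuditLogs = datatable(TimeGenerated:datetime, ActivityDisplayName:string,
                                InitiatedBy:dynamic, TargetResources:dynamic)
[
    // Grant that adds MCP scopes: should be returned.
    datetime(2026-02-01 10:00:00), "Add delegated permission grant",
    dynamic({"user":{"userPrincipalName":"admin@contoso.example"}}),
    dynamic([{"displayName":"Microsoft MCP Server for Enterprise",
              "modifiedProperties":[{"displayName":"DelegatedPermissionGrant.Scope",
                                     "oldValue":"",
                                     "newValue":"MCP.Application.Read.All MCP.AccessReview.Read.All"}]}]),
    // Grant with no MCP scope: dropped by the "MCP." filter.
    datetime(2026-02-01 11:00:00), "Add delegated permission grant",
    dynamic({"user":{"userPrincipalName":"user@contoso.example"}}),
    dynamic([{"displayName":"Microsoft Graph",
              "modifiedProperties":[{"displayName":"DelegatedPermissionGrant.Scope",
                                     "oldValue":"",
                                     "newValue":"User.Read"}]}]),
    // Not a permission grant: dropped by the activity filter.
    datetime(2026-02-01 12:00:00), "Update application",
    dynamic({"user":{"userPrincipalName":"admin@contoso.example"}}),
    dynamic([{"displayName":"Some App", "modifiedProperties":[]}])
];
SampleAuditLogs
| where ActivityDisplayName contains "permission grant"
| where tostring(TargetResources[0].modifiedProperties) contains "MCP."
// One row per modified property, so old and new values can be told apart.
| mv-expand Prop = TargetResources[0].modifiedProperties
// Pull every MCP.* scope name out of the new value only (what was granted).
| extend GrantedMcpScopes = extract_all(@"(MCP\.[A-Za-z0-9]+(?:\.[A-Za-z0-9]+)*)", tostring(Prop.newValue))
| where isnotempty(GrantedMcpScopes)
| project TimeGenerated,
          Actor = tostring(InitiatedBy.user.userPrincipalName),
          Target = tostring(TargetResources[0].displayName),
          GrantedMcpScopes
```

To run it against live data, replace SampleAuditLogs with AuditLogs and delete the datatable definition.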

Jay Kerai
Released: February 5, 2026