Query Details

Modifications To Application Management Policy For Entra App Registrations

Query

// This query looks for modifications to ApplicationManagementPolicy which could be someone attempting to bypass an app management policy that blocks client secrets being used for an app registration
AuditLogs
| where OperationName == "Add policy"
| where TargetResources[0].displayName == "ApplicationManagementPolicy"
//Ref https://learn.microsoft.com/en-us/graph/api/tenantappmanagementpolicy-update?view=graph-rest-1.0&tabs=http?WT.mc_id=MVP_473477

Explanation

This query is searching through audit logs to find instances where a new policy was added, specifically targeting the "ApplicationManagementPolicy." The purpose is to identify any changes that might indicate someone is trying to bypass a policy that prevents the use of client secrets in app registrations.

Details

Jay Kerai profile picture

Jay Kerai

Released: October 3, 2025

Tables

AuditLogs

Keywords

AuditLogsOperationNameTargetResourcesDisplayNameApplicationManagementPolicyAppManagementPolicyClientSecretsRegistration

Operators

AuditLogs|where==

Actions

GitHub