Query Details
// This query looks for modifications to ApplicationManagementPolicy which could be someone attempting to bypass an app management policy that blocks client secrets being used for an app registration
AuditLogs
| where OperationName == "Add policy"
| where TargetResources[0].displayName == "ApplicationManagementPolicy"
// Ref https://learn.microsoft.com/en-us/graph/api/tenantappmanagementpolicy-update?view=graph-rest-1.0&tabs=http
This query searches the AuditLogs table for "Add policy" operations whose first target resource is named "ApplicationManagementPolicy". Such an event could indicate an attempt to change the app management policy, potentially to bypass restrictions that prevent client secrets from being used in app registrations.
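For triage, the same filter can be extended to show who made the change and which properties moved. This is an added example, not part of the original query: it runs against constructed sample rows in a `datatable`, and the actor names, IP address and property names/values in those rows are made up for illustration. `InitiatedBy` and `modifiedProperties` are standard AuditLogs fields.

```kql
// Constructed sample rows standing in for the AuditLogs table (not real tenant data)
let SampleAuditLogs = datatable(TimeGenerated:datetime, OperationName:string, Result:string,
                                InitiatedBy:dynamic, TargetResources:dynamic)
[
    // Matches: "Add policy" against ApplicationManagementPolicy, initiated by a user
    datetime(2025-05-11 09:14:00), "Add policy", "success",
    dynamic({"user":{"userPrincipalName":"admin@contoso.example","ipAddress":"203.0.113.10"}}),
    dynamic([{"displayName":"ApplicationManagementPolicy","type":"Policy",
              "modifiedProperties":[{"displayName":"ConstructedProperty",
                                     "oldValue":"constructed-old-value",
                                     "newValue":"constructed-new-value"}]}]),
    // Does not match: same operation, different policy, initiated by an app
    datetime(2025-05-11 09:20:00), "Add policy", "success",
    dynamic({"app":{"displayName":"Constructed Automation App"}}),
    dynamic([{"displayName":"SomeOtherPolicy","type":"Policy","modifiedProperties":[]}])
];
SampleAuditLogs   // replace with AuditLogs to run against a real workspace
| where OperationName == "Add policy"
| where tostring(TargetResources[0].displayName) == "ApplicationManagementPolicy"
// The initiator is either a user or an application; take whichever is populated
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                          tostring(InitiatedBy.app.displayName))
| extend ActorIP = tostring(InitiatedBy.user.ipAddress)
// One output row per changed property so old and new values can be compared
| mv-expand Property = TargetResources[0].modifiedProperties
| project TimeGenerated, Actor, ActorIP, Result,
          PropertyName = tostring(Property.displayName),
          OldValue = tostring(Property.oldValue),
          NewValue = tostring(Property.newValue)
```

Comparing `OldValue` with `NewValue` shows whether a restriction was loosened or tightened, which the bare match on the operation name does not.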

Jay Kerai
Released: May 11, 2025