Modify Credentials Entra Connect App Identity
Query
let EntraConnectAppIdentities = OAuthAppInfo
| where parse_json(Permissions) has 'ADSynchronization.ReadWrite.All'
| summarize by AppName;
AuditLogs
| where OperationName has_any ("Add service principal", "Certificates and secrets management", "Update application")
| where Result =~ "success"
| mv-apply TargetResource = TargetResources on
(
where TargetResource.type =~ "Application" or TargetResource.type =~ "ServicePrincipal"
| extend
TargetName = tostring(TargetResource.displayName),
TargetObjectType = tostring(TargetResource.type),
ResourceId = tostring(TargetResource.id),
AddedKeyEvent = TargetResource.modifiedProperties
)
| where TargetName in~ (EntraConnectAppIdentities)
| extend InitiatingBy = iff(isnotempty(InitiatedBy.user.id), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| extend InitiatingUserOrAppId = iff(isnotempty(InitiatedBy.user.id), tostring(InitiatedBy.user.id), tostring(InitiatedBy.app.servicePrincipalId))
| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))
| mv-apply Property = AddedKeyEvent on
(
where Property.displayName =~ "KeyDescription" or Property.displayName =~ "FederatedIdentityCredentials"
| extend
NewValue = parse_json(tostring(Property.newValue)),
OldValue = parse_json(tostring(Property.oldValue))
)
| extend diff = set_difference(NewValue, OldValue)
| parse diff with * "KeyIdentifier=" keyIdentifier: string ",KeyType=" keyType: string ",KeyUsage=" keyUsage: string ",DisplayName=" keyDisplayName: string "]" *
| project ActivityDateTime, ActivityDisplayName, CorrelationId, Result, TargetName, TargetObjectType, InitiatingBy, InitiatingIpAddress, AddedKeyEvent, AddedKeyId = keyIdentifier, OldValue, NewValueExplanation
This KQL query is designed to track and analyze specific changes made to applications or service principals within an Azure environment, focusing on those with certain permissions. Here's a simplified breakdown of what the query does:
-
Identify Applications with Specific Permissions:
- It first identifies applications that have the
ADSynchronization.ReadWrite.Allpermission by querying theOAuthAppInfotable. - It summarizes these applications by their names, storing them in a variable called
EntraConnectAppIdentities.
- It first identifies applications that have the
-
Filter Audit Logs for Specific Operations:
- It then queries the
AuditLogstable to find logs related to operations like "Add service principal", "Certificates and secrets management", and "Update application". - It only considers logs where the operation was successful.
- It then queries the
-
Extract and Filter Target Resources:
- For each log entry, it examines the
TargetResourcesto find those of type "Application" or "ServicePrincipal". - It extracts details such as the target's name, type, and ID, and checks if the target name is in the list of identified applications (
EntraConnectAppIdentities).
- For each log entry, it examines the
-
Identify Initiator Details:
- It determines who initiated the operation, whether it was a user or an application, and records their ID and IP address.
-
Analyze Modified Properties:
- It looks into the modified properties of the target resources, specifically focusing on changes related to "KeyDescription" or "FederatedIdentityCredentials".
- It compares the new and old values of these properties to identify differences.
-
Extract Key Details:
- It parses the differences to extract details like
KeyIdentifier,KeyType,KeyUsage, andDisplayName.
- It parses the differences to extract details like
-
Project Relevant Information:
- Finally, it projects a set of relevant information including the date and time of the activity, the activity name, correlation ID, result, target details, initiator details, and the added key information.
In summary, this query is used to monitor and analyze changes to applications or service principals that have specific permissions, focusing on key management activities and identifying who initiated these changes.
Details

Thomas Naunheim
Released: July 3, 2025
Tables
Keywords
Operators