Query Details

Modify Credentials Entra Connect App Identity

Query

let EntraConnectAppIdentities = OAuthAppInfo
    | where parse_json(Permissions) has 'ADSynchronization.ReadWrite.All'
    | summarize by AppName;
AuditLogs
| where OperationName has_any ("Add service principal", "Certificates and secrets management", "Update application")
| where Result =~ "success"
| mv-apply TargetResource = TargetResources on
    (
    where TargetResource.type =~ "Application" or TargetResource.type =~ "ServicePrincipal"
    | extend
        TargetName = tostring(TargetResource.displayName),
        TargetObjectType = tostring(TargetResource.type),
        ResourceId = tostring(TargetResource.id),
        AddedKeyEvent = TargetResource.modifiedProperties
    )
| where TargetName in~ (EntraConnectAppIdentities)
| extend InitiatingBy = iff(isnotempty(InitiatedBy.user.id), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| extend InitiatingUserOrAppId = iff(isnotempty(InitiatedBy.user.id), tostring(InitiatedBy.user.id), tostring(InitiatedBy.app.servicePrincipalId))
| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))
| mv-apply Property = AddedKeyEvent on
    (
    where Property.displayName =~ "KeyDescription" or Property.displayName =~ "FederatedIdentityCredentials"
    // oldValue and newValue are JSON-encoded strings that hold an array of credential entries
    | extend
        OldValue = parse_json(tostring(Property.oldValue)),
        NewValue = parse_json(tostring(Property.newValue))
    )
// entries present after the change but not before, i.e. the credentials that were added
| extend diff = tostring(set_difference(NewValue, OldValue))
| parse diff with * "KeyIdentifier=" keyIdentifier: string ",KeyType=" keyType: string ",KeyUsage=" keyUsage: string ",DisplayName=" keyDisplayName: string "]" *
| project ActivityDateTime, ActivityDisplayName, CorrelationId, Result, TargetName, TargetObjectType, InitiatingBy, InitiatingUserOrAppId, InitiatingIpAddress, AddedKeyEvent, AddedKeyId = keyIdentifier, AddedKeyType = keyType, AddedKeyDisplayName = keyDisplayName, OldValue, NewValue

Explanation

This query tracks credential changes on the Microsoft Entra ID (formerly Azure AD) application or service principal used by Microsoft Entra Connect, identified by its 'ADSynchronization.ReadWrite.All' permission. That is the Microsoft Graph permission the sync engine uses to write synchronized objects into the tenant, so a certificate, secret or federated credential added to this identity by anyone other than the sync server itself is a strong indicator of persistence or privilege escalation. Here's a breakdown of what the query does:

  1. Identify Relevant Applications:

    • It first identifies applications that hold the 'ADSynchronization.ReadWrite.All' permission by filtering the Permissions column of the OAuthAppInfo table. The application display names are stored in a variable called EntraConnectAppIdentities.
  2. Filter Audit Logs:

    • It then selects AuditLogs rows with a successful Result whose OperationName contains "Add service principal", "Certificates and secrets management" (this phrase matches both the application and the service principal variant of that operation) or "Update application".
  3. Extract Target Resources:

    • For each matching log entry it expands TargetResources and keeps only entries of type Application or ServicePrincipal, capturing the display name, type, object ID and the modifiedProperties array (kept as AddedKeyEvent).
  4. Match with Identified Applications:

    • It keeps only events whose target display name matches, case-insensitively, one of the names identified in the first step. The match is on display name rather than object or app ID: a renamed application drops out of the match, while a second application carrying the same name is included.
  5. Capture Initiator Details:

    • It records who initiated the action: the user principal name, user object ID and IP address when a user performed it, otherwise the application display name, service principal ID and IP address when an application did.
  6. Analyze Modified Properties:

    • It expands the modifiedProperties array and keeps only the "KeyDescription" (certificates and client secrets) and "FederatedIdentityCredentials" entries. Their oldValue and newValue are JSON-encoded strings holding an array of credential entries, so both are converted with parse_json before comparison.
  7. Calculate Differences:

    • set_difference(NewValue, OldValue) returns the entries present after the change but absent before, i.e. the credentials that were added. Argument order matters: reversing it would list removed credentials instead.
  8. Extract Key Details:

    • It parses each added entry for its KeyIdentifier, KeyType, KeyUsage and DisplayName. The parse pattern follows the KeyDescription entry format; a FederatedIdentityCredentials entry is laid out differently, so for those rows the parsed key columns are empty and the OldValue and NewValue columns carry the detail.
  9. Project Results:

    • Finally, it projects the activity time and name, correlation ID, result, target name and type, initiator details, the raw modifiedProperties array, the parsed added key, and the old and new values for context.

This query is useful for auditing and monitoring credential changes to the Entra Connect identity, whose synchronization permission makes it a high-value target. Legitimate hits, such as certificate rotation performed by the Entra Connect server itself, can be separated from suspicious ones by the initiator and the source IP address.
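As an added example that is not part of the original page or the author's query, the following Python reimplements steps 6 to 8 (property filter, old/new diff, key parsing) together with the result and target-name filters, so the logic can be exercised offline against constructed audit records. The record shapes, GUIDs, application names and the layout of the federated credential entry are assumptions made for this example, not real tenant data; the KeyDescription entry format is the one the query's parse pattern expects.

```python
"""Reference implementation, in Python rather than KQL, of the credential-diff
logic in the query above. All records below are constructed for this example."""
import json
import re

# Python equivalent of the query's parse pattern:
#   "KeyIdentifier=" ... ",KeyType=" ... ",KeyUsage=" ... ",DisplayName=" ... "]"
KEY_DESCRIPTION_RE = re.compile(
    r"\[KeyIdentifier=(?P<KeyIdentifier>[^,\]]+)"
    r",KeyType=(?P<KeyType>[^,\]]+)"
    r",KeyUsage=(?P<KeyUsage>[^,\]]+)"
    r",DisplayName=(?P<DisplayName>[^\]]*)\]"
)
# modifiedProperties entries the query inspects (case-insensitive, as =~ is)
WATCHED_PROPERTIES = {"keydescription", "federatedidentitycredentials"}


def load_value(raw):
    """oldValue/newValue is a JSON-encoded string holding an array of entries;
    mirror parse_json(tostring(...)) and treat null or empty as an empty array."""
    if not raw:
        return []
    parsed = json.loads(raw)
    return parsed if isinstance(parsed, list) else [parsed]


def set_difference(first, second):
    """KQL set_difference(first, second): distinct elements of first not in second."""
    out = []
    for item in first:
        if item not in second and item not in out:
            out.append(item)
    return out


def parse_key_description(entry):
    """Fields of one KeyDescription entry, or None when the entry uses another
    layout (a FederatedIdentityCredentials entry carries no KeyIdentifier=)."""
    match = KEY_DESCRIPTION_RE.search(str(entry))
    return match.groupdict() if match else None


def added_credentials(record):
    """Walk modifiedProperties as the mv-apply on AddedKeyEvent does and return
    one row per entry present in newValue but absent from oldValue.
    Order matters: set_difference(new, old) lists additions, (old, new) removals."""
    rows = []
    for prop in record.get("modifiedProperties", []):
        if str(prop.get("displayName", "")).lower() not in WATCHED_PROPERTIES:
            continue
        old, new = load_value(prop.get("oldValue")), load_value(prop.get("newValue"))
        for entry in set_difference(new, old):
            fields = parse_key_description(entry) or {}
            rows.append({"Property": prop["displayName"], "Raw": entry,
                         "KeyIdentifier": fields.get("KeyIdentifier"),
                         "KeyType": fields.get("KeyType"),
                         "KeyUsage": fields.get("KeyUsage"),
                         "DisplayName": fields.get("DisplayName")})
    return rows


def hunt(records, watched_apps):
    """Result and target-name filters of the query (in~ is case-insensitive),
    then the credential diff for every surviving record."""
    wanted = {name.lower() for name in watched_apps}
    hits = []
    for rec in records:
        if str(rec.get("Result", "")).lower() != "success":
            continue
        if str(rec.get("TargetName", "")).lower() not in wanted:
            continue
        for row in added_credentials(rec):
            hits.append({"TargetName": rec["TargetName"],
                         "Activity": rec["ActivityDisplayName"], **row})
    return hits


# Constructed sample entries; GUIDs and names are placeholders.
CERT = ("[KeyIdentifier=11111111-1111-1111-1111-111111111111,KeyType=AsymmetricX509Cert,"
        "KeyUsage=Verify,DisplayName=CN=Entra Connect Sync]")
SECRET = ("[KeyIdentifier=22222222-2222-2222-2222-222222222222,KeyType=Password,"
          "KeyUsage=Verify,DisplayName=added secret]")
# Layout of a federated credential entry is assumed for this example.
FIC = "[Id=33333333-3333-3333-3333-333333333333,Name=gh-actions,Issuer=https://token.actions.githubusercontent.com]"
SYNC_APP = "Microsoft Entra Connect Sync - Contoso"


def _record(target, prop, old, new):
    return {"ActivityDisplayName": "Update application - Certificates and secrets management",
            "Result": "success", "TargetName": target,
            "modifiedProperties": [{"displayName": prop,
                                    "oldValue": json.dumps(old), "newValue": json.dumps(new)}]}


SAMPLE_RECORDS = [
    _record(SYNC_APP, "KeyDescription", [CERT], [CERT, SECRET]),   # secret added: hit
    _record(SYNC_APP, "KeyDescription", [CERT, SECRET], [CERT]),   # secret removed: no addition
    _record(SYNC_APP, "FederatedIdentityCredentials", [], [FIC]),  # hit, parsed fields empty
    _record("Contoso HR Portal", "KeyDescription", [], [SECRET]),  # not a sync app: filtered
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_RECORDS, {SYNC_APP}):
        print(hit["TargetName"], hit["Property"], hit["KeyIdentifier"], hit["Raw"])
```

Running the block prints two hits: the added client secret with its parsed KeyIdentifier, and the federated credential with an empty KeyIdentifier but the raw entry preserved, which is the behaviour the parse step in the query has for that property. Calling set_difference with the arguments reversed on the second record returns the removed secret instead, which is why the argument order in the query matters.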

Details


Thomas Naunheim

Released: May 28, 2025

Tables

OAuthAppInfo, AuditLogs

Keywords

OAuthAppInfo, AuditLogs, Application, ServicePrincipal, KeyDescription, FederatedIdentityCredentials

Operators

let, has, summarize by, has_any, =~, mv-apply, on, or, extend, tostring, in~, iff, isnotempty, parse_json, set_difference, parse, with, project
