Query Details

OAuth Application Permissions Grant

Query

//Query to find applications that have had application permissions granted to them

//Data connector required for this query - Azure Active Directory - Audit Logs

AuditLogs
| where OperationName has "Add app role assignment to service principal"
| extend UpdatedPermission = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| extend AppName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[4].newValue)))
| extend User = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend AppId = tostring(TargetResources[1].id)
| project TimeGenerated, OperationName, UpdatedPermission, AppName, AppId, User

Explanation

This query finds applications that have been granted application permissions. It requires the Azure Active Directory - Audit Logs data connector. The query filters AuditLogs for the "Add app role assignment to service principal" operation. It then extracts the updated permission and the application name from fixed positions (indexes 1 and 4) in TargetResources[0].modifiedProperties, the user from InitiatedBy.user.userPrincipalName, and the application ID from TargetResources[1].id. The final result contains the time generated, operation name, updated permission, application name, application ID, and user.
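The query above reads the permission and application name by array position. The variant below is an added example, not part of the original query: it matches the same modifiedProperties entries by displayName, so it does not depend on the order of the array, and it also records the initiating application for grants where no user is present. The property names "AppRole.Value" and "ServicePrincipal.DisplayName" and the InitiatedBy.app.displayName field are assumptions about how this event is logged; confirm them against a sample event in your own workspace.

```kusto
// Added example: same event as the original query, properties matched by name.
// Assumed property names: "AppRole.Value", "ServicePrincipal.DisplayName".
AuditLogs
| where OperationName has "Add app role assignment to service principal"
| extend Props = TargetResources[0].modifiedProperties
// Collapse the name/value pairs of this event into one property bag.
// newValue is stored with embedded double quotes, so trim them off.
| mv-apply Prop = Props on (
    summarize PropBag = make_bag(
        bag_pack(tostring(Prop.displayName), trim('"', tostring(Prop.newValue))))
  )
| extend UpdatedPermission = tostring(PropBag["AppRole.Value"])
| extend AppName = tostring(PropBag["ServicePrincipal.DisplayName"])
// A grant is made either by a user or by an application; keep both.
| extend User = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingApp = tostring(InitiatedBy.app.displayName)
| extend AppId = tostring(TargetResources[1].id)
| project TimeGenerated, OperationName, UpdatedPermission, AppName, AppId, User, InitiatingApp
```

Rows where UpdatedPermission or AppName comes back empty indicate that the assumed property names do not match the event and should be checked against the raw TargetResources value.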

Details

Matt Zorich

Released: June 17, 2022

Tables

AuditLogs

Keywords

AuditLogs, OperationName, Add app role assignment to service principal, UpdatedPermission, TargetResources, modifiedProperties, newValue, AppName, User, InitiatedBy, userPrincipalName, AppId, TimeGenerated

Operators

where, has, extend, tostring, parse_json, TargetResources, modifiedProperties, newValue, TimeGenerated, OperationName, UpdatedPermission, AppName, User, project
