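//Detect when either application or delegated access is granted to a service principal in Azure AD
//Data connector required for this query - Azure Active Directory - Audit Logs
//
// Both branches read the granted permissions from TargetResources[0].modifiedProperties.
// The newValue there is itself a JSON-encoded string, which is why it is unwrapped with
// nested parse_json/tostring calls before being split on spaces.
// Actor prefers the signed-in user (InitiatedBy.user) and falls back to the initiating
// application's display name (InitiatedBy.app), so grants performed by an app or service
// principal rather than an interactive user are not reported with an empty Actor.
let delegatedaccess=
AuditLogs
| where OperationName has "Add delegated permission grant"
// modifiedProperties[0] is assumed to carry the delegated scope string — confirm against a sample event
| extend x = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].newValue)))
| extend ['Permissions granted'] = split(x, ' ')
// coalesce returns the first non-empty string, so the app name is used only when no user UPN is present
| extend Actor = coalesce(
    tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName),
    tostring(parse_json(tostring(InitiatedBy.app)).displayName))
| extend ['Service Principal ObjectId'] = tostring(TargetResources[1].id)
| extend Activity = "Delegated access added to application"
| project
    TimeGenerated,
    Activity,
    ['Permissions granted'],
    ['Service Principal ObjectId'],
    Actor;
let appaccess=
AuditLogs
| where OperationName has "Add app role assignment to service principal"
// modifiedProperties[1] is assumed to carry the app role value — confirm against a sample event
| extend x = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| extend ['Permissions granted'] = split(x, ' ')
// Same user-then-app fallback as the delegated branch, so both result sets attribute consistently
| extend Actor = coalesce(
    tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName),
    tostring(parse_json(tostring(InitiatedBy.app)).displayName))
| extend Activity = "Application access added to application"
| extend ['Service Principal ObjectId'] = tostring(TargetResources[1].id)
| project
    TimeGenerated,
    Activity,
    ['Permissions granted'],
    ['Service Principal ObjectId'],
    Actor;
// Both branches project the same columns, so union yields one consistent result set
union delegatedaccess, appaccess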
This query detects when either application or delegated access is granted to a service principal in Azure AD. It uses the Azure Active Directory - Audit Logs data connector. The query retrieves audit logs for adding delegated permission grants and app role assignments to service principals, extracts the permissions granted, the service principal object ID, and the actor who initiated the action, and then combines the two result sets with the union operator.

Matt Zorich
Released: June 17, 2022