Query Details
//Query to find applications that have had delegated permissions granted to them
//Data connector required for this query - Azure Active Directory - Audit Logs
AuditLogs
| where Category == "ApplicationManagement"
| where OperationName has "Add delegated permission grant"
| extend UpdatedPermissions = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].newValue)))
| extend AppId = tostring(TargetResources[1].id)
| project TimeGenerated, UpdatedPermissions, OperationName, AppId
This query finds applications that have been granted delegated permissions. It requires the Azure Active Directory - Audit Logs data connector. It filters AuditLogs to the "ApplicationManagement" category and the "Add delegated permission grant" operation, extracts the updated permissions and the application ID from TargetResources, and projects the time generated, updated permissions, operation name, and application ID.
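
The following is an added example, not part of the original query: it keeps the same extraction, then splits the granted scope string into individual permissions and returns only grants that include a scope on a watchlist. `SampleAuditLogs`, its placeholder ids and the `WatchedScopes` list are assumptions made for illustration; the sample rows are constructed and carry only the fields the query reads.

```kql
// Assumed watchlist of delegated scopes to review; adjust for your tenant.
let WatchedScopes = dynamic(["Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"]);
// Constructed rows standing in for AuditLogs; ids are placeholders, not real values.
let SampleAuditLogs = datatable(TimeGenerated: datetime, Category: string, OperationName: string, TargetResources: dynamic)
[
    datetime(2022-06-17 09:00:00), "ApplicationManagement", "Add delegated permission grant",
        dynamic([{"id": "resource-sp-placeholder", "modifiedProperties": [{"newValue": "User.Read Mail.ReadWrite offline_access"}]}, {"id": "app-placeholder-1"}]),
    datetime(2022-06-17 09:05:00), "ApplicationManagement", "Add delegated permission grant",
        dynamic([{"id": "resource-sp-placeholder", "modifiedProperties": [{"newValue": "User.Read"}]}, {"id": "app-placeholder-2"}]),
    datetime(2022-06-17 09:10:00), "ApplicationManagement", "Update application",
        dynamic([{"id": "app-placeholder-3", "modifiedProperties": []}])
];
SampleAuditLogs // replace with AuditLogs to run against real data
| where Category == "ApplicationManagement"
| where OperationName has "Add delegated permission grant"
// Same extraction as the query above
| extend UpdatedPermissions = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].newValue)))
| extend AppId = tostring(TargetResources[1].id)
// Scopes arrive as one space-separated string; split into one row per scope
| extend Scope = split(trim(@"\s+", UpdatedPermissions), " ")
| mv-expand Scope to typeof(string)
| where isnotempty(Scope)
// Rebuild one row per grant, keeping the watched scopes separately
| summarize GrantedScopes = make_set(Scope),
            WatchedGranted = make_set_if(Scope, Scope in~ (WatchedScopes))
    by TimeGenerated, OperationName, AppId
| where array_length(WatchedGranted) > 0
| project TimeGenerated, AppId, OperationName, WatchedGranted, GrantedScopes
```

On the sample rows only the grant to `app-placeholder-1` is returned, with `Mail.ReadWrite` and `offline_access` in `WatchedGranted`.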

Matt Zorich
Released: June 17, 2022