Query Details
//Summarize the permissions granted to your Azure AD apps over the last year
//Data connector required for this query - Azure Active Directory - Audit Logs
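//Find applications (service principals) that have been deleted at any point in the retained audit history
//Only successful removals are used: a failed "Remove service principal" attempt would otherwise
//hide an app that still exists and still holds the permissions counted below
let deletedapps=
AuditLogs
| where OperationName == "Remove service principal"
| where Result =~ "success"
| extend ServicePrincipalId = tostring(TargetResources[0].id)
//Never let an unreadable target id become an (empty) exclusion key
| where isnotempty(ServicePrincipalId)
| distinct ServicePrincipalId;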
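//Delegated permission grants (user/admin consent) recorded in the last year, one row per grant event
let delegatedaccess=
AuditLogs
| where TimeGenerated > ago(365d)
| where OperationName has "Add delegated permission grant"
//Only consents that succeeded grant anything; failed attempts are still written to the audit log
| where Result =~ "success"
//newValue arrives as a JSON-encoded string, hence the parse_json/tostring round trips;
//the query treats it as a space-separated list of scopes (see split below)
| extend x = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].newValue)))
| extend ['Permissions granted'] = split(x, ' ')
//Assumes TargetResources[1] is the client service principal that received the grant - confirm against a sample event
| extend ServicePrincipalId = tostring(TargetResources[1].id)
| extend ['Permission type'] = "Delegated"
//Keep the latest event per service principal AND scope list. Keying on ServicePrincipalId alone
//kept only the newest grant per app, silently dropping separate grants (e.g. to other resource APIs)
| summarize arg_max(TimeGenerated, *) by ServicePrincipalId, x
//Exclude deleted applications
| where ServicePrincipalId !in (deletedapps)
| project
TimeGenerated,
['Permission type'],
['Permissions granted'],
ServicePrincipalId;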
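//Application permissions (app role assignments) recorded in the last year, one row per assignment event
let appaccess=
AuditLogs
| where TimeGenerated > ago(365d)
| where OperationName has "Add app role assignment to service principal"
//Only assignments that succeeded grant anything; failed attempts are still written to the audit log
| where Result =~ "success"
//newValue arrives as a JSON-encoded string, hence the parse_json/tostring round trips;
//modifiedProperties[1] is assumed to carry the app role value - confirm against a sample event
| extend x = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| extend ['Permissions granted'] = split(x, ' ')
| extend ['Permission type'] = "Application"
//Assumes TargetResources[1] is the service principal that received the role - confirm against a sample event
| extend ServicePrincipalId = tostring(TargetResources[1].id)
//Keep the latest event per service principal AND role value. Each app role is typically logged as its
//own event, so keying on ServicePrincipalId alone kept a single permission per app and undercounted the rest
| summarize arg_max(TimeGenerated, *) by ServicePrincipalId, x
//Exclude deleted applications
| where ServicePrincipalId !in (deletedapps)
| project
TimeGenerated,
ServicePrincipalId,
['Permission type'],
['Permissions granted'];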
union delegatedaccess, appaccess
//One output row per individual permission; the arrays built by split() become plain strings here
| mv-expand GrantedPermission = ['Permissions granted'] to typeof(string)
| where isnotempty(GrantedPermission)
//Prefix with the consent model so "Delegated - User.Read" and "Application - User.Read" are counted apart
| project Permission = strcat(['Permission type'], " - ", GrantedPermission)
| summarize PermissionCount = count() by Permission
| sort by PermissionCount desc

This query summarizes the permissions granted to Azure AD apps over the last year. It uses the Azure Active Directory - Audit Logs data connector.
First, it collects the applications that have been deleted. It then retrieves the delegated permissions and the application permissions granted within the last year, excluding deleted applications from both sets.
The results are combined and expanded to show each individual permission granted. Finally, the permissions are counted and sorted in descending order based on the number of occurrences.

Matt Zorich
Released: June 17, 2022