OAuth App Evaluation

# *OAuth App Permissions Evaluation*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1528 | Steal Application Access Token | https://attack.mitre.org/techniques/T1528/ |


#### Description
This KQL query inventories all enabled OAuth applications in the Microsoft 365 environment and analyses their permissions. It counts how often each permission value occurs across the enabled apps and lists every app together with its publisher information, permission type and privilege level. The goal is to surface potentially risky or overly privileged OAuth apps, in particular apps holding rare, high-privilege permissions from unverified publishers, that could be abused for data exfiltration or privilege escalation.

#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**

#### References

## Defender XDR
```KQL
// Pass 1: how many enabled apps hold each permission value.
let PermissionCount = OAuthAppInfo 
| where AppStatus == "Enabled"
| mv-expand Permissions                                                // one row per app and permission
| evaluate bag_unpack(Permissions, columnsConflict='keep_source')      // PermissionType, PermissionValue, ... become columns
| summarize arg_max(TimeGenerated, *) by OAuthAppId, PermissionValue   // latest snapshot only, so repeated inventory rows are not double counted
| summarize Num_PermissionofApp=count() by PermissionValue;
// Pass 2: per-app detail, enriched with the frequency of each permission.
OAuthAppInfo 
| where AppStatus == "Enabled"
| mv-expand Permissions
| evaluate bag_unpack(Permissions, columnsConflict='keep_source')
| summarize arg_max(TimeGenerated, *) by OAuthAppId, PermissionValue
| extend Publisher=VerifiedPublisher.displayName
// kind=inner is required here: the default join kind (innerunique) keeps only one
// left-side row per PermissionValue and silently drops every other app that holds it.
| join kind=inner PermissionCount on PermissionValue
| project OAuthAppId, AppName, Publisher, AddedOnTime, LastModifiedTime, ConsentedUsersCount, PermissionType, PermissionValue, PrivilegeLevel, Num_PermissionofApp, AppOrigin
| sort by Num_PermissionofApp desc
```

Explanation

This KQL query evaluates the OAuth applications registered in a Microsoft 365 environment, focusing on their permissions. Step by step:

  1. Identify active OAuth apps: the query first filters OAuthAppInfo to applications whose AppStatus is Enabled.

  2. Expand permissions: mv-expand turns each app's Permissions array into one row per app and permission, and bag_unpack lifts the fields of each permission (type, value, privilege level) into columns. arg_max on TimeGenerated keeps only the latest snapshot of each app/permission pair, so repeated inventory rows are not counted twice.

  3. Summarize permission usage: the first pass counts how many enabled apps hold each permission value. The common permissions form the baseline; a permission held by only one or two apps stands out and deserves a closer look.

  4. Detailed app information: the second pass retrieves the per-app rows, including the app's name, verified publisher, when it was added and last modified, the number of users who have consented to it, the permission type, the privilege level, and the origin of the app.

  5. Join and project data: finally, the permission frequency is joined onto the detailed app rows on PermissionValue, giving one row per app and permission with the count of apps that share that permission.

The goal of this query is to identify OAuth applications that hold risky or excessive permissions, which could be abused for data theft or unauthorized access escalation. Rows with a high privilege level, an application (rather than delegated) permission type, a low Num_PermissionofApp and an empty Publisher are the natural starting point for triage.
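To make the aggregation steps inspectable without a tenant, here is an added Python emulation of the query over a few constructed OAuthAppInfo-like records. This is example code written for this page, not the author's query and not a Microsoft API. The records, app names and IDs are made up; placing PrivilegeLevel inside each Permissions entry is an assumption about the bag layout, consistent with what bag_unpack yields in the query above; and the triage() filter is a hypothetical follow-up step, not part of the page's query. The emulation also shows what the default KQL join kind (innerunique) would do to the result set compared with an inner join.

```python
from collections import Counter
from datetime import datetime

# Constructed sample snapshots, shaped like the OAuthAppInfo columns the KQL uses.
# Values are made up. PrivilegeLevel inside each Permissions entry is an assumption
# about the bag layout, consistent with the query's bag_unpack.
SAMPLE_ROWS = [
    {"TimeGenerated": datetime(2025, 12, 1, 8, 0), "OAuthAppId": "app-aaa",
     "AppName": "Contoso Mail Sync", "AppStatus": "Enabled", "AppOrigin": "External",
     "ConsentedUsersCount": 3, "VerifiedPublisher": {"displayName": None},
     "Permissions": [
         {"PermissionType": "Application", "PermissionValue": "Mail.ReadWrite", "PrivilegeLevel": "High"},
         {"PermissionType": "Delegated", "PermissionValue": "User.Read", "PrivilegeLevel": "Low"}]},
    # Newer snapshot of the same app: arg_max must keep this one (5 consents, not 3).
    {"TimeGenerated": datetime(2025, 12, 2, 8, 0), "OAuthAppId": "app-aaa",
     "AppName": "Contoso Mail Sync", "AppStatus": "Enabled", "AppOrigin": "External",
     "ConsentedUsersCount": 5, "VerifiedPublisher": {"displayName": None},
     "Permissions": [
         {"PermissionType": "Application", "PermissionValue": "Mail.ReadWrite", "PrivilegeLevel": "High"},
         {"PermissionType": "Delegated", "PermissionValue": "User.Read", "PrivilegeLevel": "Low"}]},
    {"TimeGenerated": datetime(2025, 12, 2, 8, 0), "OAuthAppId": "app-bbb",
     "AppName": "Fabrikam Reporting", "AppStatus": "Enabled", "AppOrigin": "External",
     "ConsentedUsersCount": 40, "VerifiedPublisher": {"displayName": "Fabrikam Ltd"},
     "Permissions": [
         {"PermissionType": "Application", "PermissionValue": "Directory.Read.All", "PrivilegeLevel": "Medium"},
         {"PermissionType": "Delegated", "PermissionValue": "User.Read", "PrivilegeLevel": "Low"}]},
    {"TimeGenerated": datetime(2025, 12, 2, 8, 0), "OAuthAppId": "app-ccc",
     "AppName": "HR Portal", "AppStatus": "Enabled", "AppOrigin": "Internal",
     "ConsentedUsersCount": 120, "VerifiedPublisher": {"displayName": None},
     "Permissions": [
         {"PermissionType": "Delegated", "PermissionValue": "User.Read", "PrivilegeLevel": "Low"},
         {"PermissionType": "Delegated", "PermissionValue": "Files.Read", "PrivilegeLevel": "Low"}]},
    # Disabled app: the AppStatus filter drops it, so its Mail.ReadWrite is not counted.
    {"TimeGenerated": datetime(2025, 12, 2, 8, 0), "OAuthAppId": "app-ddd",
     "AppName": "Old Mailer", "AppStatus": "Disabled", "AppOrigin": "External",
     "ConsentedUsersCount": 0, "VerifiedPublisher": {"displayName": None},
     "Permissions": [
         {"PermissionType": "Application", "PermissionValue": "Mail.ReadWrite", "PrivilegeLevel": "High"}]},
]


def expand_permissions(rows):
    """where AppStatus == "Enabled" | mv-expand Permissions | evaluate bag_unpack."""
    flat = []
    for row in rows:
        if row["AppStatus"] != "Enabled":
            continue
        for perm in row["Permissions"]:
            merged = {k: v for k, v in row.items() if k != "Permissions"}
            # columnsConflict='keep_source': a bag key never overwrites a table column.
            merged.update({k: v for k, v in perm.items() if k not in merged})
            flat.append(merged)
    return flat


def latest_per_app_permission(flat):
    """summarize arg_max(TimeGenerated, *) by OAuthAppId, PermissionValue."""
    latest = {}
    for r in flat:
        key = (r["OAuthAppId"], r["PermissionValue"])
        if key not in latest or r["TimeGenerated"] > latest[key]["TimeGenerated"]:
            latest[key] = r
    return list(latest.values())


def permission_counts(deduped):
    """summarize Num_PermissionofApp=count() by PermissionValue."""
    return Counter(r["PermissionValue"] for r in deduped)


def evaluate(rows, join_kind="inner"):
    """Whole query. join_kind="innerunique" mimics KQL's default join, which keeps one
    left-side row per PermissionValue and silently drops the other apps holding it."""
    deduped = latest_per_app_permission(expand_permissions(rows))
    counts = permission_counts(deduped)
    if join_kind == "innerunique":
        first = {}
        for r in deduped:
            first.setdefault(r["PermissionValue"], r)
        deduped = list(first.values())
    results = [{"OAuthAppId": r["OAuthAppId"], "AppName": r["AppName"],
                "Publisher": r["VerifiedPublisher"].get("displayName"),
                "ConsentedUsersCount": r["ConsentedUsersCount"],
                "PermissionType": r["PermissionType"], "PermissionValue": r["PermissionValue"],
                "PrivilegeLevel": r["PrivilegeLevel"], "AppOrigin": r["AppOrigin"],
                "Num_PermissionofApp": counts[r["PermissionValue"]]} for r in deduped]
    return sorted(results, key=lambda x: (x["OAuthAppId"], x["PermissionValue"]))


def triage(results, max_apps=2):
    """Hypothetical follow-up filter (not in the page's query): rare, high-privilege
    application permissions held by apps without a verified publisher."""
    return [(r["AppName"], r["PermissionValue"]) for r in results
            if r["PrivilegeLevel"] == "High" and r["PermissionType"] == "Application"
            and r["Num_PermissionofApp"] <= max_apps and not r["Publisher"]]


if __name__ == "__main__":
    for r in evaluate(SAMPLE_ROWS):
        print(r["AppName"], r["PermissionValue"], r["PrivilegeLevel"], r["Num_PermissionofApp"])
    print("flagged:", triage(evaluate(SAMPLE_ROWS)))
```

On these constructed records the inner join yields six app/permission rows, while the innerunique emulation yields four, because two of the three apps holding User.Read are discarded. Only Contoso Mail Sync with Mail.ReadWrite survives the triage filter: it is an application permission rated High, held by a single app, with no verified publisher. Directory.Read.All is not flagged because it is rated Medium and the app has a verified publisher.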

Details

Benjamin Zulliger

Released: December 3, 2025

Tables

OAuthAppInfo

Keywords

OAuthApplications, MicrosoftEnvironment, Permissions, PublisherInformation, PrivilegeLevels, DataExfiltration, PrivilegeEscalation

Operators

let, where, mv-expand, evaluate, bag_unpack, summarize, arg_max, by, sort, desc, extend, join, on, project