OAuth App Permissions Evaluation
O Auth App Evaluation
Query
let PermissionCount = OAuthAppInfo
| where AppStatus == "Enabled"
| mv-expand Permissions
| evaluate bag_unpack(Permissions, columnsConflict='keep_source')
| summarize arg_max(TimeGenerated, *) by OAuthAppId, PermissionValue
| summarize Num_PermissionofApp=count() by PermissionValue
| sort by Num_PermissionofApp desc;
OAuthAppInfo
| where AppStatus == "Enabled"
| mv-expand Permissions
| evaluate bag_unpack(Permissions, columnsConflict='keep_source')
| summarize arg_max(TimeGenerated, *) by OAuthAppId, PermissionValue
| extend Publisher=VerifiedPublisher.displayName
| join PermissionCount on PermissionValue
| project OAuthAppId, AppName, Publisher, AddedOnTime, LastModifiedTime, ConsentedUsersCount, PermissionType, PermissionValue, PrivilegeLevel, Num_PermissionofApp, AppOriginAbout this query
OAuth App Permissions Evaluation
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1528 | Abuse of OAuth Mechanisms | https://attack.mitre.org/techniques/T1528/ |
Description
This KQL query identifies all activated OAuth applications in the Microsoft 365 environment and analyses their permissions. It shows how often certain permissions occur in the environment and lists the applications with their publisher information, permission types and privilege levels. The goal is to identify potentially risky or overly privileged OAuth apps that could be exploited for attacks such as data exfiltration or privilege escalation.
Author <Optional>
- Name: Benjamin Zulliger
- Github: https://github.com/benscha/KQLAdvancedHunting
- LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/
References
Defender XDR
Explanation
This KQL query is designed to evaluate OAuth applications within a Microsoft 365 environment, focusing on their permissions. Here's a simplified breakdown of what the query does:
-
Identify Active OAuth Apps: The query first filters for OAuth applications that are currently enabled.
-
Analyze Permissions: It expands the list of permissions for each application and analyzes them to determine how frequently each permission is used across all apps.
-
Summarize Permission Usage: The query summarizes the data to count how many times each permission appears, sorting them by frequency in descending order. This helps identify the most commonly used permissions.
-
Detailed App Information: It then retrieves detailed information about each OAuth application, including the app's name, publisher, when it was added and last modified, the number of users who have consented to it, the type of permission, the privilege level, and the origin of the app.
-
Join and Project Data: Finally, it combines the permission frequency data with the detailed app information to provide a comprehensive view of each app's permissions and their potential risk level.
The goal of this query is to help identify OAuth applications that may have risky or excessive permissions, which could be exploited for malicious activities like data theft or unauthorized access escalation.
Details

Benjamin Zulliger
Released: December 3, 2025
Tables
Keywords
Operators
MITRE Techniques