Query Details

Office Activity Exchange Scoping Policy Applied

Query

//Detect when a new scoping policy is applied. Scoping policies are used to limit permissions to Exchange mailboxes being accessed via OAuth, and they should be configured with least privilege

//Data connector required for this query - Office 365

OfficeActivity
| where Operation == "New-ApplicationAccessPolicy"
| extend GroupPolicyAppliedTo = tostring(parse_json(Parameters)[1].Value)
| extend AppId = tostring(parse_json(Parameters)[0].Value)
| extend AccessRight = tostring(parse_json(Parameters)[2].Value)
| project TimeGenerated, Actor=UserId, Operation, AccessRight, GroupPolicyAppliedTo, AppId

Explanation

This query detects when a new scoping policy is applied in Office 365. Scoping policies are used to limit permissions to Exchange mailboxes accessed via OAuth. The query returns the time the policy was applied, the user who applied it, the operation name, the access right set by the policy, the group the policy was applied to, and the application ID.
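
An added example, not part of the original query: the same detection reading each parameter by name instead of by array position, so the output columns stay correct if the logged parameter order differs. It assumes the Name fields in Parameters match the cmdlet's parameter names (AppId, PolicyScopeGroupId, AccessRight); the datatable rows are constructed sample data.

```kql
// Constructed rows standing in for OfficeActivity; every value is a placeholder.
// Row 1 logs the parameters in the order the positional query expects.
// Row 2 logs them in a different order and includes a Description entry.
let SampleOfficeActivity = datatable(TimeGenerated:datetime, UserId:string, Operation:string, Parameters:string)
[
    datetime(2022-06-17 10:00:00), "admin1@contoso.example", "New-ApplicationAccessPolicy",
    '[{"Name":"AppId","Value":"00000000-0000-0000-0000-000000000001"},{"Name":"PolicyScopeGroupId","Value":"scoped-mailboxes@contoso.example"},{"Name":"AccessRight","Value":"RestrictAccess"}]',
    datetime(2022-06-17 11:00:00), "admin2@contoso.example", "New-ApplicationAccessPolicy",
    '[{"Name":"AccessRight","Value":"DenyAccess"},{"Name":"Description","Value":"constructed sample"},{"Name":"AppId","Value":"00000000-0000-0000-0000-000000000002"},{"Name":"PolicyScopeGroupId","Value":"finance-mailboxes@contoso.example"}]'
];
SampleOfficeActivity
| where Operation == "New-ApplicationAccessPolicy"
// Fold the Name/Value array into one property bag per event.
| mv-apply Param = parse_json(Parameters) on (
    summarize ParamBag = make_bag(bag_pack(tostring(Param.Name), tostring(Param.Value)))
  )
// Look each value up by parameter name (assumed names, see the lead-in).
| extend AppId = tostring(ParamBag.AppId),
         GroupPolicyAppliedTo = tostring(ParamBag.PolicyScopeGroupId),
         AccessRight = tostring(ParamBag.AccessRight)
| project TimeGenerated, Actor = UserId, Operation, AccessRight, GroupPolicyAppliedTo, AppId
```

Replace SampleOfficeActivity with OfficeActivity to run it against the Office 365 connector data.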

Details

Matt Zorich

Released: June 17, 2022

Tables

OfficeActivity

Keywords

OfficeActivity,Operation,New-ApplicationAccessPolicy,GroupPolicyAppliedTo,AppId,AccessRight,TimeGenerated,Actor,UserId

Operators

where,==,extend,tostring,parse_json,[index],Value,project
