Query Details

Overprivileged Admin Consented OAuth Applications

Query

// Following the principle of least privilege, have you reviewed the permissions granted to your admin-consented OAuth applications? It’s important to identify applications with permissions that are no longer utilized after being consented. Use the KQL query below to audit and analyze the overprivileged permissions assigned to these applications.

OAuthAppInfo
| mv-expand Permissions
| where Permissions.InUse == false
| where IsAdminConsented == 1
| where AppStatus == "Enabled"
| summarize UnUsedPermission=count() by AppName,
tostring(Permissions.TargetAppDisplayName),
tostring(Permissions.PermissionValue)

Explanation

This KQL query is designed to help you audit and analyze OAuth applications that have been granted admin consent but may have unnecessary permissions. Here's a simple breakdown of what the query does:

  1. Data Source: It starts by looking at a dataset called OAuthAppInfo, which contains information about OAuth applications and their permissions.

  2. Expand Permissions: The query uses mv-expand to break out the list of permissions for each application into individual entries, so each permission can be analyzed separately.

  3. Filter Unused Permissions: It filters the data to find permissions that are not currently in use (Permissions.InUse == false).

  4. Admin Consented and Enabled Apps: It further narrows down the results to applications that have been granted admin consent (IsAdminConsented == 1) and are currently enabled (AppStatus == "Enabled").

  5. Summarize Results: Finally, it summarizes the data by counting the number of unused permissions for each application. The results are grouped by the application name, the display name of the target application for the permission, and the specific permission value.

In essence, this query helps identify and count unused permissions in admin-consented and enabled OAuth applications, which can help in reducing overprivileged access and enhancing security by following the principle of least privilege.
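An added example, not part of the original query or the author's code: the same pipeline run against a constructed `datatable`, so the effect of each filter is visible without tenant data, and extended beyond the query above to roll the unused permissions up into one row per app and target API. The app names and permission values are constructed sample data, and only the columns the query above references are modelled.

```kql
// Constructed sample rows standing in for OAuthAppInfo (assumption: only the
// columns used by the query above are modelled here).
let SampleOAuthAppInfo = datatable(AppName:string, AppStatus:string, IsAdminConsented:bool, Permissions:dynamic)
[
    // Enabled + admin-consented, two of three permissions unused: should be reported.
    "Contoso Reporting", "Enabled", true,
        dynamic([
            {"TargetAppDisplayName":"Microsoft Graph","PermissionValue":"Mail.Read","InUse":false},
            {"TargetAppDisplayName":"Microsoft Graph","PermissionValue":"User.Read.All","InUse":true},
            {"TargetAppDisplayName":"Microsoft Graph","PermissionValue":"Files.Read.All","InUse":false}
        ]),
    // Disabled app: dropped by the AppStatus filter even though the permission is unused.
    "Contoso Legacy Sync", "Disabled", true,
        dynamic([
            {"TargetAppDisplayName":"Microsoft Graph","PermissionValue":"Directory.ReadWrite.All","InUse":false}
        ]),
    // Not admin-consented: dropped by the IsAdminConsented filter.
    "Fabrikam Notes", "Enabled", false,
        dynamic([
            {"TargetAppDisplayName":"Microsoft Graph","PermissionValue":"Notes.Read","InUse":false}
        ])
];
SampleOAuthAppInfo
// Filter on the scalar columns first so fewer rows reach mv-expand.
| where IsAdminConsented == true and AppStatus == "Enabled"
// One output row per element of the Permissions array.
| mv-expand Permission = Permissions
| where tobool(Permission.InUse) == false
// make_set collapses duplicates if the same app appears in more than one row.
| summarize UnusedPermissions = make_set(tostring(Permission.PermissionValue))
    by AppName, TargetApp = tostring(Permission.TargetAppDisplayName)
| extend UnusedCount = array_length(UnusedPermissions)
| order by UnusedCount desc
```

Replacing `SampleOAuthAppInfo` with `OAuthAppInfo` and removing the `let` statement runs the same rollup against live data.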

Details

Steven Lim

Released: April 15, 2025

Tables

OAuthAppInfo

Keywords

OAuth, Applications, Permissions, AppName, TargetAppDisplayName, PermissionValue

Operators

mv-expand, where, summarize, by, tostring
