Query Details

Risk Based Step Up Consent RBSU For Application

Query

AuditLogs
| where OperationName == "Consent to application"
| where parse_json(tostring(TargetResources[0].modifiedProperties))[5].displayName == "ConsentAction.Reason"
| where parse_json(tostring(TargetResources[0].modifiedProperties))[5].newValue contains "Risky application detected"
//Risk Based Step up flow to Admin Flow. This will log even if the permissions being requested are already admin consentable.
//https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-risk-based-step-up-consent?WT.mc_id=MVP_473477
//Ref: https://youtu.be/JBt-sB0qXqk?t=973

Explanation

This KQL (Kusto Query Language) query is designed to filter audit logs to identify specific instances where an application consent operation has occurred. Here's a simple breakdown of what the query does:

  1. AuditLogs: The query is run on the AuditLogs table, which contains records of various operations performed in the system.

  2. Filter by Operation Name: It first filters the logs to only include entries where the operation name is "Consent to application." This means it is looking for events where consent was given to an application.

  3. Parse and Filter by Modified Properties: The query then parses the modifiedProperties of the first target resource in the log entry. It specifically looks at the sixth element (index 5) of this parsed JSON array.

  4. Check for Specific Consent Reason: It checks if the displayName of this element is "ConsentAction.Reason" and if the newValue contains the phrase "Risky application detected." This means it is identifying consents that were given for applications flagged as risky.

  5. Comments: The comments in the query provide additional context:

    • It mentions that this is related to a "Risk Based Step up flow to Admin Flow," indicating that this process involves additional scrutiny or steps for risky applications, even if the permissions requested are already eligible for admin consent.
    • It provides links to documentation and a video for further reference on configuring risk-based step-up consent.

In summary, this query is used to find audit log entries where consent was given to applications identified as risky, providing insights into potentially sensitive or high-risk consent actions.

Details

Jay Kerai profile picture

Jay Kerai

Released: October 3, 2025

Tables

AuditLogs

Keywords

AuditLogsConsentApplicationTargetResourcesConsentActionReasonRiskyAdminPermissions

Operators

AuditLogs|where==parse_jsontostring[].contains

Actions

GitHub