Query Details

List .All MS Graph Permissions Added

All Graph Permissions Added

Query

AuditLogs
| where Category == "ApplicationManagement"
| where ActivityDisplayName in ("Add delegated permission grant", "Add app role assignment to service principal")
| mv-expand TargetResources
| where TargetResources.displayName == "Microsoft Graph"
| mv-expand TargetResources.modifiedProperties
| extend InitiatedByUserPrincipalName = InitiatedBy.user.userPrincipalName
| extend AddedPermission = replace_string(tostring(TargetResources_modifiedProperties.newValue),'"','')
| extend IP = todynamic(InitiatedBy).user.ipAddress
| extend ServicePrincipalAppId = replace_string(tostring(todynamic(TargetResources).modifiedProperties[5].newValue),'"','')
| where AddedPermission has ".All"
| project-reorder TimeGenerated, InitiatedByUserPrincipalName, ActivityDisplayName, AddedPermission, IP, ServicePrincipalAppId

About this query

List *.All MS Graph Permissions Added

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1098Account Manipulationhttps://attack.mitre.org/techniques/T1098/

Description

This rule detects the usage of *.All Microsoft Graph permissions that are added. *.All permissions should be scoped if possible, this ensures that the least privilege principle can still be applied. You should monitor for overpermissive applications and rare permissions that are added to applications.

Risk

*.All permissions are very permissive and should be limited, adversaries can use those credentials to access *.All data when those permissions are assigned.

References

Sentinel

Explanation

This query is designed to monitor and detect when highly permissive Microsoft Graph permissions, specifically those ending in ".All", are added to applications. Here's a simplified breakdown of what the query does:

  1. Data Source: It looks at the AuditLogs data, specifically focusing on logs related to application management activities.

  2. Activity Filtering: It filters the logs to find activities where either a delegated permission grant is added or an app role assignment is made to a service principal. These activities indicate changes in permissions.

  3. Target Resource: The query further narrows down the results to activities involving the "Microsoft Graph" service, which is a key API for accessing Microsoft 365 data.

  4. Permission Extraction: It extracts and examines the permissions that were added. The query specifically looks for permissions that include ".All", which are very broad and allow access to all data of a certain type.

  5. User and IP Information: It captures the user who initiated the change and their IP address, providing context on who made the change and from where.

  6. Service Principal Information: It also captures the application ID of the service principal to which the permissions were added.

  7. Output: The query organizes the output to show the time of the event, the user who initiated it, the activity type, the added permission, the user's IP address, and the service principal's application ID.

The overall goal of this query is to help identify potentially risky permission changes that could lead to over-permissive access, which might be exploited by adversaries. By monitoring these changes, organizations can ensure they adhere to the principle of least privilege, reducing the risk of unauthorized data access.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 9, 2025

Tables

AuditLogs

Keywords

AuditLogsApplicationManagementMicrosoftGraphInitiatedByUserPrincipalNameAddedPermissionIPServicePrincipalAppId

Operators

AuditLogswhereinmv-expandextendreplace_stringtostringtodynamichasproject-reorder

MITRE Techniques

Actions

GitHub