Graph Activity From First Party Apps
Query
// Get a list of first party apps with activity to Microsoft Graph and enriched classification
let SensitiveMsGraphPermissions = externaldata(AppId: guid, AppRoleId: guid, AppRoleDisplayName: string, Category: string, EAMTierLevelName: string, EAMTierLevelTagValue: string)["https://raw.githubusercontent.com/Cloud-Architekt/AzurePrivilegedIAM/main/Classification/Classification_MsGraphAppRoles.json"] with (format='multijson')
| where isnotempty(EAMTierLevelName)
// Optional: Filtering for Control Plane only
//| where EAMTierLevelName == "ControlPlane"
| distinct AppRoleDisplayName;
_GetWatchlist('WorkloadIdentityInfo')
| where IsFirstPartyApp == "true"
| extend Identity = tostring(ServicePrincipalObjectId)
| join kind=inner (
MicrosoftGraphActivityLogs
| where TimeGenerated >ago(365d)
| where Roles has_any (SensitiveMsGraphPermissions)
| extend Roles = split(Roles, ' ')
| extend Identity = ServicePrincipalId
) on Identity
| summarize AppRoleScope = make_set( Roles ), TotalResponseSizeBytes = sum(ResponseSizeBytes) by AppDisplayName, ServicePrincipalObjectId, AppId, AppOwnerTenantId, ServicePrincipalType, SignInAudienceExplanation
This query is designed to identify and summarize first-party applications that have interacted with Microsoft Graph, focusing on those with specific sensitive permissions. Here's a breakdown of what the query does:
-
Load Sensitive Permissions Data: It starts by loading a dataset of sensitive Microsoft Graph permissions from an external JSON source. This dataset includes details like App IDs, Role IDs, Role Display Names, Categories, and Tier Levels.
-
Filter Sensitive Permissions: It filters this dataset to include only those entries where the "EAMTierLevelName" is not empty, indicating that these permissions have been classified with a tier level.
-
Identify First-Party Apps: The query then retrieves a list of first-party applications from a watchlist named 'WorkloadIdentityInfo'. These are applications developed by Microsoft or the organization itself.
-
Join with Activity Logs: It joins this list of first-party apps with Microsoft Graph activity logs from the past year. The join is based on the identity of the service principal (a unique identifier for the application).
-
Filter by Sensitive Permissions: The query filters the activity logs to include only those activities where the roles (permissions) used match any of the sensitive permissions identified earlier.
-
Summarize Activity: Finally, it summarizes the data by compiling a set of roles (permissions) used by each application and calculating the total response size in bytes for these activities. The summary is grouped by application display name, service principal object ID, app ID, app owner tenant ID, service principal type, and sign-in audience.
In simple terms, this query identifies first-party applications that have used sensitive Microsoft Graph permissions over the past year and provides a summary of their activity, including the permissions used and the total data exchanged.
Details

Thomas Naunheim
Released: June 8, 2026
Tables
Keywords
Operators