MDA O Auth App Disabled
Query
AuditLogs
| where Identity == "MAPG" //My Guess is this is Microsoft Application Goverance
| where OperationName == "Update service principal"
| where Category == "ApplicationManagement"
| where parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].newValue))[0] == false and parse_json(tostring(TargetResources[0].modifiedProperties))[0].displayName == "AccountEnabled"
//In the background MDA Disables the SP preventing application Permission and disables the app for user sign-in preventing delegated permissionsExplanation
This query is searching through audit logs to find specific events related to a service principal (a type of security identity used by applications or services to access specific resources). Here's a breakdown of what the query does:
-
AuditLogs: This is the dataset being queried, which contains logs of various actions and changes.
-
Filter by Identity: The query looks for logs where the
Identityis "MAPG". You guessed this might stand for Microsoft Application Governance, which seems reasonable given the context. -
Filter by Operation: It further narrows down the logs to those where the
OperationNameis "Update service principal". This means it's looking for events where a service principal was updated. -
Filter by Category: The query also specifies that the
Categoryshould be "ApplicationManagement", focusing on logs related to application management activities. -
Check Modified Properties: The query examines the
modifiedPropertiesof theTargetResourcesto find entries where:- The
newValueof the first modified property isfalse, and - The
displayNameof this property is "AccountEnabled".
This indicates that the account (service principal) was disabled.
- The
In summary, this query identifies logs where a service principal associated with Microsoft Application Governance was updated, specifically focusing on instances where the account was disabled. This action likely prevents the application from accessing permissions and stops user sign-ins, affecting both application and delegated permissions.
Details

Jay Kerai
Released: April 12, 2025
Tables
Keywords
Operators