Query Details

Modify Credentials Entra Connect App Identity

Query

let EntraConnectAppIdentities = OAuthAppInfo
| where parse_json(Permissions) has 'ADSynchronization.ReadWrite.All'
| summarize by AppName;
  AuditLogs
  | where OperationName has_any ("Add service principal", "Certificates and secrets management", "Update application")
  | where Result =~ "success"
  | mv-apply TargetResource = TargetResources on 
      (
      where TargetResource.type =~ "Application" or TargetResource.type =~ "ServicePrincipal"
      | extend
          TargetName = tostring(TargetResource.displayName),
          TargetObjectType = tostring(TargetResource.type),          
          ResourceId = tostring(TargetResource.id),
          AddedKeyEvent = TargetResource.modifiedProperties
      )
| where TargetName in~ (EntraConnectAppIdentities)
| extend InitiatingBy = iff(isnotempty(InitiatedBy.user.id), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| extend InitiatingUserOrAppId = iff(isnotempty(InitiatedBy.user.id), tostring(InitiatedBy.user.id), tostring(InitiatedBy.app.servicePrincipalId))
| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))
  | mv-apply Property = AddedKeyEvent on 
      (
      where Property.displayName =~ "KeyDescription" or Property.displayName =~ "FederatedIdentityCredentials"
      | extend
          NewValue = parse_json(tostring(Property.newValue)),
          OldValue = parse_json(tostring(Property.oldValue))
      )
  | extend diff = set_difference(NewValue, OldValue)
  | parse diff with * "KeyIdentifier=" keyIdentifier: string ",KeyType=" keyType: string ",KeyUsage=" keyUsage: string ",DisplayName=" keyDisplayName: string "]" *
| project ActivityDateTime, ActivityDisplayName, CorrelationId, Result, TargetName, TargetObjectType, InitiatingBy, InitiatingIpAddress, AddedKeyEvent, AddedKeyId = keyIdentifier, OldValue, NewValue

Explanation

This KQL query is designed to track and analyze specific changes made to applications or service principals within an Azure environment, focusing on those with certain permissions. Here's a simplified breakdown of what the query does:

  1. Identify Applications with Specific Permissions:

    • It first identifies applications that have the ADSynchronization.ReadWrite.All permission by querying the OAuthAppInfo table.
    • It summarizes these applications by their names, storing them in a variable called EntraConnectAppIdentities.
  2. Filter Audit Logs for Specific Operations:

    • It then queries the AuditLogs table to find logs related to operations like "Add service principal", "Certificates and secrets management", and "Update application".
    • It only considers logs where the operation was successful.
  3. Extract and Filter Target Resources:

    • For each log entry, it examines the TargetResources to find those of type "Application" or "ServicePrincipal".
    • It extracts details such as the target's name, type, and ID, and checks if the target name is in the list of identified applications (EntraConnectAppIdentities).
  4. Identify Initiator Details:

    • It determines who initiated the operation, whether it was a user or an application, and records their ID and IP address.
  5. Analyze Modified Properties:

    • It looks into the modified properties of the target resources, specifically focusing on changes related to "KeyDescription" or "FederatedIdentityCredentials".
    • It compares the new and old values of these properties to identify differences.
  6. Extract Key Details:

    • It parses the differences to extract details like KeyIdentifier, KeyType, KeyUsage, and DisplayName.
  7. Project Relevant Information:

    • Finally, it projects a set of relevant information including the date and time of the activity, the activity name, correlation ID, result, target details, initiator details, and the added key information.

In summary, this query is used to monitor and analyze changes to applications or service principals that have specific permissions, focusing on key management activities and identifying who initiated these changes.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: July 3, 2025

Tables

OAuthAppInfoAuditLogs

Keywords

OAuthAppInfoAuditLogsApplicationServicePrincipalKeyDescriptionFederatedIdentityCredentials

Operators

lethassummarize bywherehas_any=~mv-applyonextendtostringin~iffisnotemptyparse_jsonset_differenceparsewithproject

Actions

GitHub