Query Details

List .All MS Graph Permissions Added by application.

Total All Graph Permissions Added

Query

AuditLogs
| where Category == "ApplicationManagement"
| where ActivityDisplayName in ("Add delegated permission grant", "Add app role assignment to service principal")
| mv-expand TargetResources
| where TargetResources.displayName == "Microsoft Graph"
| mv-expand TargetResources.modifiedProperties
| extend InitiatedByUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend AddedPermission = replace_string(tostring(TargetResources_modifiedProperties.newValue),'"','')
| extend IP = tostring(todynamic(InitiatedBy).user.ipAddress)
| extend ServicePrincipalAppId = iff(OperationName == "Add delegated permission grant", replace_string(tostring(todynamic(TargetResources).modifiedProperties[2].newValue),'"','') , replace_string(tostring(todynamic(TargetResources).modifiedProperties[5].newValue),'"',''))
| where AddedPermission endswith ".All"
| summarize Permissions = make_set(AddedPermission) by ServicePrincipalAppId, IP, InitiatedByUserPrincipalName
| extend TotalPermissions = array_length(Permissions)
| project TotalPermissions, ServicePrincipalAppId, InitiatedByUserPrincipalName, IP, Permissions
| sort by TotalPermissions

About this query

List *.All MS Graph Permissions Added by application.

Query Information

Description

This rule detects the usage of *.All Microsoft Graph permissions that are added. *.All permissions should be scoped if possible, this ensures that the least privilege principle can still be applied. You should monitor for overpermissive applications and rare permissions that are added to applications. This query summarize the results for each ServicePrincipalAppId, especially applications that have been granted multiple *.All permissions should be investigated.

Risk

*.All permissions are very permissive and should be limited, adversaries can use those credentials to access *.All data when those permissions are assigned.

References

Sentinel

Explanation

This query is designed to identify and list Microsoft Graph permissions that end with ".All" and have been added to applications. These permissions are highly permissive and should be used cautiously to adhere to the principle of least privilege. Here's a simplified breakdown of what the query does:

  1. Source of Data: It starts by examining the AuditLogs table, specifically looking for logs related to application management activities.

  2. Filter Activities: It filters the logs to focus on two specific activities: "Add delegated permission grant" and "Add app role assignment to service principal". These activities indicate when permissions are granted to applications.

  3. Targeting Microsoft Graph: It further narrows down the logs to those where the target resource is "Microsoft Graph", ensuring that only relevant permissions are considered.

  4. Extracting Details: The query extracts various details such as:

    • The user who initiated the permission addition (InitiatedByUserPrincipalName).
    • The specific permission that was added (AddedPermission).
    • The IP address from which the action was initiated (IP).
    • The application ID to which the permission was granted (ServicePrincipalAppId).
  5. *Filtering for .All Permissions: It specifically looks for permissions that end with ".All", which are considered highly permissive.

  6. Summarizing Results: The query summarizes the results by grouping them based on the application ID, IP address, and the user who initiated the action. It creates a set of all permissions added for each application.

  7. Counting Permissions: It calculates the total number of ".All" permissions added for each application.

  8. Output: Finally, it projects the total number of permissions, application ID, user who initiated the action, IP address, and the list of permissions. The results are sorted by the total number of permissions to highlight applications with multiple ".All" permissions.

The purpose of this query is to help identify applications that may have been granted excessive permissions, which could pose a security risk if misused.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

AuditLogs

Keywords

AuditLogsApplicationManagementMicrosoftGraphPermissionsServicePrincipalAppIdIPInitiatedByUserPrincipalName

Operators

whereinmv-expandextendtostringreplace_stringiffendswithsummarizemake_setarray_lengthprojectsort by

Actions

GitHub