List .All MS Graph Permissions Added by application.
Total All Graph Permissions Added
Query
AuditLogs
| where Category == "ApplicationManagement"
| where ActivityDisplayName in ("Add delegated permission grant", "Add app role assignment to service principal")
| mv-expand TargetResources
| where TargetResources.displayName == "Microsoft Graph"
| mv-expand TargetResources.modifiedProperties
| extend InitiatedByUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend AddedPermission = replace_string(tostring(TargetResources_modifiedProperties.newValue),'"','')
| extend IP = tostring(todynamic(InitiatedBy).user.ipAddress)
| extend ServicePrincipalAppId = iff(OperationName == "Add delegated permission grant", replace_string(tostring(todynamic(TargetResources).modifiedProperties[2].newValue),'"','') , replace_string(tostring(todynamic(TargetResources).modifiedProperties[5].newValue),'"',''))
| where AddedPermission endswith ".All"
| summarize Permissions = make_set(AddedPermission) by ServicePrincipalAppId, IP, InitiatedByUserPrincipalName
| extend TotalPermissions = array_length(Permissions)
| project TotalPermissions, ServicePrincipalAppId, InitiatedByUserPrincipalName, IP, Permissions
| sort by TotalPermissionsAbout this query
List *.All MS Graph Permissions Added by application.
Query Information
Description
This rule detects the usage of *.All Microsoft Graph permissions that are added. *.All permissions should be scoped if possible, this ensures that the least privilege principle can still be applied. You should monitor for overpermissive applications and rare permissions that are added to applications. This query summarize the results for each ServicePrincipalAppId, especially applications that have been granted multiple *.All permissions should be investigated.
Risk
*.All permissions are very permissive and should be limited, adversaries can use those credentials to access *.All data when those permissions are assigned.
References
- https://learn.microsoft.com/en-us/graph/permissions-reference
- https://github.com/f-bader/AzSentinelQueries/blob/master/HuntingQueries/GrantHighPrivilegeMicrosoftGraphPermissions.yaml
- *.All Graph Permissions Added
Sentinel
Explanation
This query is designed to identify and list Microsoft Graph permissions that end with ".All" and have been added to applications. These permissions are highly permissive and should be used cautiously to adhere to the principle of least privilege. Here's a simplified breakdown of what the query does:
-
Source of Data: It starts by examining the
AuditLogstable, specifically looking for logs related to application management activities. -
Filter Activities: It filters the logs to focus on two specific activities: "Add delegated permission grant" and "Add app role assignment to service principal". These activities indicate when permissions are granted to applications.
-
Targeting Microsoft Graph: It further narrows down the logs to those where the target resource is "Microsoft Graph", ensuring that only relevant permissions are considered.
-
Extracting Details: The query extracts various details such as:
- The user who initiated the permission addition (
InitiatedByUserPrincipalName). - The specific permission that was added (
AddedPermission). - The IP address from which the action was initiated (
IP). - The application ID to which the permission was granted (
ServicePrincipalAppId).
- The user who initiated the permission addition (
-
*Filtering for .All Permissions: It specifically looks for permissions that end with ".All", which are considered highly permissive.
-
Summarizing Results: The query summarizes the results by grouping them based on the application ID, IP address, and the user who initiated the action. It creates a set of all permissions added for each application.
-
Counting Permissions: It calculates the total number of ".All" permissions added for each application.
-
Output: Finally, it projects the total number of permissions, application ID, user who initiated the action, IP address, and the list of permissions. The results are sorted by the total number of permissions to highlight applications with multiple ".All" permissions.
The purpose of this query is to help identify applications that may have been granted excessive permissions, which could pose a security risk if misused.
Details

Bert-Jan Pals
Released: October 20, 2024
Tables
Keywords
Operators