KQL, Hunting
Risk Based Step Up Consent (RBSU) for Application
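Finds consent events where risk-based step-up consent moved the request to the admin consent flow because the application was flagged as risky. This will log even if the permissions being requested are already admin consentable.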
Detection Query
AuditLogs
| where OperationName == "Consent to application"
| where parse_json(tostring(TargetResources[0].modifiedProperties))[5].displayName == "ConsentAction.Reason"
| where parse_json(tostring(TargetResources[0].modifiedProperties))[5].newValue contains "Risky application detected"
// Risk-based step-up consent moved this request to the admin consent flow.
// This will log even if the permissions being requested are already admin consentable.
// Docs: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-risk-based-step-up-consent?WT.mc_id=MVP_473477
// Ref: https://youtu.be/JBt-sB0qXqk?t=973
Data Sources
AuditLogs
Platforms
azure-ad
Tags
entra
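The detection query above reads the consent reason from a fixed position (index 5) in modifiedProperties, so it returns nothing if that property appears at a different index in a given record. The variant below is an added example, not part of the original entry: it matches the property by name and projects the fields an analyst needs for triage. The output column names (Actor, ActorIp, AppDisplayName, AppObjectId, ConsentReason) are chosen here for illustration.

```kql
AuditLogs
| where OperationName == "Consent to application"
// Same parse as the original query, but keep the whole array instead of element [5]
| extend ModifiedProperties = parse_json(tostring(TargetResources[0].modifiedProperties))
// Evaluate every modified property; rows with no matching property are dropped
| mv-apply Property = ModifiedProperties on (
    where tostring(Property.displayName) == "ConsentAction.Reason"
    | where tostring(Property.newValue) contains "Risky application detected"
    | project ConsentReason = tostring(Property.newValue)
)
// Who attempted the consent, from where, and for which application
| project TimeGenerated,
          Actor = tostring(InitiatedBy.user.userPrincipalName),
          ActorIp = tostring(InitiatedBy.user.ipAddress),
          AppDisplayName = tostring(TargetResources[0].displayName),
          AppObjectId = tostring(TargetResources[0].id),
          ConsentReason,
          Result,
          CorrelationId
| sort by TimeGenerated desc
```

CorrelationId can be used to pull the other AuditLogs rows written for the same consent attempt.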