kql / Hunting
MCP Server Registered to Entra
Detection Query
AuditLogs
| where ActivityDisplayName contains "permission grant"
//| where tostring(parse_json(TargetResources)[0].displayName) == 'Microsoft MCP Server for Enterprise' //Example https://learn.microsoft.com/en-us/graph/mcp-server/get-started?tabs=http%2Cvscode
| where tostring(parse_json(TargetResources)[0].modifiedProperties) contains "MCP." //MCP permissions have MCP. prefix, for example "MCP.AccessReview.Read.All, MCP.AdministrativeUnit.Read.All, MCP.Application.Read.All"
Data Sources
AuditLogs
Platforms
azure-ad
Tags
entra