kqlHunting

Modifications To ApplicationManagementPolicy for Entra App Registrations

This query looks for modifications to ApplicationManagementPolicy, which could indicate someone attempting to bypass an app management policy that blocks client secrets from being used for an app registration.

Detection Query

// This query looks for modifications to ApplicationManagementPolicy, which could indicate someone attempting to bypass an app management policy that blocks client secrets from being used for an app registration.
AuditLogs
| where OperationName == "Add policy"
| where TargetResources[0].displayName == "ApplicationManagementPolicy"
//Ref https://learn.microsoft.com/en-us/graph/api/tenantappmanagementpolicy-update?view=graph-rest-1.0&tabs=http?WT.mc_id=MVP_473477

Data Sources

AuditLogs

Platforms

azure-ad

Tags

entra