Hunting query that identifies admin consent grants to Entra ID applications. Admin consent (also referred to as tenant-wide consent) allows an administrator to authorize an application to access resources on behalf of all users in the tenant, without requiring individual user consent. This is identified in AuditLogs by the presence of the AllPrincipals principal type in the ConsentAction.Permissions modified property. Admin consent grants are a high-value persistence mechanism. Once granted, the
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Standalone Content |
| ID | 0364b6b6-65cf-4ba2-ad0d-9ce80e0ae71e |
| Tactics | CredentialAccess, Persistence |
| Techniques | T1528, T1098 |
| Required Connectors | AzureActiveDirectory |
| Source | [View on GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AuditLogs/AdminConsentGrantedToApplication.yaml) |