Delegated Permissions Granted For All Users

 1title: Delegated Permissions Granted For All Users
 2id: a6355fbe-f36f-45d8-8efc-ab42465cbc52
 3status: test
 4description: Detects when highly privileged delegated permissions are granted on behalf of all users
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
 7author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
 8date: 2022-07-28
 9tags:
10    - attack.credential-access
11    - attack.t1528
12logsource:
13    product: azure
14    service: auditlogs
15detection:
16    selection:
17        properties.message: Add delegated permission grant
18    condition: selection
19falsepositives:
20    - When the permission is legitimately needed for the app
21level: high

References

• Microsoft Entra security operations for applications - Microsoft Entra

  

  Learn how to monitor and alert on applications to identify security threats.

  
  Read More

Related rules

• Anomalous Token
• Anonymous IP Address
• App Granted Microsoft Permissions
• Application URI Configuration Changes
• End User Consent