defender-xdr/advanced-hunting-oauthappinfo-table.md
Lines changed: 6 additions & 5 deletions
@@ -19,8 +19,9 @@ ms.custom:
19
19
- cx-ah
20
20
appliesto:
21
21
- Microsoft Defender XDR
22
+
- Microsoft Sentinel in the Microsoft Defender portal
22
23
ms.topic: reference
23
-
ms.date: 04/01/2025
24
+
ms.date: 05/23/2025
24
25
---
25
26
26
27
# OAuthAppInfo (Preview)
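Review bot: The added `appliesto` entry for Microsoft Sentinel in the Microsoft Defender portal has no counterpart in the body text visible in this commit: the Prerequisites section still names only Microsoft Defender for Cloud Apps in Microsoft Defender XDR and app governance. Suggest adding a sentence that says whether the same prerequisites hold for readers who arrive through the new applicability tag, so they know why the table may be missing.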
@@ -32,13 +33,13 @@ ms.date: 04/01/2025
32
33
33
34
The `OAuthAppInfo` table in the advanced hunting schema contains information about Microsoft 365-connected OAuth applications in the organization that are registered with Microsoft Entra ID and available in the Microsoft Defender for Cloud Apps app governance capability.
34
35
35
-
The `OAuthAppInfo` table might not include all the app or service principal-related properties that are available on Entra ID. It also does not include data related to Microsoft first-party apps or apps without any OAuth consents. The coverage of the table is based on the existing scope of Microsoft 365-connected apps covered by app governance.
36
+
The `OAuthAppInfo` table might not include all the app or service principal-related properties that are available on Entra ID. It also doesn't include data related to Microsoft first-party apps or apps without any OAuth consents. The coverage of the table is based on the existing scope of Microsoft 365-connected apps covered by app governance.
36
37
37
-
## Prerequisities
38
+
## Prerequisites
38
39
39
40
This advanced hunting table is populated by app governance records from Microsoft Defender for Cloud Apps. To turn on app governance, follow the steps in [Turn on app governance](/defender-cloud-apps/app-governance-get-started).
40
41
41
-
If your organization hasn’t deployed Microsoft Defender for Cloud Apps in Microsoft Defender XDR or turned on app governance, queries that use the table aren’t going to work or return any results.
42
+
If your organization hasn’t deployed Microsoft Defender for Cloud Apps in Microsoft Defender XDR nor turned on app governance, you can't view the `OAuthAppInfo`table in advanced hunting.
42
43
43
44
44
45
## Schema
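Review bot: The rewritten prerequisite sentence has a missing space in "`OAuthAppInfo`table" and pairs "hasn’t" with "nor", which reads as a double negative; "or" is the right conjunction here. It also mixes a curly apostrophe in "hasn’t" with a straight one in "can't". Separately, the old wording told readers what happens to queries that use the table and the new wording only says the table can't be viewed; consider keeping a clause on query behavior, since that is what someone with a saved query or detection rule referencing `OAuthAppInfo` needs to know.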
@@ -57,7 +58,7 @@ For information on other tables in the advanced hunting schema, see [the advance
57
58
|`VerifiedPublisher`|`dynamic`| Specifies details about the verified publisher of the application which this service principal represents. It includes information such as: DisplayName, VerifiedPublisherId, AddedDateTime|
58
59
|`PrivilegeLevel`|`string`| The privilege level of the app based on the highest classified permission granted to the app|
59
60
|`Permissions`|`dynamic`| Contains an array of permission objects; each permission object includes PermissionName, TargetAppId, TargetAppDisplayName, PermissionType, PrivilegeLevel, UsageStatus|
60
-
|`ConsentedUsersCount`|`integer`| Count of users who have consented to the app; this information is only available when the app is not admin consented|
61
+
|`ConsentedUsersCount`|`integer`| Count of users who have consented to the app; this information is only available when the app isn't admin consented|
61
62
|`IsAdminConsented`|`boolean`| Value is True if a user has provided admin consent to the app on behalf of all the users in the org, otherwise the value is False|
62
63
|`AppOrigin`|`string`| Specifies whether the app is internal to the organization or registered in an external tenant|
63
64
|`LastUsedTime`|`datetime`| Date and time when the app was last used|
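Review bot: In the `ConsentedUsersCount` row the edit only swaps in the contraction, and the description still doesn't say what the column holds when the app is admin consented (empty, null, or 0). Suggest stating the value, because a query that filters or sums on `ConsentedUsersCount` alongside `IsAdminConsented` gives different results in each case.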