|
| 1 | +--- |
| 2 | +title: OAuthAppInfo table in the advanced hunting schema |
| 3 | +description: Learn about the OAuthAppInfo table which contains information about Microsoft 365-connected OAuth applications registered with Microsoft Entra ID and available in the Defender for Cloud Apps app governance capability. |
| 4 | +search.appverid: met150 |
| 5 | +ms.service: defender-xdr |
| 6 | +ms.subservice: adv-hunting |
| 7 | +f1.keywords: |
| 8 | + - NOCSH |
| 9 | +ms.author: maccruz |
| 10 | +author: schmurky |
| 11 | +ms.localizationpriority: medium |
| 12 | +manager: dansimp |
| 13 | +audience: ITPro |
| 14 | +ms.collection: |
| 15 | +- m365-security |
| 16 | +- tier3 |
| 17 | +ms.custom: |
| 18 | +- cx-ti |
| 19 | +- cx-ah |
| 20 | +appliesto: |
| 21 | + - Microsoft Defender XDR |
| 22 | +ms.topic: reference |
| 23 | +ms.date: 04/01/2025 |
| 24 | +--- |
| 25 | + |
| 26 | +# OAuthAppInfo (Preview) |
| 27 | + |
| 28 | +[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] |
| 29 | + |
| 30 | +> [!IMPORTANT] |
| 31 | +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. |
| 32 | +
|
| 33 | +The `OAuthAppInfo` table in the advanced hunting schema contains information about Microsoft 365-connected OAuth applications in the organization that are registered with Microsoft Entra ID and available in the Microsoft Defender for Cloud Apps app governance capability. |
| 34 | + |
| 35 | +The `OAuthAppInfo` table might not include all the app or service principal-related properties that are available on Entra ID. It also does not include data related to Microsoft first-party apps or apps without any OAuth consents. The coverage of the table is based on the existing scope of Microsoft 365-connected apps covered by app governance. |
| 36 | + |
| 37 | + |
| 38 | +For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-schema-tables.md). |
| 39 | + |
| 40 | +| Column name | Data type | Description | |
| 41 | +|-------------|-----------|-------------| |
| 42 | +| `ReportId` | `string` | Unique identifier for the record| |
| 43 | +| `Timestamp` | `string` | Date and time when the record was created| |
| 44 | +| `OAuthAppId` | `string` | The unique identifier for the app as assigned by Microsoft Entra ID| |
| 45 | +| `ServicePrincipalId` | `string` | The unique identifier for the service principal instance of the application in the tenant| |
| 46 | +| `AppName` | `string` | The application's display name as exposed by the associated service principal| |
| 47 | +| `AddedOnTime` | `datetime` | Date and time when the application was registered| |
| 48 | +| `LastModifiedTime` | `datetime` | Timestamp when the app was last modified| |
| 49 | +| `AppStatus` | `string` | Status of the app; can be: Enabled, DisabledByMicrosoft, DisabledByAppGovernancePolicy, DisabledByUser, Deleted (information for apps with Deleted status is only available for 30 days since the app was deleted)| |
| 50 | +| `VerifiedPublisher` | `dynamic` | Specifies details about the verified publisher of the application which this service principal represents. It includes information such as: DisplayName, VerifiedPublisherId, AddedDateTime| |
| 51 | +| `PrivilegeLevel` | `string` | The privilege level of the app based on the highest classified permission granted to the app| |
| 52 | +| `Permissions` | `dynamic` | Contains an array of permission objects; each permission object includes PermissionName, TargetAppId, TargetAppDisplayName, PermissionType, PrivilegeLevel, UsageStatus| |
| 53 | +| `ConsentedUsersCount` | `integer` | Count of users who have consented to the app; this information is only available when the app is not admin consented| |
| 54 | +| `IsAdminConsented` | `boolean` | Value is True if a user has provided admin consent to the app on behalf of all the users in the org, otherwise the value is False| |
| 55 | +| `AppOrigin` | `string` | Specifies whether the app is internal to the organization or registered in an external tenant| |
| 56 | +| `LastUsedTime` | `datetime` | Date and time when the app was last used| |
| 57 | +| `AppOwnerTenantId` | `string` |Specifies the ID of the tenant where the app was registered| |
| 58 | + |
| 59 | + |
| 60 | +The `OAuthAppInfo` table updates information on an hourly basis to record any changes in metadata or insights for OAuth apps based on data from Defender for Cloud Apps app governance. |
| 61 | + |
| 62 | +Additionally, to ensure that `OAuthAppInfo` table retains data for the covered apps, a complete snapshot of all OAuth apps is sent twice a month. |
| 63 | + |
| 64 | + |
| 65 | + |
| 66 | + |
| 67 | +## Related topics |
| 68 | + |
| 69 | +- [Proactively hunt for threats](advanced-hunting-overview.md) |
| 70 | +- [Learn the query language](advanced-hunting-query-language.md) |
| 71 | +- [Understand the schema](advanced-hunting-schema-tables.md) |
| 72 | +- [Apply query best practices](advanced-hunting-best-practices.md) |
| 73 | + |
| 74 | + |
| 75 | +[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)] |
0 commit comments