Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Important
Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The OAuthAppInfo table in the advanced hunting schema contains information about Microsoft 365-connected OAuth applications in the organization that are registered with Microsoft Entra ID and available in the Microsoft Defender for Cloud Apps app governance capability.
The OAuthAppInfo table might not include all the app or service principal-related properties that are available on Entra ID. It also does not include data related to Microsoft first-party apps or apps without any OAuth consents. The coverage of the table is based on the existing scope of Microsoft 365-connected apps covered by app governance.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
| Column name | Data type | Description |
|---|---|---|
ReportId |
string |
Unique identifier for the record |
Timestamp |
string |
Date and time when the record was created |
OAuthAppId |
string |
The unique identifier for the app as assigned by Microsoft Entra ID |
ServicePrincipalId |
string |
The unique identifier for the service principal instance of the application in the tenant |
AppName |
string |
The application's display name as exposed by the associated service principal |
AddedOnTime |
datetime |
Date and time when the application was registered |
LastModifiedTime |
datetime |
Timestamp when the app was last modified |
AppStatus |
string |
Status of the app; can be: Enabled, DisabledByMicrosoft, DisabledByAppGovernancePolicy, DisabledByUser, Deleted (information for apps with Deleted status is only available for 30 days since the app was deleted) |
VerifiedPublisher |
dynamic |
Specifies details about the verified publisher of the application which this service principal represents. It includes information such as: DisplayName, VerifiedPublisherId, AddedDateTime |
PrivilegeLevel |
string |
The privilege level of the app based on the highest classified permission granted to the app |
Permissions |
dynamic |
Contains an array of permission objects; each permission object includes PermissionName, TargetAppId, TargetAppDisplayName, PermissionType, PrivilegeLevel, UsageStatus |
ConsentedUsersCount |
integer |
Count of users who have consented to the app; this information is only available when the app is not admin consented |
IsAdminConsented |
boolean |
Value is True if a user has provided admin consent to the app on behalf of all the users in the org, otherwise the value is False |
AppOrigin |
string |
Specifies whether the app is internal to the organization or registered in an external tenant |
LastUsedTime |
datetime |
Date and time when the app was last used |
AppOwnerTenantId |
string |
Specifies the ID of the tenant where the app was registered |
The OAuthAppInfo table updates information on an hourly basis to record any changes in metadata or insights for OAuth apps based on data from Defender for Cloud Apps app governance.
Additionally, to ensure that OAuthAppInfo table retains data for the covered apps, a complete snapshot of all OAuth apps is sent twice a month.
Related topics
- Proactively hunt for threats
- Learn the query language
- Understand the schema
- Apply query best practices
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.