Rules Contributing to Microsoft Entra Application Configuration Changes Alert

The following rules are used to identify suspicious Microsoft Entra application configuration changes. Any one or more of these will trigger the Microsoft Entra Application Configuration Changes Alert. Details for each rule can be viewed by clicking the More Details link in the description.

| Title | Description |
| --- | --- |
| Application AppID Uri Configuration Changes | Detects when a configuration change is made to an application's AppID URI. |
| Added Credentials to Existing Application | Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could indicate a malicious actor using those credentials. |
| Added Owner to Application | Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application. |
| Azure Application Credential Modified | Identifies when an application credential is modified. |