Rules Contributing to Microsoft Entra Application Permission Changes Alert

The following rules are used to identify suspicious Microsoft Entra application permission changes. Any one or more of these will trigger the Microsoft Entra Application Permission Changes Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

App Granted Privileged Delegated or App Permissions

Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions

App Role Added

Detects when an app is assigned Microsoft Entra roles, such as global administrator, or Microsoft Entra RBAC roles, such as subscription owner.