Track "Add Application" Events Using Microsoft Graph PowerShell

Monitoring when new applications are added to your Microsoft 365 environment is crucial for maintaining security and compliance. Using Microsoft Graph PowerShell, you can easily query the audit logs for "Add application" events under the "ApplicationManagement" category. In this article, we will provide you with a ready-to-use script, explain how it works, suggest further enhancements, list common use cases, cover possible errors & solutions, and wrap up with a conclusion.


Script: Query "Add Application" Events

# Connect to Microsoft Graph
Connect-MgGraph -Scopes AuditLog.Read.All

# Define the filter
$filter = "activityDisplayName eq 'Add application' and category eq 'ApplicationManagement'"

# Fetch the audit logs
$logs = Get-MgAuditLogDirectoryAudit -All `
    -Filter $filter `
    -Property activityDateTime, activityDisplayName, initiatedBy, result, targetResources

# Parse and output the results
$logs | ForEach-Object {
    [PSCustomObject]@{
        "Added Time"               = $_.activityDateTime
        "Added Application"        = ($_.targetResources | Where-Object { $_.Type -eq 'Application' }).displayName
        "Added By (Initiator UPN)" = $_.initiatedBy.user.userPrincipalName
        "Result Status"            = $_.result
    }
} | Format-Table -AutoSize


How the Script Works

  1. Authentication: The script connects to Microsoft Graph with AuditLog.Read.All permissions to access audit logs.
  2. Filter Creation: It defines a filter that targets only events where:
    • activityDisplayName is "Add application"
    • category is "ApplicationManagement"
  3. Log Retrieval: It uses Get-MgAuditLogDirectoryAudit to fetch all matching audit logs while selecting relevant properties (activityDateTime, initiatedBy, result, targetResources).
  4. Data Parsing: For each event:
    • Added Time captures when the application was added.
    • Added Application identifies the application name.
    • Added By (Initiator UPN) pulls the User Principal Name of the person who added it.
    • Result Status indicates whether the operation was successful or failed.
  5. Display: The output is formatted neatly in a table for easy readability.

Further Enhancements

You can enhance this script by:

  1. Export to CSV: Add Export-Csv to store results for audit trails.
  2. Date Range Filtering: Extend the script to query only recent events (e.g., last 30 days).
  3. Automated Alerts: Integrate the script with an email notification system if a new application is added.
  4. Role-Based Filtering: Capture who is adding applications and whether they have the appropriate role permissions.
  5. Scheduled Execution: Set up a scheduled task to run this script periodically.

Use Cases

  • Security Monitoring: Detect unauthorized or unexpected application additions.
  • Compliance Audits: Maintain records of all application additions for compliance reporting.
  • Change Management: Track application onboarding activities for IT change management processes.
  • Forensics Investigation: Quickly trace who added a suspicious application during an incident.

Possible Errors & Solutions

  • Error: Insufficient privileges to complete the operation.
    Cause: Missing permissions.
    Solution: Ensure you connect with an account that has the AuditLog.Read.All permission.
  • Error: No audit records found.
    Cause: No "Add application" events in the queried timeframe, or a filter mismatch.
    Solution: Remove or adjust date filters if applied, and double-check the event activity name.
  • Error: Connect-MgGraph : Access token validation failure.
    Cause: Session expired or wrong tenant context.
    Solution: Reconnect using Connect-MgGraph and ensure the correct tenant is selected.
  • Error: Target resources array is empty.
    Cause: No valid target resource captured for the event.
    Solution: Add a check to handle empty target resources gracefully in the script.
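The script below is an added example (not code from the original article) that combines several of the enhancements listed earlier with the empty-target-resource check from the errors table: a last-N-days window in the OData filter, CSV export, and fallbacks for events with no Application target or no user initiator. The $Days and $OutFile parameters and the output path are assumptions; it expects the Microsoft.Graph.Reports module to be installed.

```powershell
# Added example: windowed query, CSV export, and graceful handling of incomplete events.
# $Days, $OutFile and the output path are assumed values, not from the original article.
param(
    [int]$Days = 30,
    [string]$OutFile = ".\AddApplicationEvents.csv"
)

Connect-MgGraph -Scopes AuditLog.Read.All -NoWelcome

# OData datetime literals are unquoted UTC ISO 8601; build the lower bound from $Days.
$since  = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "activityDisplayName eq 'Add application' and category eq 'ApplicationManagement' and activityDateTime ge $since"

$logs = Get-MgAuditLogDirectoryAudit -All -Filter $filter `
    -Property activityDateTime, activityDisplayName, initiatedBy, result, resultReason, targetResources

$rows = foreach ($e in $logs) {
    # An event may carry zero or several targets; take the Application entry if present.
    $app = @($e.TargetResources | Where-Object { $_.Type -eq 'Application' }) | Select-Object -First 1

    # Adds performed by a service principal have no User block; fall back to the app identity.
    $initiator = if ($e.InitiatedBy.User.UserPrincipalName) { $e.InitiatedBy.User.UserPrincipalName }
                 elseif ($e.InitiatedBy.App.DisplayName)     { "app:" + $e.InitiatedBy.App.DisplayName }
                 else                                        { '<unknown>' }

    [PSCustomObject]@{
        'Added Time (UTC)'  = $e.ActivityDateTime
        'Added Application' = if ($app) { $app.DisplayName } else { '<no application target>' }
        'Application Id'    = if ($app) { $app.Id } else { '' }
        'Added By'          = $initiator
        'Result Status'     = $e.Result
        'Result Reason'     = $e.ResultReason
    }
}

if (-not $rows) {
    Write-Warning "No 'Add application' events found in the last $Days days."
} else {
    $rows | Sort-Object 'Added Time (UTC)' -Descending |
        Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
    $rows | Format-Table -AutoSize
    Write-Host "Exported $($rows.Count) event(s) to $OutFile"
}
```

Run it on a schedule and diff successive CSV exports to surface new entries; a non-empty "Result Reason" on a failed add is often the first hint of a misconfigured or blocked registration.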

Conclusion

Keeping track of new applications added to your Microsoft 365 tenant is an essential part of proactive security management. This Microsoft Graph PowerShell script offers a simple yet effective way to query and display "Add application" events, making it easy to monitor and investigate new additions. With minor enhancements like CSV export and scheduling, this solution can be transformed into a robust part of your organization's auditing framework.

By regularly reviewing application additions, you can stay ahead of potential threats and maintain greater control over your cloud environment.

© m365corner.com. All Rights Reserved. Design by HTML Codex