Track "Update Application" Events Using Microsoft Graph PowerShell

Monitoring updates to applications in your Microsoft 365 environment is vital for ensuring that only authorized changes are made. With Microsoft Graph PowerShell, you can effectively query audit logs to track "Update application" events under the "ApplicationManagement" category.
In this article, we will provide a ready-to-use script, explain how it works, suggest further enhancements, highlight use cases, address possible errors and their solutions, and conclude with key takeaways.


Script: Query "Update Application" Events

# Connect to Microsoft Graph
Connect-MgGraph -Scopes AuditLog.Read.All

# Define the filter
$filter = "activityDisplayName eq 'Update application' and category eq 'ApplicationManagement'"

# Fetch the audit logs
$logs = Get-MgAuditLogDirectoryAudit -All `
    -Filter $filter `
    -Property activityDateTime, activityDisplayName, initiatedBy, result, targetResources

# Parse and output the results
$logs | ForEach-Object {
    [PSCustomObject]@{
        "Updated Time"               = $_.activityDateTime
        "Updated Application"        = ($_.targetResources | Where-Object { $_.Type -eq 'Application' }).displayName
        "Updated By (Initiator UPN)" = $_.initiatedBy.user.userPrincipalName
        "Result Status"              = $_.result
    }
} | Format-Table -AutoSize

How the Script Works

  1. Authentication: The script begins by connecting to Microsoft Graph with AuditLog.Read.All permissions.
  2. Filtering Events: It sets a filter to retrieve only audit log entries where:
    • activityDisplayName is "Update application"
    • category is "ApplicationManagement"
  3. Fetching Audit Logs: The script uses Get-MgAuditLogDirectoryAudit to pull all events matching the filter and selects only the properties it needs: activityDateTime, activityDisplayName, initiatedBy, result, and targetResources.
  4. Processing Results: For each audit log entry:
    • Updated Time records when the application was modified.
    • Updated Application identifies the application's display name.
    • Updated By (Initiator UPN) captures the user who performed the update.
    • Result Status shows whether the update was successful or failed.
  5. Output Display: The results are neatly presented in a table format in the PowerShell console.

Further Enhancements

  • Export Results to CSV: Save output to a CSV file for archiving and reporting.
  • Date Range Filtering: Query updates within a specific timeframe (e.g., last 7 days).
  • Scheduled Automation: Set up a scheduled task to run the script at regular intervals.
  • Email Alerts: Trigger notifications for updates made to critical applications.
  • Enhanced Error Handling: Add try-catch blocks for better resiliency during execution.

Use Cases

  • Security and Compliance: Identify unauthorized application modifications.
  • Audit Reporting: Maintain detailed records of application updates for regulatory compliance.
  • Change Management Oversight: Track changes to applications as part of IT change control processes.
  • Incident Investigation: Quickly determine who updated a specific application during a security review.

Possible Errors & Solutions

  • Error: Insufficient privileges to complete the operation.
    Cause: User account lacks necessary permissions.
    Solution: Ensure that AuditLog.Read.All permission is granted and consented.
  • Error: No audit records found.
    Cause: No matching events exist or timeframe too narrow.
    Solution: Broaden the search period or validate if updates occurred.
  • Error: Connect-MgGraph : Access token validation failure.
    Cause: Session timeout or incorrect context.
    Solution: Reconnect using Connect-MgGraph with correct parameters.
  • Error: Target resources array is empty.
    Cause: No associated application in event.
    Solution: Implement a fallback in script to handle missing targetResources.
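The following script is an added example written for this article, not the original script above or code from m365corner.com. It implements several of the enhancements listed earlier (date range filtering, CSV export, try-catch error handling, and a console alert for critical applications in place of an email) and adds the fallback for events whose targetResources contain no application entry, as suggested in the last row of the table. The parameter defaults ($DaysBack, $OutputPath, $CriticalApps) and the placeholder text for missing values are assumptions chosen for illustration; the cmdlets and property names are those of the Microsoft Graph PowerShell SDK used by the original script.

```powershell
# Added example (not part of the original article): extends the page's script with
# a date-range filter, a fallback for missing application targets, try/catch
# handling, a critical-application alert, and CSV export.
# Assumes the Microsoft.Graph.Reports module is installed. Parameter defaults are
# illustrative placeholders.
param(
    [int]$DaysBack = 7,
    [string]$OutputPath = ".\UpdateApplicationEvents.csv",
    [string[]]$CriticalApps = @()   # display names of apps you want flagged (placeholder: empty)
)

try {
    Connect-MgGraph -Scopes AuditLog.Read.All -NoWelcome -ErrorAction Stop
}
catch {
    Write-Error "Could not connect to Microsoft Graph: $($_.Exception.Message)"
    return
}

# Graph OData filters expect UTC timestamps in ISO 8601 form.
$since  = (Get-Date).ToUniversalTime().AddDays(-$DaysBack).ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "activityDisplayName eq 'Update application' and category eq 'ApplicationManagement' and activityDateTime ge $since"

try {
    $logs = Get-MgAuditLogDirectoryAudit -All -Filter $filter -ErrorAction Stop
}
catch {
    Write-Error "Audit log query failed: $($_.Exception.Message)"
    return
}

if (-not $logs) {
    Write-Warning "No 'Update application' events found in the last $DaysBack days."
    return
}

$report = foreach ($entry in $logs) {
    # Fallback: an entry may carry no target resource of type 'Application'.
    $app = $entry.TargetResources | Where-Object { $_.Type -eq 'Application' } | Select-Object -First 1
    $appName = if ($app -and $app.DisplayName) { $app.DisplayName }
               elseif ($app) { $app.Id }
               else { '<no application target>' }

    # Updates made by a service principal (automation) carry no user UPN;
    # fall back to the app identity so the actor is not lost.
    $initiator = if ($entry.InitiatedBy.User.UserPrincipalName) {
        $entry.InitiatedBy.User.UserPrincipalName
    } elseif ($entry.InitiatedBy.App.DisplayName) {
        "app: $($entry.InitiatedBy.App.DisplayName)"
    } else { '<unknown initiator>' }

    # modifiedProperties lists which attributes changed (old/new values are also available).
    $changed = ($app.ModifiedProperties | ForEach-Object { $_.DisplayName }) -join '; '

    [PSCustomObject]@{
        'Updated Time'        = $entry.ActivityDateTime
        'Updated Application' = $appName
        'Updated By'          = $initiator
        'Result Status'       = $entry.Result
        'Changed Properties'  = $changed
    }
}

# Flag changes to applications on the critical list (alerting hook; replace with
# your notification mechanism).
$hits = $report | Where-Object { $CriticalApps -contains $_.'Updated Application' }
foreach ($hit in $hits) {
    Write-Warning "Critical application '$($hit.'Updated Application')' updated by $($hit.'Updated By') at $($hit.'Updated Time')"
}

$report | Sort-Object 'Updated Time' -Descending | Format-Table -AutoSize
$report | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
Write-Host "Exported $(@($report).Count) events to $OutputPath"
```

Save it as, for example, Get-UpdateApplicationEvents.ps1 and run .\Get-UpdateApplicationEvents.ps1 -DaysBack 30 -CriticalApps 'HR Portal','Payroll Connector' to cover the last 30 days and flag those two applications. The Changed Properties column is what makes the export useful for an investigation: it tells you whether a credential, redirect URI, or required permission was what changed, rather than only that something changed.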

Conclusion

Keeping track of application updates is crucial for safeguarding your Microsoft 365 environment. This Microsoft Graph PowerShell script provides a streamlined and efficient way to monitor "Update application" events. By integrating enhancements like automated runs, CSV exports, and alerts, organizations can ensure continuous visibility into changes affecting their applications. Regular monitoring fosters better security practices, maintains compliance, and helps respond swiftly to incidents involving application modifications.


© m365corner.com. All Rights Reserved. Design by HTML Codex