{"CreationTime": "2023-09-05T21:05:31", "Id": "a11edcb0-a52f-4850-a6c4-e932c07d8f63", "Operation": "Add app role assignment to service principal.", "OrganizationId": "9c00a473-1b2c-4bc2-9215-84df3f57aee5", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@contoso.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "00000003-0000-0000-c000-000000000000;00000003-0000-0000-c000-000000000000/ags.windows.net;https://ags.windows.net;https://graph.microsoft.com;https://canary.graph.microsoft.com;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us;https://dod-graph.microsoft.us/;https://graph.microsoft.us/;https://canary.graph.microsoft.com/", "UserId": "attacker@contoso.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36\",\"AppId\":\"00000003-0000-0000-c000-000000000000\"}"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties": [{"Name": "AppRole.Id", "NewValue": "810c84a8-4a9e-49e6-bf7d-12d183f40d01", "OldValue": ""}, {"Name": "AppRole.Value", "NewValue": "Mail.Read", "OldValue": ""}, {"Name": "AppRole.DisplayName", "NewValue": "Read mail in all mailboxes", "OldValue": ""}, {"Name": "AppRoleAssignment.CreatedDateTime", "NewValue": "9/5/2023 9:05:30 PM", "OldValue": ""}, {"Name": "AppRoleAssignment.LastModifiedDateTime", "NewValue": "9/5/2023 9:05:30 PM", "OldValue": ""}, {"Name": "ServicePrincipal.ObjectID", "NewValue": "21ad62af-992e-4a9f-b6c1-67aa6c8a6eb4", "OldValue": ""}, {"Name": "ServicePrincipal.DisplayName", "NewValue": "TestApp2", "OldValue": ""}, {"Name": "ServicePrincipal.AppId", "NewValue": "95106c0e-3519-450e-8e38-7f326d873454", "OldValue": ""}, {"Name": "ServicePrincipal.Name", "NewValue": "95106c0e-3519-450e-8e38-7f326d873454", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "00000003-0000-0000-c000-000000000000;00000003-0000-0000-c000-000000000000/ags.windows.net;https://ags.windows.net;https://graph.microsoft.com;https://canary.graph.microsoft.com;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us;https://dod-graph.microsoft.us/;https://graph.microsoft.us/;https://canary.graph.microsoft.com/", "OldValue": ""}], "Actor": [{"ID": "attacker@contoso.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "9c00a473-1b2c-4bc2-9215-84df3f57aee5", "InterSystemsId": "e0fb6206-12db-4fdf-bf52-699b254124d3", "IntraSystemId": "897d35e6-e2dc-455e-ba65-e6d58adae01f", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_ce7199b4-8f52-46f3-b54b-4fd81de961e2", "Type": 2}, {"ID": "ce7199b4-8f52-46f3-b54b-4fd81de961e2", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "Microsoft Graph", "Type": 1}, {"ID": "00000003-0000-0000-c000-000000000000", "Type": 2}, {"ID": "00000003-0000-0000-c000-000000000000;00000003-0000-0000-c000-000000000000/ags.windows.net;https://ags.windows.net;https://graph.microsoft.com;https://canary.graph.microsoft.com;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us;https://dod-graph.microsoft.us/;https://graph.microsoft.us/;https://canary.graph.microsoft.com/", "Type": 4}], "TargetContextId": "9c00a473-1b2c-4bc2-9215-84df3f57aee5"}
{"CreationTime": "2023-09-05T21:05:31", "Id": "5363eaac-0b05-4d89-a713-1b903cd2008e", "Operation": "Add app role assignment to service principal.", "OrganizationId": "9c00a473-1b2c-4bc2-9215-84df3f57aee5", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@contoso.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "00000003-0000-0000-c000-000000000000;00000003-0000-0000-c000-000000000000/ags.windows.net;https://ags.windows.net;https://graph.microsoft.com;https://canary.graph.microsoft.com;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us;https://dod-graph.microsoft.us/;https://graph.microsoft.us/;https://canary.graph.microsoft.com/", "UserId": "attacker@contoso.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36\",\"AppId\":\"00000003-0000-0000-c000-000000000000\"}"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties": [{"Name": "AppRole.Id", "NewValue": "b633e1c5-b582-4048-a93e-9f11b44c7e96", "OldValue": ""}, {"Name": "AppRole.Value", "NewValue": "Mail.Send", "OldValue": ""}, {"Name": "AppRole.DisplayName", "NewValue": "Send mail as any user", "OldValue": ""}, {"Name": "AppRoleAssignment.CreatedDateTime", "NewValue": "9/5/2023 9:05:31 PM", "OldValue": ""}, {"Name": "AppRoleAssignment.LastModifiedDateTime", "NewValue": "9/5/2023 9:05:31 PM", "OldValue": ""}, {"Name": "ServicePrincipal.ObjectID", "NewValue": "21ad62af-992e-4a9f-b6c1-67aa6c8a6eb4", "OldValue": ""}, {"Name": "ServicePrincipal.DisplayName", "NewValue": "TestApp2", "OldValue": ""}, {"Name": "ServicePrincipal.AppId", "NewValue": "95106c0e-3519-450e-8e38-7f326d873454", "OldValue": ""}, {"Name": "ServicePrincipal.Name", "NewValue": "95106c0e-3519-450e-8e38-7f326d873454", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "00000003-0000-0000-c000-000000000000;00000003-0000-0000-c000-000000000000/ags.windows.net;https://ags.windows.net;https://graph.microsoft.com;https://canary.graph.microsoft.com;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us;https://dod-graph.microsoft.us/;https://graph.microsoft.us/;https://canary.graph.microsoft.com/", "OldValue": ""}], "Actor": [{"ID": "attacker@contoso.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "9c00a473-1b2c-4bc2-9215-84df3f57aee5", "InterSystemsId": "e0fb6206-12db-4fdf-bf52-699b254124d3", "IntraSystemId": "897d35e6-e2dc-455e-ba65-e6d58adae01f", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_ce7199b4-8f52-46f3-b54b-4fd81de961e2", "Type": 2}, {"ID": "ce7199b4-8f52-46f3-b54b-4fd81de961e2", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "Microsoft Graph", "Type": 1}, {"ID": "00000003-0000-0000-c000-000000000000", "Type": 2}, {"ID": "00000003-0000-0000-c000-000000000000;00000003-0000-0000-c000-000000000000/ags.windows.net;https://ags.windows.net;https://graph.microsoft.com;https://canary.graph.microsoft.com;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us;https://dod-graph.microsoft.us/;https://graph.microsoft.us/;https://canary.graph.microsoft.com/", "Type": 4}], "TargetContextId": "9c00a473-1b2c-4bc2-9215-84df3f57aee5"}
{"CreationTime": "2023-09-05T21:05:31", "Id": "691234d5-398d-4ea4-aa33-df0fb7b52bf6", "Operation": "Add app role assignment grant to user.", "OrganizationId": "9c00a473-1b2c-4bc2-9215-84df3f57aee5", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@contoso.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "95106c0e-3519-450e-8e38-7f326d873454", "UserId": "attacker@contoso.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36\",\"AppId\":\"95106c0e-3519-450e-8e38-7f326d873454\"}"}, {"Name": "extendedAuditEventCategory", "Value": "User"}], "ModifiedProperties": [{"Name": "AppRole.Id", "NewValue": "00000000-0000-0000-0000-000000000000", "OldValue": ""}, {"Name": "AppRole.Value", "NewValue": "", "OldValue": ""}, {"Name": "AppRole.DisplayName", "NewValue": "", "OldValue": ""}, {"Name": "AppRoleAssignment.CreatedDateTime", "NewValue": "9/5/2023 9:05:31 PM", "OldValue": ""}, {"Name": "AppRoleAssignment.LastModifiedDateTime", "NewValue": "9/5/2023 9:05:31 PM", "OldValue": ""}, {"Name": "User.ObjectID", "NewValue": "e4c722ac-3b83-478d-8f52-c388885dc30f", "OldValue": ""}, {"Name": "User.UPN", "NewValue": "attacker@contoso.onmicrosoft.com", "OldValue": ""}, {"Name": "User.PUID", "NewValue": "1003BFFD98415B4E", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "95106c0e-3519-450e-8e38-7f326d873454", "OldValue": ""}], "Actor": [{"ID": "attacker@contoso.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "9c00a473-1b2c-4bc2-9215-84df3f57aee5", "InterSystemsId": "e0fb6206-12db-4fdf-bf52-699b254124d3", "IntraSystemId": "897d35e6-e2dc-455e-ba65-e6d58adae01f", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_21ad62af-992e-4a9f-b6c1-67aa6c8a6eb4", "Type": 2}, {"ID": "21ad62af-992e-4a9f-b6c1-67aa6c8a6eb4", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "TestApp2", "Type": 1}, {"ID": "95106c0e-3519-450e-8e38-7f326d873454", "Type": 2}, {"ID": "95106c0e-3519-450e-8e38-7f326d873454", "Type": 4}], "TargetContextId": "9c00a473-1b2c-4bc2-9215-84df3f57aee5"}
{"CreationTime": "2023-09-05T21:05:31", "Id": "5822e126-1fbc-4269-9ad6-4c1879cdbcf3", "Operation": "Consent to application.", "OrganizationId": "9c00a473-1b2c-4bc2-9215-84df3f57aee5", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@contoso.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "95106c0e-3519-450e-8e38-7f326d873454", "UserId": "attacker@contoso.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36\",\"AppId\":\"95106c0e-3519-450e-8e38-7f326d873454\"}"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "NewValue": "True", "OldValue": ""}, {"Name": "ConsentContext.IsAppOnly", "NewValue": "False", "OldValue": ""}, {"Name": "ConsentContext.OnBehalfOfAll", "NewValue": "True", "OldValue": ""}, {"Name": "ConsentContext.Tags", "NewValue": "", "OldValue": ""}, {"Name": "ConsentAction.Permissions", "NewValue": "[] => [[Id: r2KtIS6Zn0q2wWeqbIputLSZcc5Sj_NGtUtP2B3pYeI, ClientId: 21ad62af-992e-4a9f-b6c1-67aa6c8a6eb4, PrincipalId: , ResourceId: ce7199b4-8f52-46f3-b54b-4fd81de961e2, ConsentType: AllPrincipals, Scope: User.Read, CreatedDateTime: , LastModifiedDateTime ]]; ", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "95106c0e-3519-450e-8e38-7f326d873454", "OldValue": ""}], "Actor": [{"ID": "attacker@contoso.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "9c00a473-1b2c-4bc2-9215-84df3f57aee5", "InterSystemsId": "e0fb6206-12db-4fdf-bf52-699b254124d3", "IntraSystemId": "897d35e6-e2dc-455e-ba65-e6d58adae01f", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_21ad62af-992e-4a9f-b6c1-67aa6c8a6eb4", "Type": 2}, {"ID": "21ad62af-992e-4a9f-b6c1-67aa6c8a6eb4", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "TestApp2", "Type": 1}, {"ID": "95106c0e-3519-450e-8e38-7f326d873454", "Type": 2}, {"ID": "95106c0e-3519-450e-8e38-7f326d873454", "Type": 4}], "TargetContextId": "9c00a473-1b2c-4bc2-9215-84df3f57aee5"}