Azure detection rules for the following changes to application credentials:
- Added credentials to existing applications
- Credentials with a lifetime longer than your policies allow.
- App assigned to Azure RBAC role, or Azure AD Role
- App granted highly privileged permissions, such as permissions with “.All”
- Administrator granting either application permissions (app roles) or highly privileged delegated permissions
- Application permissions (app roles) for other APIs are granted
- Highly privileged delegated permissions are granted on behalf of all users
- Key Vaults are accessed by an unauthorised user
- End-user consent to application
- End-user consent stopped due to risk-based consent
- Applications using the Device code flow
- Applications that are using the ROPC authentication flow
- Dangling URI
- Redirect URI configuration changes
- Changes to AppID URI
- Changes to application ownership
- Changes to log-out URL
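
One way to check the "credentials with a lifetime longer than your policies allow" item, shown as an added example that is not part of the original rule set. It assumes application objects shaped like Microsoft Graph `application` resources (`passwordCredentials` and `keyCredentials` with `startDateTime` and `endDateTime`) and a hypothetical policy limit of 180 days; the sample data is constructed.

```python
import re
from datetime import datetime, timedelta

# Assumption: policy caps credential lifetime at 180 days.
MAX_LIFETIME = timedelta(days=180)
_TS = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|[+-]\d\d:\d\d)")

def parse_graph_time(value):
    """Parse a Graph timestamp; trims 7-digit fractions, maps Z to UTC."""
    m = _TS.fullmatch(value)
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    base, frac, tz = m.groups()
    frac = (frac or "")[:6].ljust(6, "0")
    return datetime.fromisoformat(f"{base}.{frac}{'+00:00' if tz == 'Z' else tz}")

def long_lived_credentials(applications, max_lifetime=MAX_LIFETIME):
    """Return one finding per secret or certificate that outlives the policy."""
    findings = []
    for app in applications:
        for kind in ("passwordCredentials", "keyCredentials"):
            for cred in app.get(kind) or []:  # Graph may return null here
                lifetime = (parse_graph_time(cred["endDateTime"])
                            - parse_graph_time(cred["startDateTime"]))
                if lifetime > max_lifetime:
                    findings.append({"appId": app["appId"], "kind": kind,
                                     "keyId": cred["keyId"], "days": lifetime.days})
    return findings

# Constructed sample data, shaped like Graph application objects.
SAMPLE_APPS = [
    {"appId": "00000000-0000-0000-0000-00000000000a",
     "passwordCredentials": [{"keyId": "pw-short",
                              "startDateTime": "2024-01-01T00:00:00Z",
                              "endDateTime": "2024-03-31T00:00:00Z"}],
     "keyCredentials": [{"keyId": "cert-2y",
                         "startDateTime": "2024-01-01T00:00:00Z",
                         "endDateTime": "2026-01-01T00:00:00Z"}]},
    {"appId": "00000000-0000-0000-0000-00000000000b",
     "passwordCredentials": [{"keyId": "pw-long",
                              "startDateTime": "2023-01-01T00:00:00.1234567Z",
                              "endDateTime": "2099-12-31T00:00:00Z"}],
     "keyCredentials": None},
]

if __name__ == "__main__":
    for finding in long_lived_credentials(SAMPLE_APPS):
        print(finding)
```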