How can I investigate an unknown app appearing in my Entra sign-in logs?

Question

How can I investigate an unknown app appearing in my Entra sign-in logs?

Tilman Schmidt 60

While investigating suspicious sign-in events with Microsoft Sentinel in the SignInLogs table I came across a couple of successful sign-ins with AppDisplayName "Social27local" and AppId ba3cfa03-0eea-43d2-a2e7-e72d19d22f7e, all to the same username.

The user is not aware of an application by that name.

An Internet search for the name turned up zero results.

How can I find out more about that app, where it comes from, why it is allowed to access my tenant, whether it is malicious and the risks it might pose?

2 answers

Your answer

Answer 1

Marti Peig 965 Microsoft Employee

Hi Tilman,

You should be able to see who created that app by checking in the Entra ID Audit logs (https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Audit), filtering by Activity: Add Application.

Ref. https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs

Cheers

Tilman Schmidt 60 Reputation points

2024-12-03T11:57:10.9+00:00

Thanks. The audit log does show a few "Add application" entries but regrettably the mysterious Social27local app is not among them. Perhaps it was added more than 30 days ago. The audit log covers only 30 days.
Marti Peig 965 Reputation points Microsoft Employee

2024-12-03T13:13:18+00:00

That is indeed true. 30 days is the retention period for Entra ID Audit logs.

If you require a longer retention period, you can route the audit and sign-in activity data to an Azure storage account using Azure Monitor. This setup allows you to retain the data beyond the default seven days (Free) or thirty days (P1 or P2), accommodating your organization's specific compliance and monitoring needs. If you need more info you have it in Archive logs and reporting on entitlement management in Azure Monitor.

Answer 2

Andy David - MVP 153.9K MVP

Its not this? https://www.social27.com/

Tilman Schmidt 60 Reputation points

2024-12-03T12:04:34.3066667+00:00

Quite possibly. I'll try to get confirmation from the user that she has been using that app.
Tilman Schmidt 60 Reputation points

2024-12-03T12:06:32.69+00:00

Quite possibly. I'll try to get confirmation from the user that she has been using that app.
Andy David - MVP 153.9K Reputation points MVP

2024-12-03T12:06:36.9566667+00:00

It could be integrated into office or teams. I have never used it so not sure how its configured
Bandela Siri Chandana 1,875 Reputation points Microsoft External Staff

2024-12-05T10:17:42.85+00:00

Hi @Tilman Schmidt

Thank you for posting your query on Microsoft Q&A.

I understand that your application "Social27local" was created 30 days before. But 30 days is the retention period for Entra ID Audit logs.

So, you need to follow Archive logs and reporting on entitlement management in Azure Monitor. to get more information about the application.

Hope this helps. Do let us know if you have any further queries.

Thanks,

B. Siri Chandana.
Tilman Schmidt 60 Reputation points

2024-12-05T11:22:45.6166667+00:00

Hi @Bandela Siri Chandana ,

first of all, it's not "my" application. I just want to find out whose it is.

After reading the article you linked to, I get the impression that what it describes would have had to be done before the events, and it is too late for that approach now that the log retention period has already expired. Did I understand that correctly? If so, what are my options now?

Thanks,

Tilman
Marti Peig 965 Reputation points Microsoft Employee

2024-12-05T12:01:48.0733333+00:00

Hi Tilman,

After the 30-day log retention period for sign-ins and audit logs, the logs are automatically deleted and cannot be retrieved through the standard portal or APIs.

So, unless you implemented what Bandela and I suggested (Archive logs and reporting on entitlement management in Azure Monitor) -which I assume you have not-, or unless you have Microsoft Sentinel in place, or you are exporting the logs to some other sort of SIEM; you will not be able to get that information about the app registration.

I hope this clarifies your options.
Andy David - MVP 153.9K Reputation points MVP

2024-12-05T12:03:55.5333333+00:00

That doesnt change the fact that if its being used today and exists in your tenant, then you should be able to find it.
Marti Peig 965 Reputation points Microsoft Employee

2024-12-05T12:08:06.5566667+00:00

I was specifically referring to the "who created that app in the tenant" piece. Any activity related to the application can still be found in the activity logs.
Andy David - MVP 153.9K Reputation points MVP

2024-12-05T12:12:57.99+00:00

Understood, but that seems to be the focus here and I think the OP is trying to understand what this app is doing now :)
Tilman Schmidt 60 Reputation points

2024-12-05T12:22:14.4766667+00:00

Which brings me back to my original question: How can I find that app? Is there perhaps some sort of app catalog which I can search for the AppID?
Andy David - MVP 153.9K Reputation points MVP

2024-12-05T12:26:18.8433333+00:00

So you dont see it at all in your tenant? Not in Enterprise Apps or registered apps?

How about as an Office Add-in?

In the sign in logs for it,

what is listed as the Resource tenant ID and Home Tenant ID? Are both IDs your tenant?
Tilman Schmidt 60 Reputation points

2024-12-05T13:05:51.87+00:00
@Marti Peig I do have Microsoft Sentinel deployed but I do not see a registration event for the app:

search "Social27local" | distinct $table

yields just SigninLogs, BehaviourAnalytics and AADNonInteractiveSigninLogs.
Tilman Schmidt 60 Reputation points

2024-12-05T14:29:15.4933333+00:00

@Andy David I could not find the AppID in Enterprise applications nor in App registrations.

Of the various tenant IDs in the sign in log, AADTenantId and HomeTenantId show my own tenant ID, but TenantId and ResourceTenantId are different from my tenant and from each other.
Andy David - MVP 153.9K Reputation points MVP

2024-12-05T14:38:32.7666667+00:00

Ok, then the app lives in another Tenant and not yours then it sounds like and your user is perhaps a guest in those other tenants. That would indicate they accessed at it one time as a guest and they consented the app so they could use it.
Tilman Schmidt 60 Reputation points

2024-12-05T15:10:29.76+00:00

Ok, thanks. But we have set "User consent for applications" to "Do not allow user consent". Shouldn't that prevent that kind of action?
Andy David - MVP 153.9K Reputation points MVP

2024-12-05T15:15:00.3766667+00:00

Yea but the consent in this scenario would be against the other tenant
Tilman Schmidt 60 Reputation points

2024-12-06T11:04:09.4666667+00:00

I see. So the app is just using my tenant as an identity provider. It doesn't actually have access to any of my resources. I guess I can stop worrying about what that app is or does.

Share via

How can I investigate an unknown app appearing in my Entra sign-in logs?

2 answers

Your answer