This resource will be periodically updated as new findings occur.
Last Updated: 27/01/2026.
Malicious OAUTH Applications
| Application Name | Application ID | Comments |
|---|---|---|
| PERFECTDATA SOFTWARE | ff8d92dc-3d82-41d6-bcbd-b9174d163620 | Backup/Export mailboxes. UAL does not show items synced. UPDATE: It now shows items synced. Identified by MailItemsAccessed events. (Search App ID) |
| eM Client | e9a7fea1-1cc0-4cd9-a31b-9137ca5deedd | Email client with full synchronisation capabilities. UAL typically shows items synced identified by ‘MailItemsAccessed’ events. (Search App ID) |
| Mail_Backup | 2ef68ccc-8a4d-42ff-ae88-2d7bb89ad139 | Updated version of PERFECTDATA SOFTWARE. See that row for additional information. |
| Edison Mail | 62db40a4-2c7e-4373-a609-eda138798962 | Email client with full synchronisation capabilities. UAL typically shows items synced identified by ‘MailItemsAccessed’ events. |
| Newsletter Software Supermailer | a245e8c0-b53c-4b67-9b45-751d1dff8e6b | Bulk email sending software. |
| Rclone | 4761b959-9780-4c2d-87a3-512b4638f767 | Manage files within M365. |
| CloudSponge | a43e5392-f48b-46a4-a0f1-098b5eeb4757 | Address book exfiltration |
| Zoominfo Login | 858d7e42-35f0-44b7-9033-df309239a47f | Address book exfiltration |
| ZoomInfo Communitiez Login | 497ac034-5120-4c1a-929a-0351f5c09918 | Address book exfiltration |
| SigParser | caffae8c-0882-4c81-9a27-d1803af53a40 | Address book exfiltration |
| Fastmail | 77468577-4f6e-40e7-b745-11d3d0c28095 | Mailbox exfiltration/persistence |
| PostBox | 179d5108-412b-4c95-8e34-06786784ab39 | Email client with full synchronisation capabilities. |
| Spike | 946c777c-bc85-489e-b034-392389ae23d6 | Mailbox exfiltration/persistence |
Suspicious Microsoft 365 Applications (During BEC Investigations)
NOTE: The below are not representative of a malicious appliaction, and just indicate the activities in the comments column.
| Application Name | Application ID | Comments |
|---|---|---|
| My Profile | 8c59ead7-d703-4a27-9e55-c96a0054c8d2 | Initial application before modifying MFA configuration. (To navigate to My Signins) |
| My Signins | 19db86c3-b2b9-44cc-b339-36da233a3be2 | Modifying MFA configuration |
| Microsoft Account Controls V2 | 7eadcef8-456d-4611-9480-4fff72b8b9e2 | Modifying MFA configuration |
| Microsoft Edge | ecd6b820-32c2-49b6-98a6-444530e5a77a f44b1140-bc5e-48c6-8dc0-5cf5a53c0e34 e9c51622-460d-4d3d-952d-966a5b1da34c | Synchronizing Saved Passwords in Microsoft Wallet |
| Microsoft Outlook | 5d661950-3475-41cd-a2c3-d671a3162bc1 | Mailbox exfiltration (if used by an attacker) |
| Outlook Lite | e9b154d0-7658-433b-bb25-6b8e0a8a7c59 | Mailbox exfiltration (if used by an attacker) |
| Outlook Mobile | 27922004-5251-4030-b22d-91ecd9a37ea4 | Mailbox exfiltration (if used by an attacker) |
Other Microsoft 365 Applications
| Application Name | Application ID | Comments |
|---|---|---|
| AADJ CSP | b90d5b8f-5503-4153-b545-b31cecfaece2 | |
| AADPasswordProtectionProxy | dda27c27-f274-469f-8005-cce10f270009 | |
| Aadrm Admin PowerShell | 90f610bf-206d-4950-b61d-37fa6fd1b224 | |
| Accounts Control UI | a40d7d7d-59aa-447e-a655-679a4107e548 | |
| ACOM Azure Website | 23523755-3a2b-41ca-9315-f81f3f566a95 | |
| ADIbizaUX | 74658136-14ec-4630-ad9b-26e160ff0fc6 | |
| AEM-DualAuth | 69893ee3-dd10-4b1c-832d-4870354be3d8 | |
| Afdx Resource Provider | 92b61450-2139-4e4a-a0cc-898eced7a779 | |
| AI Builder Prod Non God Mode | be5f0473-6b57-40f8-b0a9-b3054b41b99e | |
| App Protection | c6e44401-4d0a-4542-ab22-ecd4c90d28d7 | |
| App Service | 7ab7862c-4c57-491e-8a45-d52a7e023983 | |
| Arc Public Cloud – Networking | 9449a792-6831-40e2-9097-29dbc6dd4753 | |
| Arc Public Cloud – Servers | aacceff9-8ec3-413c-83eb-cb131aaf55c6 | |
| Arc Token Service | d00b5d58-cae5-42ad-ae0a-5a2e6f7ee6c9 | |
| ASM Campaign Servicing | 0cb7b9ec-5336-483b-bc31-b15b5788de71 | |
| AssistAPI | 2b8844d8-6c87-4fce-97a0-fbec9006e140 | |
| Audit Search Api Service | e158eb19-34ac-4d1b-a930-ec92172f7a97 | |
| Azure Active Directory PowerShell | 1b730954-1685-4b74-9bfd-dac224a7b894 | |
| Azure Advanced Threat Protection | 7b7531ad-5926-4f2d-8a1d-38495ad33e17 | |
| Azure Arc Data Services | bb55177b-a7d9-4939-a257-8ab53a3b2bc6 | |
| Azure Arc Data Services Billing | a12e8ccb-0fcd-46f8-b6a1-b9df7a9d7231 | |
| Azure Data Explorer | 2746ea77-4702-4b45-80ca-3c97e680e8b7 | |
| Azure Data Lake | e9f49c6b-5ce5-44c8-925d-015017e9f7ad | |
| Azure Diagnostics Resource Provider | fd225045-a727-45dc-8caa-77c8eb1b9521 | |
| Azure Guest Container Update Manager | c8f5141d-83e0-4e9a-84d0-bb6677e26f64 | |
| Azure Lab Services Portal | 835b2a73-6e10-4aa5-a979-21dfda45231c | |
| Azure Portal | c44b4083-3bb0-49c1-b47d-974e53cbdf3c | |
| Azure Purview | 73c2949e-da2d-457a-9607-fcc665198967 | |
| Azure Security Insights | 98785600-1bb7-4fb9-b9fa-19afe2c8a360 | |
| Azure SQL Database | 022907d3-0f1b-48f7-badc-1ba6abab6d66 | |
| AzureSupportCenter | 37182072-3c9c-4f6a-a4b3-b3f91cacffce | |
| AzureUpdateCenter | 8c420feb-03df-47cc-8a05-55df0cf3064b | |
| Bing | 9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7 | |
| Business Central to Common Data Service | 88c57617-94ff-4043-a396-8a85a8d38922 | |
| CAP Package Deployer Service | 4c9fc70a-8d18-4528-9113-c6f1318c4d89 | |
| CMAT | 64a7b174-5779-4506-b54c-fbb0d80f1c9b | |
| console-m365d | f18b59c9-5926-4a65-8605-c23ec8c7e074 | |
| Consumption Billing | 12ff570a-8284-47ed-adb3-fcc72b594c36 | |
| ContactsInferencingEmailProcessor | 20a11fe0-faa8-4df5-baf2-f965f8f9972e | |
| CPIM Service | bb2a2e3a-c5e7-4f0a-88e0-8e01fd3fc1f4 | |
| CRM Power BI Integration | e64aa8bc-8eb4-40e2-898b-cf261a25954f | |
| Customer Experience Platform CDPA Provisioning PROD | e3cf99e1-a6e5-4284-9f92-261c7713bc54 | |
| Customer Experience Platform CDPA Provisioning TIP | f5223e1a-4d50-4fda-9049-55d819fbb03e | |
| Customer Service Trial PVA | 944861d3-5975-4f8b-afd4-3422c0b1b6ce | |
| Customer Service Trial PVA – readonly | 6abc93dc-978e-48a3-8e54-458e593ed8cf | |
| Dataverse | 00000007-0000-0000-c000-000000000000 | |
| Dataverse Resource Provider | d6101214-691f-47d0-8ea3-dca752e62d71 | |
| Defender for IoT – Management | 3157152d-b5ae-4606-a145-6c660069bc5e | |
| Device Management Client | de50c81f-5f80-4771-b66b-cebd28ccdfc1 | |
| Dynamics 365 collaboration with Microsoft Teams | a8adde6c-aeb4-4fd6-9d8f-c2dfdecac60a | |
| Dynamics 365 Customer Insights – Consent | 9e3b502c-b4a1-441d-98fd-28e482bf7e88 | |
| Dynamics 365 Universal Resource Scheduling | b2b4502c-fedd-4748-8828-09e1eae11d6a | |
| EASM API | b7faa489-a4c8-4b39-bb0c-842c3de2de6a | |
| easmApiDev | 9a751391-6e9f-4199-ad8d-360712a1285c | |
| Enterprise Roaming and Backup | 60c8bde5-3167-4f92-8fdb-059f6176dc0f | |
| EOP Admin API Web Service | 10214c11-ebd3-44e8-af2f-ebcb8a79c569 | |
| Event Hub MSI App | 6201d19e-14fb-4472-a2d6-5634a5c97568 | |
| EventGrid Data API | 823c0a78-5de0-4445-a7f5-c2f42d7dc89b | |
| Exchange Admin Center | 497effe9-df71-4043-a8bb-14cf78c4b63b | |
| Exchange Online | fe93bfe1-7947-460a-a5e0-7a5906b51360 | |
| Exchange Online | a3883eba-fbe9-48bd-9ed3-dca3e0e84250 | |
| Exchange Online | aa813f0e-407a-459d-93af-805f2bf10f33 | |
| Exchange Online | d396de1f-10d4-4023-aae2-5bb3d724ba9a | |
| Exchange Online | 82d8ab62-be52-a567-14ea-1616c4ee06c4 | |
| Exchange Online | 34421fbe-f100-4e5b-9c46-2fea25aa7b88 | |
| Exchange Online | 1150aefc-07de-4228-b2b2-042a536703c0 | |
| FindTime | f5eaa862-7f08-448c-9c4e-f4047d4d4521 | |
| FindTime | 9758a0e2-7861-440f-b467-1823144e5b65 | |
| Focused Inbox | b669c6ea-1adf-453f-b8bc-6d526592b419 | |
| FrontendTransport | b24835c0-6b13-41e7-822c-94c9effb98ee | |
| Funnel and Engagement Data Service | 707aa1ac-be0a-478d-9ce7-0d2765a5c1d6 | |
| Gatekeeper PPE App | 5a8800f2-f31d-4654-9bed-f5b368c703f8 | |
| Gatekeeper Prod App | 5bab4c7f-51c3-479b-a199-06b31afecc8f | |
| Grade Sync | 75cba773-c367-4ba4-8d4f-65f91b68c384 | |
| Group Configuration Processor | 1690c5aa-925a-4d0e-836b-722c795bd0d0 | |
| GroupsRemoteApiRestClient | c35cb2ba-f88b-4d15-aa9d-37bd443522e1 | |
| HxService | d9b8ec3a-1e4e-4e08-b3c2-5baf00c0fcb0 | |
| Hybrid Connectivity RP | e18cedde-9458-482f-9dd1-558c597ac42e | |
| Hybrid RP Application | d2a590e7-6906-4a45-8f41-cecfdca9bca1 | |
| IAM Supportability | a57aca87-cbc0-4f3c-8b9e-dc095fdc8978 | |
| IC3 Modern Effective Config | f6e5c0c2-4746-4152-b162-91309d5556df | |
| IC3 Modern Effective Config Worker | 481115cb-6d15-4cc0-8caf-f2fee7bfbd2b | |
| Intune DeviceCheckIn ConfidentialClient | 4c1a3aed-b389-4824-99b0-514c07906851 | |
| Intune Remote Help | 7e9f2fca-0cd8-4a6c-a1a0-7ffe48aec7c6 | |
| IpLicensingService | 189cf920-d3d8-4133-9145-23adcc6824fa | |
| Iris Provider EOP Web Service | 61c28d8b-814f-4a57-9c7f-8cd0580aead2 | |
| IrisSelectionFrontDoor | 16aeb910-ce68-41d1-9ac3-9e1673ac9575 | |
| K8 Bridge | 319f651f-7ddb-4fc6-9857-7aef9250bd05 | |
| M365 Compliance Drive | cedebc57-38a2-4f0a-8472-dfcbba5b04c6 | |
| M365 Compliance Drive Client | be1918be-3fe3-4be9-b32b-b542fc27f02e | |
| M365 Lighthouse API | 4eaa7769-3cf1-458c-a693-e9827e39cc95 | |
| M365 Lighthouse Service | d9d5c99e-b0b4-4bad-92cc-5a6eb5421985 | |
| make.powerapps.com | a8f7a65c-f5ba-4859-b2d6-df772c264e9d | |
| Managed Service | 66c6d0d1-f2e7-4a18-97a9-ed10f3347016 | |
| MAPG | cc46c2aa-d508-409b-aeb7-df7cd1e07aaa | |
| Marketplace Api | f738ef14-47dc-4564-b53b-45069484ccc7 | |
| Marketplace SaaS v2 | 5b712e99-51a3-41ce-86ff-046e0081c5c0 | |
| MarketplaceAPI ISV | 20e940b3-4c77-4b0b-9a53-9e16a1b010a7 | |
| MCAPI Authorization Prod | d73f4b35-55c9-48c7-8b10-651f6f2acb2e | |
| Medeina Service | bb3d68c2-d09e-4455-94a0-e323996dbaa3 | |
| Medeina Service Dev | 826870f9-9fbb-4f23-81b8-3a957080dfa2 | |
| Medeina Service PPE | c4de86e3-e322-4889-a781-968c76b6b325 | |
| Media Analysis and Transformation Service | 944f0bd1-117b-4b1c-af26-804ed95e767e | |
| Media Analysis and Transformation Service | 0cd196ee-71bf-4fd6-a57c-b491ffd4fb1e | |
| Media Recording for Dynamics 365 Sales | f448d7e5-e313-4f90-a3eb-5dbb3277e4b3 | |
| Meeting Migration Service | 82f45fb0-18b4-4d68-8bed-9e44909e3890 | |
| Membership View Service | f7a2a81e-ab33-4560-a3dd-6ddca3c5ec6d | |
| Message Header Analyzer | 62916641-fc48-44ae-a2a3-163811f1c945 | |
| Message Recall | 0e90d0b8-039a-4936-a6f4-d25dd510be5d | |
| Messaging Bot API Application for GCC | c9475445-9789-4fef-9ec5-cde4a9bcd446 | |
| Microsfot Intune Company Portal | 9ba1a5c7-f17a-4de9-a1f1-6178c8d51223 | |
| Microsoft 365 Security and Compliance Center | 80ccca67-54bd-44ab-8625-4b79c4dc7775 | |
| Microsoft 365 Support Service | ee272b19-4411-433f-8f28-5c13cb6fd407 | |
| Microsoft 365 Ticketing | 510a5356-1745-4855-93a5-113ea589fb26 | |
| Microsoft Account Controls V2 | 7eadcef8-456d-4611-9480-4fff72b8b9e2 | |
| Microsoft Activity Feed Service | d32c68ad-72d2-4acb-a0c7-46bb2cf93873 | |
| Microsoft Alchemy Service | 91ad134d-5284-4adc-a896-d7fd24e9fa15 | |
| Microsoft App Access Panel | 0000000c-0000-0000-c000-000000000000 | |
| Microsoft Application Command Service | 6f7e0f60-9401-4f5b-98e2-cf15bd5fd5e3 | |
| Microsoft Approval Management | 65d91a3d-ab74-42e6-8a2f-0add61688c74 | |
| Microsoft Approval Management | 38049638-cc2c-4cde-abe4-4479d721ed44 | |
| Microsoft Authentication Broker | 29d9ed98-a469-4536-ade2-f981bc1d605e | |
| Microsoft Authenticator App | 4813382a-8fa7-425e-ab75-3b753aab3abb | |
| Microsoft Authenticator App | 4813382a-8fa7-425e-ab75-3b753aab3abb | |
| Microsoft Azure Active Directory Connect | cb1056e2-e479-49de-ae31-7812af012ed8 | |
| Microsoft Azure Authorization Private Link Provider | de926fbf-e23b-41f9-ae15-c943a9cfa630 | |
| Microsoft Azure Authorization Resource Provider | 1dcb1bc7-c721-498e-b2fa-bcddcea44171 | |
| Microsoft Azure CLI | 04b07795-8ddb-461a-bbee-02f9e1bf7b46 | |
| Microsoft Azure PowerShell | 1950a258-227b-4e31-a9cf-717495945fc2 | |
| Microsoft Bing Default Search Engine | 1786c5ed-9644-47b2-8aa0-7201292175b6 | |
| Microsoft Bing Search | cf36b471-5b44-428c-9ce7-313bf84528de | |
| Microsoft Bing Search for Microsoft Edge | 2d7f3606-b07d-41d1-b9d2-0d0c9296a6e8 | |
| Microsoft Command Service | 19686ca6-5324-4571-a231-77e026b0e06f | |
| Microsoft Community v2 | a81d90ac-aa75-4cf8-b14c-58bf348528fe | |
| Microsoft Defender for Cloud Apps | 3090ab82-f1c1-4cdf-af2c-5d7a6f3e2cc7 | |
| Microsoft Defender for Cloud Apps – Session Controls | 8a0c2593-9cbc-4f86-a247-beb7aab00d83 | |
| Microsoft Defender for Identity (formerly Radius Aad Syncer) | 60ca1954-583c-4d1f-86de-39d835f3e452 | |
| Microsoft Docs | 18fbca16-2224-45f6-85b0-f7bf2b39b3f3 | |
| Microsoft Dynamics 365 Supply Chain Visibility | d6037e40-282c-493d-8f63-f255e36c6ef4 | |
| Microsoft Dynamics ERP | 00000015-0000-0000-c000-000000000000 | |
| Microsoft Dynamics ERP Microservices CDS | 703e2651-d3fc-48f5-942c-74274233dba8 | |
| Microsoft Edge Enterprise New Tab Page | d7b530a4-7680-4c23-a8bf-c52c121d2e87 | |
| Microsoft Edge Insider Addons Prod | 6253bca8-faf2-4587-8f2f-b056d80998a7 | |
| Microsoft Entra AD Synchronization Service | 6bf85cfa-ac8a-4be5-b5de-425a0d0dc016 | |
| Microsoft Exchange ForwardSync | 99b904fd-a1fe-455c-b86c-2f9fb1da7687 | |
| Microsoft Exchange Online Protection | 00000007-0000-0ff1-ce00-000000000000 | |
| Microsoft Exchange Online Remote PowerShell | a0c73c16-a7e3-4564-9a95-2bdf47383716 | |
| Microsoft Exchange ProtectedServiceHost | 51be292c-a17e-4f17-9a7e-4b661fb16dd2 | |
| Microsoft Exchange REST API Based Powershell | fb78d390-0c51-40cd-8e17-fdbfab77341b | |
| Microsoft Exchange Web Services | 47629505-c2b6-4a80-adb1-9b3a3d233b7b | |
| Microsoft Flow Mobile PROD-GCCH-CN | 57fcbcfa-7cee-4eb1-8b25-12d2030b4ee0 | |
| Microsoft Forms | c9a559d2-7aab-4f13-a6ed-e7e9c52aec87 | |
| Microsoft Graph | 00000003-0000-0000-c000-000000000000 | |
| Microsoft Intune Company Portal | 9ba1a5c7-f17a-4de9-a1f1-6178c8d51223 | |
| Microsoft Intune Web Company Portal | 74bcdadc-2fdc-4bb3-8459-76d06952a0e9 | |
| Microsoft Intune Windows Agent | fc0f3af4-6835-4174-b806-f7db311fd2f3 | |
| Microsoft Office | d3590ed6-52b3-4102-aeff-aad2292ab01c | |
| Microsoft Office 365 Portal | 00000006-0000-0ff1-ce00-000000000000 | |
| Microsoft Office Web Apps Service | 67e3df25-268a-4324-a550-0de1c7f97287 | |
| Microsoft Online Syndication Partner Portal | d176f6e7-38e5-40c9-8a78-3998aab820e7 | |
| Microsoft password reset service | 93625bc8-bfe2-437a-97e0-3d0060024faa | |
| Microsoft Planner | 66375f6b-983f-4c2c-9701-d680650f588f | |
| Microsoft Power BI | 871c010f-5e61-4fb1-83ac-98610a7e9110 | |
| Microsoft Power BI | c0d2a505-13b8-4ae0-aa9e-cddd5eab0b12 | |
| Microsoft Power Query for Excel | a672d62c-fc7b-4e81-a576-e60dc46e951d | |
| Microsoft Purview Platform | fd642066-7bfc-4b65-9463-6a08841c12f0 | |
| Microsoft SharePoint Online Management Shell | 9bc3ab49-b65d-410a-85ad-de819febfddc | |
| Microsoft Storefronts | 28b567f6-162c-4f54-99a0-6887f387bbcc | |
| Microsoft Stream Mobile Native | 844cca35-0656-46ce-b636-13f48b0eecbd | |
| Microsoft Stream Portal | cf53fce8-def6-4aeb-8d30-b158e7b1cf83 | |
| Microsoft Substrate Management | 98db8bd6-0cc0-4e67-9de5-f187f1cd1b41 | |
| Microsoft Support | fdf9885b-dd37-42bf-82e5-c3129ef5a302 | |
| Microsoft Support Diagnostics | 5b534afd-fdc0-4b38-a77f-af25442e3149 | |
| Microsoft Teams | 1fec8e78-bce4-4aaf-ab1b-5451cc387264 | Assume attacker has access to all teams messages |
| Microsoft Teams – Device Admin Agent | 87749df4-7ccf-48f8-aa87-704bad0e0e16 | |
| Microsoft Teams Admin Gateway Service | 78462efa-e271-409c-a90b-ce3fbd93538a | |
| Microsoft Teams Admin Portal Service | 2ddfbe71-ed12-4123-b99b-d5fc8a062a79 | |
| Microsoft Teams Copilot Bot | 8e55a7b1-6766-4f0a-8610-ecacfe3d569a | |
| Microsoft Teams IP Policy Service | 1303f293-64bd-48ba-89b0-6bf538bc67f3 | |
| Microsoft Teams Services | cc15fd57-2c6c-4117-a88c-83b1d56b4bbe | |
| Microsoft Teams Web Client | 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 | |
| Microsoft To-Do client | 22098786-6e16-43cc-a27d-191a01a1e3b5 | |
| Microsoft Tunnel | eb539595-3fe1-474e-9c1d-feb3625d1be5 | |
| Microsoft Whiteboard Client | 57336123-6e14-4acc-8dcf-287b6088aa28 | |
| Microsoft Whiteboard Services | 95de633a-083e-42f5-b444-a4295d8e9314 | |
| Microsoft.Azure.DomainRegistration | ea2f600a-4980-45b7-89bf-d34da487bda1 | |
| Microsoft.ConnectedVMwarevSphere Resource Provider | ac9dc5fe-b644-4832-9d03-d9f1ab70c5f7 | |
| Microsoft.EventGrid | 4962773b-9cdb-44cf-a8bf-237846a00ab7 | |
| Microsoft.EventHubs | 80369ed6-5f11-4dd9-bef3-692475845e77 | |
| Microsoft.HybridCompute Agent Service | eec53b1f-b9a4-4479-acf5-6b247c6a49f2 | |
| MicrosoftAzureActiveAuthn | 0000001a-0000-0000-c000-000000000000 | |
| Mimir | aaf3f152-fe17-487b-b671-44d3f7bad293 | |
| MIP Exchange Solutions – ODB | 8adc51cc-7477-49a4-be4e-263946b4d561 | |
| MIP Exchange Solutions – SPO | 192644fe-6aac-4786-8d93-775a056aa1de | |
| MIP Exchange Solutions – Teams | 2c220739-d44d-4bf7-ba5f-95cf9fb7f10c | |
| MM_Reactions_PME_PROD | e8e8fc40-94d5-4ed6-89f2-9e5ec6c1e11e | |
| Modern Support Connector | 75861f5e-a448-49d7-9c99-6b59bc88c6dc | |
| Modern Workplace Customer APIs | c9d36ed4-91b3-4c87-b8d7-68d92826c96c | |
| MS-CE-CXG-MAC-AadShadowRoleWriter | 2f5afa01-cdcb-4707-a62a-0803cc994c60 | |
| MTS | 6682cfa5-2710-44c9-adb8-5ac9d76e394a | |
| O365 SkypeSpaces Ingestion Service | dfe74da8-9279-44ec-8fb2-2aed9e1c73d0 | |
| O365 Suite UX | 4345a7b9-9a63-4910-a426-35363201d503 | |
| Office 365 | 72782ba9-4490-4f03-8d82-562370ea3566 | |
| Office 365 Client Insights Substrate Services Prod | c94526fa-9f4b-4d30-99f5-849636e4552f | |
| Office 365 Exchange Online | 00000002-0000-0ff1-ce00-000000000000 | |
| Office 365 Management | 00b41c95-dab0-4487-9791-b9d2c32c80f2 | |
| Office 365 Search Service | 66a88757-258c-4c72-893c-3e8bed4d6899 | |
| Office 365 SharePoint Online | 00000003-0000-0ff1-ce00-000000000000 | |
| Office Delve | 94c63fef-13a3-47bc-8074-75af8c65887a | |
| Office Online Add-in SSO | 93d53678-613d-4013-afc1-62e9e444a0a5 | |
| Office Online Augmentation Loop SSO | 2abdc806-e091-4495-9b10-b04d93c3f040 | |
| Office Online Client Microsoft Entra ID- Augmentation Loop | 2abdc806-e091-4495-9b10-b04d93c3f040 | |
| Office Online Client Microsoft Entra ID- Loki | b23dd4db-9142-4734-867f-3577f640ad0c | |
| Office Online Client Microsoft Entra ID- Maker | 17d5e35f-655b-4fb0-8ae6-86356e9a49f5 | |
| Office Online Client MSA- Loki | b6e69c34-5f1f-4c34-8cdf-7fea120b8670 | |
| Office Online Core SSO | 243c63a3-247d-41c5-9d83-7788c43f1c43 | |
| Office Online Loki SSO | b23dd4db-9142-4734-867f-3577f640ad0c | |
| Office Online Maker SSO | 17d5e35f-655b-4fb0-8ae6-86356e9a49f5 | |
| Office Online OWLNest | d7d7af51-cdcd-4a4c-9467-86e7dc5d2b90 | |
| Office Online Print SSO | 3ce44149-e365-40e4-9bb4-8c0ecb710fe6 | |
| Office Online Search | a9b49b65-0a12-430b-9540-c80b3332c127 | |
| Office Online Search SSO | 5a4eed13-c4c4-4b4c-9506-334ab200bf31 | |
| Office UWP PWA | 0ec893e0-5785-4de6-99da-4ed124e5296c | |
| Office.com | 4b233688-031c-404b-9a80-a4f3f2351f90 | |
| Office365 Shell WCSS-Client | 89bee1f7-5e6e-4d8a-9f3d-ecd601259da7 | |
| Office365 Shell WCSS-Server | 5f09333a-842c-47da-a157-57da27fcbca5 | |
| OfficeClientService | 0f698dd4-f011-4d23-a33e-b36416dcb1e6 | |
| OfficeHome | 4765445b-32c6-49b0-83e6-1d93765276ca | Usually the application the proxy of a MiTM Phishing Campaign will sign into. However, many legitimate use-cases. |
| OfficeShredderWacClient | 4d5c2d63-cf83-4365-853c-925fd1a64357 | |
| Olympus | bb893c22-978d-4cd4-a6f7-bb6cc0d6e6ce | |
| OMSOctopiPROD | 62256cef-54c0-4cb4-bcac-4c67989bdc40 | |
| One Outlook Web | 9199bf20-a13f-4107-85dc-02114787ef48 | |
| OneDrive | b26aadf8-566f-4478-926f-589f601d9c74 | |
| OneDrive iOS App | af124e86-4e96-495a-b70a-90f90ab96707 | |
| OneDrive Sync Engine | ab9b8c07-8f02-4f72-87fa-80105867a763 | |
| OneDrive SyncEngine | ab9b8c07-8f02-4f72-87fa-80105867a763 | |
| OneDriveLTI | 4f547b5f-c3f7-4d2c-a14f-0f8f1286d7d5 | |
| OneLTI | d3ee6f25-becc-4659-9bc6-bbe6af7d18e6 | |
| OneNote | 2d4d3d8e-2be3-4bef-9f87-7875a61c29de | |
| Outlook Web App Widgets | 87223343-80b1-4097-be13-2332ffa1d666 | |
| Partner Customer Delegated Admin Migration | b39d63e7-7fa3-4b2b-94ea-ee256fdb8c2f | |
| Partner Customer Delegated Admin Offline Processor | a3475900-ccec-4a69-98f5-a65cd5dc5306 | |
| Partner Customer Delegated Administration | 2832473f-ec63-45fb-976f-5d45a7d4bb91 | |
| PartnerCenterCustomerServiceAppProd | 34cabb34-90ae-4aca-b8c3-c457dbedf145 | |
| Password Breach Authenticator | bdd48c81-3a58-4ea9-849c-ebea7f6b6360 | |
| PeoplePredictions | 35d54a08-36c9-4847-9018-93934c62740c | |
| Policy Processor | 1b489150-9b00-413a-83fd-6ef8f05b6e28 | |
| Power BI Desktop | 7f67af8a-fedc-4b08-8b4e-37c4d127b6cf | |
| Power BI Service | 00000009-0000-0000-c000-000000000000 | |
| Power Platform Admin Center | 065d9450-1e87-434e-ac2f-69af271549ed | |
| Power Platform Governance Services – TIRPS | 2b5e68f0-bdc2-45b0-920a-217d5cbbd505 | |
| Power Platform Insights and Recommendations Prod | 6b650392-d446-472e-a422-e47047790237 | |
| Power Virtual Agents Service | 9d8f559b-5984-46a4-902a-ad4271e83efa | |
| PowerApps | 4e291c71-d680-4d0e-9640-0a3358e31177 | |
| PowerApps – apps.powerapps.com | 3e62f81e-590b-425b-9531-cad6683656cf | |
| ProductsLifecycleApp | c09dc6d6-3bff-482b-8e40-68b3ad65f3fa | |
| PTSS | 9f6c88b7-0272-4581-a75a-ec0340824ed1 | |
| Purview Ecosystem | 9ec59623-ce40-4dc8-a635-ed0275b5d58a | |
| Reading Assignments | 22d27567-b3f0-4dc2-9ec2-46ed368ba538 | |
| Report Message | 6046742c-3aee-485e-a4ac-92ab7199db2e | |
| Scheduling | ae8e128e-080f-4086-b0e3-4c19301ada69 | |
| SEAL All credentials | 38df11dd-582e-4207-be6f-b214675f44a1 | |
| SEAL SNI | c10f411a-874c-485c-9d66-6e0b34202c41 | |
| SharedWithMe | ffcb16e8-f789-467c-8ce9-f826a080d987 | |
| SharePoint | d326c1ce-6cc6-4de2-bebc-4591e5e13ef0 | |
| SharePoint Android | f05ff7c9-f75a-4acd-a3b5-f4b6a870245d | |
| SharePoint Online Client Extensibility | c58637bb-e2e1-4312-8a00-04b5ffcd3403 | |
| SharePoint Online Web Client Extensibility | 08e18876-6177-487e-b8b5-cf950c1e598c | |
| Signup | b4bddae8-ab25-483e-8670-df09b9f1d0ea | |
| Skype Core Calling Service | 66c23536-2118-49d3-bc66-54730b057680 | |
| Skype For Business Entitlement | ef4c7f67-65bd-4506-8179-5ddcc5509aeb | |
| Skype for Business Online | 00000004-0000-0ff1-ce00-000000000000 | |
| SpoolsProvisioning | 61109738-7d2b-4a0b-9fe3-660b1ff83505 | |
| SSO Extension Intune | 163b648b-025e-455b-9937-a7f39a65d171 | |
| Sticky Notes API | 91ca2ca5-3b3e-41dd-ab65-809fa3dffffa | |
| Substrate Context Service | 13937bba-652e-4c46-b222-3003f4d1ff97 | |
| Substrate Search Settings Management Service | a970bac6-63fe-4ec5-8884-8536862c42d4 | |
| SubstrateDirectoryEventProcessor | 26abc9a8-24f0-4b11-8234-e86ede698878 | |
| Sway | 905fcf26-4eb7-48a0-9ff0-8dcc7194b5ba | |
| Teams CMD Services Artifacts | 6bc3b958-689b-49f5-9006-36d165f30e00 | |
| Teams NRT DLP Ingestion Service | 0ef94e72-e4fc-4aa0-a8f4-ff27deb3e6eb | |
| Teams NRT DLP Service | 7a274595-3618-4e6f-b54e-05bb353e0153 | |
| TeamsChatServiceApp | 4cba1704-a0c1-45ee-9d41-fe75b4ef9190 | |
| TeamsLinkedInLiveApp | 31ba6d5c-2e14-40fb-bbcb-27dc8a1bfaf5 | |
| teamsupgradeorchestrator-app | 3cf798a6-b0c5-4d5c-9645-b5273d471fc5 | |
| Transcript Ingestion | 97cb1f73-50df-47d1-8fb0-0271f2728514 | |
| TrustedPublishersProxyService | 2b61b865-d0bd-4c60-9efa-6fa934eefaac | |
| Universal Print | da9b70f6-5323-4ce6-ae5c-88dcc5082966 | |
| Universal Print Connector | 80331ee5-4436-4815-883e-93bc833a9a15 | |
| Universal Print Enabled Printer | 417ae6eb-aac8-42c8-900c-0e50debba688 | |
| Universal Print Native Client | dae89220-69ba-4957-a77a-47b78695e883 | |
| Universal Print PS Module | aad98258-6bb0-44ed-a095-21506dfb68fe | |
| Universal Store Entitlements Service | bf7b96b3-68e4-4fd9-b697-637f0f1e778c | |
| Universal Store Native Client | 268761a2-03f3-40df-8a8b-c3db24145b6b | |
| ViewPoint | 8338dec2-e1b3-48f7-8438-20c30a534458 | |
| Virtual Connector Provider | 1762e607-063e-431a-a25a-f0f782acb73b | |
| Virtual Visits App | 2b479c68-8d9b-4e27-9d85-5d74803de734 | |
| Visual Studio – Legacy | 872cd9fa-d31f-45e0-9eab-6e460a02d1f1 | |
| Viva Engage (formerly Yammer) | 00000005-0000-0ff1-ce00-000000000000 | |
| WeveEngine | 3c896ded-22c5-450f-91f6-3d1ef0848f6e | |
| Windows 365 | 0af06dc6-e4b5-4f28-818e-e78e62d137a5 | |
| Windows Azure Active Directory | 00000002-0000-0000-c000-000000000000 | |
| Windows Azure Security Resource Provider | 8edd93e1-2103-40b4-bd70-6e34e586362d | |
| Windows Azure Service Management API | 797f4846-ba00-4fd7-ba43-dac1f8f63013 | |
| Windows Notification Service | 04436913-cf0d-4d2a-9cc6-2ffe7f1d3d1c | |
| Windows Search | 26a7ee05-5602-4d76-a7ba-eae8b7b67941 | |
| Windows Sign In | 38aa3b87-a06d-4817-b275-7a316988d93b | |
| Windows Spotlight | 1b3c667f-cde3-4090-b60b-3d2abd0117f0 | |
| Windows Store for Business | 45a330b1-b1ec-4cc1-9161-9f03992aa49f | |
| Windows Update for Business Cloud Extensions PowerShell | d5097d05-956f-4ae2-b6a2-eff25f5689b3 | |
| Windows Update for Business Deployment Service | 61ae9cd9-7bca-458c-affc-861e2f24ba3b | |
| WindowsDefenderATP Portal | a3b79187-70b2-4139-83f9-6016c58cd27b | |
| Yammer iPhone | a569458c-7f2b-45cb-bab9-b7dee514d112 | |
| Yammer Web | c1c74fed-04c9-4704-80dc-9f79a2e515cb | |
| Yammer Web Embed | e1ef36fd-b883-4dbf-97f0-9ece4b576fc6 | |
| ZTNA Data Acquisition – PROD | 7dd7250c-c317-4bc6-8528-8d27b02707ef | |
| ZTNA Policy Service Graph Client | 3b80cd3f-61ca-49b0-8d0f-7b6760e08705 |
Sources
- https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/governance/verify-first-party-apps-sign-in
- https://github.com/randomaccess3/detections/blob/main/M365_Oauth_Apps/MaliciousOauthAppDetections.json
- https://github.com/merill/microsoft-info/blob/main/customdata/OtherMicrosoftApps.csv
- https://gist.github.com/dafthack/2c0bbcac72b10c1ee205d1dd2fed3fe7
This is great, you should push them to the Rogue apps project
https://github.com/huntresslabs/rogueapps
Realising now that all of the bad ones are in my JSON and I should push them to Rogue apps…
Great idea, appreciate the comment Phill!
This is an incredibly valuable resource — especially for anyone handling BEC investigations in M365 environments. Having the Application IDs mapped out like this makes threat hunting and log analysis so much more efficient.
Really appreciate the effort that’s gone into compiling and organising this — definitely something security teams will bookmark.