Microsoft 365 Administrator Expert MS-102 Practice Question

In the Defender for Cloud Apps activity log, the event that records a user or administrator granting OAuth permissions to an Azure AD application is "Consent to application." Filtering the log for this Activity type immediately narrows the results to permission-grant events only. Adding a filter for the Application ID or display name (Contoso-Reports) ensures that only events involving the suspicious app are shown. Once the single event is isolated, the log columns reveal the acting user (granted by), the date/time, the source IP address, and other context. The other options either reference activity types that are not written for OAuth consent (such as service principal creation or privilege escalation) or use filters (App equals Office 365, Device tag, etc.) that would return many unrelated events, making the investigation slower and potentially missing the consent event entirely.