The Entra ID Attack Nobody Audits

Mirko Peters · Podcasts


This episode is a drill for security leaders, identity admins, and anyone running Microsoft 365 / Entra (Azure AD). We walk through how attackers weaponize OAuth consent—not password theft—to gain persistent access to email, files, and directory data without triggering traditional MFA defenses. You’ll hear a full breakdown of:

  • What illicit consent grants really are
  • How refresh tokens and offline_access keep attackers in even after you reset passwords
  • The three Entra controls that collapse most of this attack surface
  • How to detect, prove, and remediate malicious OAuth grants in your tenant

If you think “we forced sign-out and reset passwords, so we’re safe,” this episode is your wake-up call.

What You’ll Learn in This Episode

1. What Illicit OAuth Consent Grants Actually Are

  • Why this is authorization abuse, not credential theft
  • How a “harmless” Microsoft consent screen turns into:
    • Mail.Read / Mail.ReadWrite → inbox and attachment visibility
    • Files.Read.All / Files.ReadWrite.All → SharePoint & OneDrive sweep
    • Directory.ReadWrite.All → identity pivot and tenant tampering
  • Why MFA doesn’t fire: the app acts with your delegated permissions, using tokens, not logins
  • The critical role of offline_access as a persistence flag

2. Why MFA and Password Resets Don’t Save You

  • How refresh tokens keep minting new access tokens long after you:
    • Reset passwords
    • Enforce MFA
    • “Force sign-out” for a user
  • Why OAuth consent lives in a different lane:
    • User authentication events vs. app permission events
    • Why revoking the grant beats resetting the password every time
  • Delegated vs. application permissions:
    • Delegated: act as the user
    • Application: act as a service, often tenant-wide

3. The Three Non-Negotiable Entra Controls You Must Set

You’ll get a clear checklist of Entra ID / Azure AD controls:

  1. Lock Down User Consent
    • Disable user consent entirely or
    • Allow only verified publishers and low-risk scopes
    • Exclude: offline_access, Files.*.All, Mail.ReadWrite, Directory.*
  2. Require Verified Publishers
    • Only apps with Verified Publisher status can receive user consent
    • Force attackers into admin consent lanes where visibility and scrutiny are higher
  3. Enable & Enforce Admin Consent Workflow
    • Route risky scope requests (Mail.Read, Files.ReadWrite.All, Directory.ReadWrite.All, etc.)
      into a structured approval process
    • Require justification, business owner, and expiry for approvals
    • Use permission grant policies and least privilege as the default
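The three controls above map onto two Entra policy objects: the tenant authorization policy (which permission-grant policy users are assigned, and therefore whether they can consent at all and to what) and the admin consent request policy (the workflow). The script below is an added example, not code from the episode, showing the weak setting next to the hardened one using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the account has rights to edit both policies, and that the reviewer object ID is replaced with one of your own (the value shown is a placeholder).

```powershell
# Added example (not from the episode): set the three consent controls via Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module and an account allowed to edit authorization and consent-request policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization","Policy.ReadWrite.ConsentRequest"

# Built-in permission-grant policies users can be assigned:
$legacyPolicy  = 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy'  # any user, any app, any scope (weak)
$lowRiskPolicy = 'ManagePermissionGrantsForSelf.microsoft-user-default-low'     # verified publishers, low-risk scopes only

# --- Control 1 + 2: lock down user consent and require verified publishers ---------------------
$current = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
if ($current -contains $legacyPolicy) {
    Write-Warning "User consent is wide open ($legacyPolicy): users can grant offline_access, Mail.*, Files.*.All and Directory.* themselves."
}

# Pick ONE hardened setting. (a) disable user consent entirely: assign no policy at all.
$disabled = @{ PermissionGrantPoliciesAssigned = @() }
# (b) allow consent only for verified publishers and the built-in low-risk scope set;
#     offline_access, Files.*.All, Mail.ReadWrite and Directory.* are outside that set and fall to admins.
$verifiedLowRisk = @{ PermissionGrantPoliciesAssigned = @($lowRiskPolicy) }

Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $verifiedLowRisk   # or $disabled

# --- Control 3: admin consent workflow -------------------------------------------------------
$reviewerId = '00000000-0000-0000-0000-000000000000'   # PLACEHOLDER: object ID of the reviewing admin
$workflow = @{
    IsEnabled             = $true
    NotifyReviewers       = $true
    RemindersEnabled      = $true
    RequestDurationInDays = 30            # pending requests expire instead of lingering forever
    Reviewers             = @(@{ Query = "/users/$reviewerId"; QueryType = 'MicrosoftGraph' })
}
Update-MgPolicyAdminConsentRequestPolicy -BodyParameter $workflow

# --- Verify what is now in effect ------------------------------------------------------------
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
Get-MgPolicyAdminConsentRequestPolicy | Select-Object IsEnabled, NotifyReviewers, RequestDurationInDays
```

Choosing `$disabled` pushes every consent request through the workflow; choosing `$verifiedLowRisk` keeps low-friction consent for verified publishers while still routing the high-risk scopes the episode names into admin review. Either way, check the verification output after the change, since a tenant can also carry custom permission-grant policies that widen what users may approve.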

4. Case Study: Proving MFA & Resets Don’t Revoke Grants

We walk through a clean, reproducible scenario:

  • User approves a “Productivity Sync” app with Mail.Read + offline_access
  • Attacker uses Microsoft Graph to read mail and pull attachments—quietly
  • Blue team resets password, enforces MFA, forces sign-out
  • App keeps working because the OAuth grant and refresh token still exist
  • The only real fix: revoke the OAuth grant / service principal permissions

You’ll come away with a mental model of why your normal incident playbook fails against app-based attacks.

5. Detection: Logs, Queries, and What to Flag Immediately

We cover the high-signal events and patterns you should be hunting:

  • Key audit events:
    • Add servicePrincipalOAuth2PermissionGrant
    • Update application
    • Add passwordCredential / Add keyCredential
  • How to triage suspicious apps:
    • Unknown service principals
    • Unverified publishers
    • High-risk scopes: offline_access, Mail.*, Files.*.All, Directory.*
  • Inventory & queries (Graph / PowerShell) to map:
    • Who granted what
    • Which apps hold risky scopes
    • Tenant-wide consents (consentType = AllPrincipals)
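As an added example of the inventory described above (this is not the episode's own query), the following Microsoft Graph PowerShell script enumerates every delegated grant (OAuth2PermissionGrant), joins it to the client service principal, and flags the three triage signals: unverified publishers, tenant-wide consent (consentType = AllPrincipals), and the high-risk scopes listed above. It assumes the Microsoft.Graph module is installed; the regular expressions used to classify scopes and the output column names are this example's choices.

```powershell
# Added example (not from the episode): inventory delegated OAuth2 permission grants and flag risky ones.
# Assumes the Microsoft.Graph module; the risk patterns below are this example's classification, not a Microsoft list.
Connect-MgGraph -Scopes "Directory.Read.All","Application.Read.All","DelegatedPermissionGrant.ReadWrite.All"

# Scope patterns treated as high-risk (matched against each space-separated scope in the grant).
$riskyPatterns = @('^offline_access$', '^Mail\.', '^Files\..*\.All$', '^Directory\.')

function Test-RiskyScope {
    param([string]$Scope)
    foreach ($p in $riskyPatterns) { if ($Scope -match $p) { return $true } }
    return $false
}

# One service-principal lookup per client, not one per grant.
$spCache = @{}
function Get-CachedServicePrincipal {
    param([string]$Id)
    if (-not $spCache.ContainsKey($Id)) {
        $spCache[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id -Property Id,AppId,DisplayName,VerifiedPublisher
    }
    return $spCache[$Id]
}

$report = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    $sp     = Get-CachedServicePrincipal -Id $grant.ClientId
    $scopes = ($grant.Scope -split '\s+') | Where-Object { $_ }
    $risky  = $scopes | Where-Object { Test-RiskyScope $_ }

    # Who granted it: one user (consentType Principal) or an admin on behalf of everyone (AllPrincipals).
    if ($grant.ConsentType -eq 'AllPrincipals') {
        $grantedFor = 'ALL USERS (admin consent)'
    } else {
        $u = Get-MgUser -UserId $grant.PrincipalId -Property UserPrincipalName -ErrorAction SilentlyContinue
        $grantedFor = if ($u) { $u.UserPrincipalName } else { "unknown/deleted user $($grant.PrincipalId)" }
    }

    [pscustomobject]@{
        App               = $sp.DisplayName
        AppId             = $sp.AppId
        ServicePrincipal  = $sp.Id
        VerifiedPublisher = if ($sp.VerifiedPublisher.DisplayName) { $sp.VerifiedPublisher.DisplayName } else { 'UNVERIFIED' }
        ConsentType       = $grant.ConsentType
        GrantedFor        = $grantedFor
        RiskyScopes       = ($risky -join ' ')
        AllScopes         = $grant.Scope
        GrantId           = $grant.Id
    }
}

# Triage view: anything with a risky scope or a tenant-wide consent, unverified publishers grouped together.
$report |
    Where-Object { $_.RiskyScopes -or $_.ConsentType -eq 'AllPrincipals' } |
    Sort-Object ConsentType, VerifiedPublisher |
    Format-Table App, VerifiedPublisher, ConsentType, GrantedFor, RiskyScopes -AutoSize

# Keep the full inventory: it feeds remediation and lets you diff grants between scheduled runs.
$report | Export-Csv -Path .\oauth-grants-inventory.csv -NoTypeInformation
```

Run it on a schedule and diff the CSV against the previous run: a new row whose app is UNVERIFIED and whose RiskyScopes contains offline_access is exactly the "Productivity Sync" pattern from the case study, and it will not show up in sign-in logs because the app is using tokens, not logging in.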

6. Remediation & Hardening: Purge, Review, Enforce, Repeat

You’ll get a remediation playbook you can adapt:

  • Immediate:
    • Remove OAuth2PermissionGrants for malicious apps
    • Remove or rotate app secrets and certificates
    • Delete rogue service principals
  • Assessment:
    • Review mailbox, SharePoint, and directory impact based on granted scopes
  • Hardening:
    • Implement deny-by-default permission grant policies
    • Build a scope catalog of: allowed, conditional, and blocked scopes
    • Schedule recurring access reviews for apps and consents
    • Dashboard: long-lived grants, risky scopes, and grants to privileged users
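The "Immediate" steps above, as an added example rather than the episode's own playbook: a Microsoft Graph PowerShell function that, for a service principal you have already confirmed as malicious, removes its delegated grants, its application-permission role assignments and its credentials, then disables sign-in, with deletion left as an explicit opt-in so the object survives for forensics. It assumes the Microsoft.Graph module is installed and that the service principal object ID comes from your inventory; the function name and its switch are this example's.

```powershell
# Added example (not from the episode): purge a confirmed-malicious service principal.
# Assumes the Microsoft.Graph module; $ServicePrincipalId is the object ID from your grant inventory.
# Order matters: cut grants and credentials first so the app cannot mint new tokens, then disable, then (optionally) delete.
Connect-MgGraph -Scopes "Application.ReadWrite.All","DelegatedPermissionGrant.ReadWrite.All","AppRoleAssignment.ReadWrite.All"

function Remove-RogueServicePrincipal {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$ServicePrincipalId,
        [switch]$DeleteServicePrincipal   # default keeps the (disabled) object for evidence collection
    )
    $sp = Get-MgServicePrincipal -ServicePrincipalId $ServicePrincipalId
    Write-Verbose "Target: $($sp.DisplayName) (appId $($sp.AppId))"

    # 1. Delegated grants (OAuth2PermissionGrant). Once removed, the app can no longer obtain new
    #    access tokens for those scopes; tokens already issued expire on their own short lifetime.
    $grants = Get-MgOauth2PermissionGrant -All -Filter "clientId eq '$ServicePrincipalId'"
    foreach ($g in $grants) {
        if ($PSCmdlet.ShouldProcess("grant $($g.Id) [$($g.Scope)] ($($g.ConsentType))", 'Remove OAuth2PermissionGrant')) {
            Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
        }
    }

    # 2. Application permissions: app role assignments held by this service principal.
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId -All) {
        if ($PSCmdlet.ShouldProcess("app role $($a.AppRoleId) on $($a.ResourceDisplayName)", 'Remove app role assignment')) {
            Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId -AppRoleAssignmentId $a.Id
        }
    }

    # 3. Credentials: client secrets are removed one by one; certificates by rewriting the list empty.
    foreach ($c in $sp.PasswordCredentials) {
        if ($PSCmdlet.ShouldProcess("secret $($c.KeyId)", 'Remove password credential')) {
            Remove-MgServicePrincipalPassword -ServicePrincipalId $ServicePrincipalId -KeyId $c.KeyId
        }
    }
    if ($sp.KeyCredentials.Count -gt 0 -and $PSCmdlet.ShouldProcess("$($sp.KeyCredentials.Count) certificate(s)", 'Clear key credentials')) {
        Update-MgServicePrincipal -ServicePrincipalId $ServicePrincipalId -KeyCredentials @()
    }

    # 4. Block sign-in now; delete only once the assessment step (mailbox/SharePoint/directory impact) is done.
    if ($PSCmdlet.ShouldProcess($sp.DisplayName, 'Disable sign-in')) {
        Update-MgServicePrincipal -ServicePrincipalId $ServicePrincipalId -AccountEnabled:$false
    }
    if ($DeleteServicePrincipal -and $PSCmdlet.ShouldProcess($sp.DisplayName, 'Delete service principal')) {
        Remove-MgServicePrincipal -ServicePrincipalId $ServicePrincipalId
    }
}

# Dry run first (prints every action without performing it), then the real run:
# Remove-RogueServicePrincipal -ServicePrincipalId '<object id from inventory>' -WhatIf
# Remove-RogueServicePrincipal -ServicePrincipalId '<object id from inventory>' -Verbose
```

Because the function supports `-WhatIf` and `-Confirm`, the dry run doubles as a record of what will be revoked; keep that output with the incident ticket. Note that this purges the application's access, which is the fix the case study calls for, and is independent of the user-side password reset and sign-out that do not touch the grant.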

Who This Episode Is For

  • CISOs & security leaders running Microsoft 365 / Entra ID
  • Identity & access management teams
  • SOC & detection engineers
  • Cloud security / platform engineering teams
  • Red teams & blue teams modeling OAuth abuse and MFA bypass

Key Terms Covered

  • OAuth Consent / Illicit Consent Grants
  • Refresh Tokens & offline_access
  • Delegated vs. Application Permissions
  • Admin Consent Workflow
  • Verified Publisher
  • Service Principal & OAuth2PermissionGrant
  • Microsoft Graph–based exfiltration

Call to Action

Next steps after listening:

  1. Lock user consent: restrict or disable it, and remove offline_access from low-risk scopes.
  2. Enable Verified Publisher enforcement for all user-consent scenarios.
  3. Turn on and use Admin Consent Workflow—no more “one-click tenant skeleton keys.”
  4. Audit existing grants for offline_access + *.All scopes and revoke anything suspicious.
  5. Subscribe for the follow-up episode on real Microsoft Graph queries and KQL detections to automate this hunt.

Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-show-podcast–6704921/support.
