Your MFA Is Useless: The Entra ID Attack Nobody Audits

02/12/2025 29 min

Episode Synopsis

This episode is a drill for security leaders, identity admins, and anyone running Microsoft 365 / Entra ID (formerly Azure AD). We walk through how attackers weaponize OAuth consent, not password theft, to gain persistent access to email, files, and directory data without triggering traditional MFA defenses. You'll hear a full breakdown of:

- What illicit consent grants really are
- How refresh tokens and offline_access keep attackers in even after you reset passwords
- The three Entra controls that collapse most of this attack surface
- How to detect, prove, and remediate malicious OAuth grants in your tenant

If you think "we forced sign-out and reset passwords, so we're safe," this episode is your wake-up call.

What You'll Learn in This Episode

1. What Illicit OAuth Consent Grants Actually Are

- Why this is authorization abuse, not credential theft
- How a "harmless" Microsoft consent screen turns into:
  - Mail.Read / Mail.ReadWrite → inbox and attachment visibility
  - Files.Read.All / Files.ReadWrite.All → SharePoint & OneDrive sweep
  - Directory.ReadWrite.All → identity pivot and tenant tampering
- Why MFA doesn't fire: the app acts with your delegated permissions, using tokens, not logins. MFA is evaluated once, when the user signs in and clicks Accept; every later Microsoft Graph call is made by the app with an access token and is never an authentication event.
- The critical role of offline_access as a persistence flag: it is the scope that makes Entra issue a refresh token, so the app can keep obtaining new access tokens without the user being present

2. Why MFA and Password Resets Don't Save You

- How refresh tokens keep minting new access tokens long after you:
  - Reset passwords
  - Enforce MFA
  - "Force sign-out" for a user
- Caveat for your playbook: Entra does revoke a user's refresh tokens on a password reset (for tokens obtained after a password sign-in) and when an admin runs Revoke-MgUserSignInSession. What survives is the consent grant itself and any access token already issued (valid until it expires, roughly an hour by default), so the app is silently re-issued tokens the next time the user signs in, and grants of application permissions are not affected at all.
- Why OAuth consent lives in a different lane: user authentication events vs. app permission events
- Why revoking the grant beats resetting the password every time
- Delegated vs. application permissions:
  - Delegated: act as the user, limited to what that user can reach
  - Application: act as a service, often tenant-wide, with no user token involved
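The token refresh described above, seen from the app's side, as an added example that is not part of the episode: the standard OAuth 2.0 refresh_token grant against the Entra v2.0 token endpoint, followed by one delegated Graph call. The tenant, client id, secret and refresh token are placeholders (assumptions); the catch branch shows what the app sees once the refresh token has been revoked, which is the point of the caveat above.

```powershell
# Added example: standard OAuth 2.0 refresh_token flow against Entra ID (v2.0 endpoint).
# All four parameters are placeholders; a real app would have captured them at consent time.
param(
    [string]$TenantId     = "contoso.onmicrosoft.com",
    [string]$ClientId     = "00000000-0000-0000-0000-000000000000",
    [string]$ClientSecret = "<app-secret>",                        # omit for a public client
    [string]$RefreshToken = "<refresh-token-issued-at-consent>"
)

$tokenUri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"

# offline_access at consent time is what caused a refresh token to be issued at all.
$body = @{
    grant_type    = "refresh_token"
    client_id     = $ClientId
    client_secret = $ClientSecret
    refresh_token = $RefreshToken
    scope         = "https://graph.microsoft.com/Mail.Read offline_access"
}

try {
    # No browser, no user, no MFA: this is a back-channel call by the app.
    $token = Invoke-RestMethod -Method Post -Uri $tokenUri -Body $body `
        -ContentType "application/x-www-form-urlencoded"
} catch {
    # After a password reset or Revoke-MgUserSignInSession the endpoint answers HTTP 400 with
    # error "invalid_grant". The refresh token is dead, but the consent grant is still on file.
    if ($_.ErrorDetails) {
        $err = $_.ErrorDetails.Message | ConvertFrom-Json
        Write-Warning "Refresh failed: $($err.error) - $($err.error_description)"
    } else {
        Write-Warning "Refresh failed: $_"
    }
    return
}

# Entra rolls the refresh token on every use; a persistent app stores the new one.
$RefreshToken = $token.refresh_token

# Delegated call: runs as the consenting user, bounded by the scopes on the grant.
$headers = @{ Authorization = "Bearer $($token.access_token)" }
$uri = "https://graph.microsoft.com/v1.0/me/messages?`$top=5&`$select=subject,from,receivedDateTime,hasAttachments"
$mail = Invoke-RestMethod -Uri $uri -Headers $headers
$mail.value | Select-Object receivedDateTime, subject, hasAttachments
```

Run it once with a live refresh token and again after running Revoke-MgUserSignInSession for the user: the second run hits the invalid_grant branch. Then have the user sign in to any Microsoft 365 app and run the consent flow for the same client id: no consent prompt appears, because the grant was never removed.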
3. The Three Non-Negotiable Entra Controls You Must Set

You'll get a clear checklist of Entra ID / Azure AD controls:

Lock Down User Consent
- Disable user consent entirely, or
- Allow only verified publishers and low-risk scopes
- Exclude: offline_access, Files.*.All, Mail.ReadWrite, Directory.*

Require Verified Publishers
- Only apps with Verified Publisher status can receive user consent
- Force attackers into admin consent lanes where visibility and scrutiny are higher

Enable & Enforce Admin Consent Workflow
- Route risky scope requests (Mail.Read, Files.ReadWrite.All, Directory.ReadWrite.All, etc.) into a structured approval process
- Require justification, business owner, and expiry for approvals
- Use permission grant policies and least privilege as the default

4. Case Study: Proving MFA & Resets Don't Revoke Grants

We walk through a clean, reproducible scenario:
- User approves a "Productivity Sync" app with Mail.Read + offline_access
- Attacker uses Microsoft Graph to read mail and pull attachments, quietly
- Blue team resets password, enforces MFA, forces sign-out
- App keeps working: the OAuth grant is untouched, tokens already issued stay valid until they expire, and because consent is still on file the app is re-issued tokens silently the next time the user signs in
- The only real fix: revoke the OAuth grant / service principal permissions

You'll come away with a mental model of why your normal incident playbook fails against app-based attacks.

5. Detection: Logs, Queries, and What to Flag Immediately

We cover the high-signal events and patterns you should be hunting:

Key audit events:
- Add service principal
- Add OAuth2PermissionGrant (and its user-facing twin, Consent to application)
- Update application
- Add passwordCredential / Add keyCredential (a new secret or certificate on an existing app)

How to triage suspicious apps:
- Unknown service principals
- Unverified publishers
- High-risk scopes: offline_access, Mail.*, Files.*.All, Directory.*

Inventory & queries (Graph / PowerShell) to map:
- Who granted what
- Which apps hold risky scopes
- Tenant-wide consents (consentType = AllPrincipals)
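The inventory and audit hunt described in section 5, as an added example that is not the episode's own material: it enumerates every delegated grant (oauth2PermissionGrant) and every application permission (appRoleAssignment) in the tenant, flags risky scopes, unverified publishers and tenant-wide consents, and pulls the matching directory audit events. It assumes the Microsoft.Graph PowerShell SDK; the risky-scope prefixes, the 30-day window and the decision to skip Microsoft first-party apps are this example's own choices.

```powershell
# Added example: consent-grant inventory and audit hunt with the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All", "AuditLog.Read.All" -NoWelcome

# Scope prefixes treated as high risk here (this list is an assumption; tune it to your tenant).
# offline_access is flagged on its own: it grants no data, it grants persistence.
$riskyPrefixes = @("offline_access", "Mail.", "MailboxSettings.", "Files.", "Sites.",
                   "Directory.", "User.Read.All", "Group.ReadWrite.All")

function Test-RiskyScope([string]$Scope) {
    foreach ($p in $riskyPrefixes) { if ($Scope.StartsWith($p)) { return $true } }
    return $false
}

# Cache all service principals once; AppRoles is needed to name application permissions.
$sps = @{}
Get-MgServicePrincipal -All -Property Id, AppId, DisplayName, VerifiedPublisher, AppOwnerOrganizationId, AppRoles |
    ForEach-Object { $sps[$_.Id] = $_ }

# --- Delegated grants: one oauth2PermissionGrant per (client app, resource, user or whole tenant) ---
$delegated = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $g      = $_
    $sp     = $sps[$g.ClientId]
    $scopes = @($g.Scope -split " " | Where-Object { $_ })
    [pscustomobject]@{
        App         = $sp.DisplayName
        AppId       = $sp.AppId
        Verified    = [bool]$sp.VerifiedPublisher.VerifiedPublisherId
        TenantWide  = ($g.ConsentType -eq "AllPrincipals")   # admin consented for every user
        PrincipalId = $g.PrincipalId                         # user object id; empty when tenant-wide
        RiskyScopes = (@($scopes | Where-Object { Test-RiskyScope $_ }) -join " ")
        Scope       = $g.Scope
        GrantId     = $g.Id                                  # what Remove-MgOauth2PermissionGrant needs
    }
}

"== Delegated grants carrying risky scopes (unverified and tenant-wide first) =="
$delegated | Where-Object { $_.RiskyScopes } |
    Sort-Object @{ e = "Verified" }, @{ e = "TenantWide"; Descending = $true } |
    Format-Table App, Verified, TenantWide, PrincipalId, RiskyScopes -AutoSize

# --- Application permissions: appRoleAssignments held by the client service principal ---
# f8cdef31-a31e-4b4a-93e4-5f571e91255a is the tenant that owns Microsoft first-party apps; skip them.
$appOnly = foreach ($sp in $sps.Values) {
    if ($sp.AppOwnerOrganizationId -eq "f8cdef31-a31e-4b4a-93e4-5f571e91255a") { continue }
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        $role = $sps[$a.ResourceId].AppRoles | Where-Object Id -eq $a.AppRoleId
        [pscustomobject]@{
            App = $sp.DisplayName; Verified = [bool]$sp.VerifiedPublisher.VerifiedPublisherId
            Resource = $a.ResourceDisplayName; Permission = $role.Value; AssignmentId = $a.Id
        }
    }
}

"== Application permissions with risky scopes (act as a service, no user in the loop) =="
$appOnly | Where-Object { Test-RiskyScope $_.Permission } |
    Format-Table App, Verified, Resource, Permission -AutoSize

# --- Audit trail for the last 30 days: who consented to what ---
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$activities = "Consent to application", "Add OAuth2PermissionGrant", "Add service principal",
              "Add app role assignment to service principal", "Update application"
$filter = "activityDateTime ge $since and (" +
          (($activities | ForEach-Object { "activityDisplayName eq '$_'" }) -join " or ") + ")"

Get-MgAuditLogDirectoryAudit -Filter $filter -All |
    Select-Object ActivityDateTime, ActivityDisplayName,
        @{ n = "Actor";  e = { $_.InitiatedBy.User.UserPrincipalName } },
        @{ n = "Target"; e = { ($_.TargetResources | Select-Object -First 1).DisplayName } },
        @{ n = "Scopes"; e = { ($_.TargetResources.ModifiedProperties |
                                 Where-Object DisplayName -eq "ConsentAction.Permissions").NewValue } } |
    Sort-Object ActivityDateTime -Descending | Format-Table -AutoSize
```

Join the three outputs on App / AppId: a delegated grant with offline_access on an unverified app that first appeared in the audit log as Add service principal within the last few days, consented by a non-admin user, is the textbook illicit consent grant. The GrantId and AssignmentId columns are exactly the identifiers the remediation step needs.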
6. Remediation & Hardening: Purge, Review, Enforce, Repeat

You'll get a remediation playbook you can adapt:

Immediate:
- Remove OAuth2PermissionGrants for malicious apps
- Remove or rotate app secrets and certificates
- Delete rogue service principals

Assessment:
- Review mailbox, SharePoint, and directory impact based on granted scopes

Hardening:
- Implement deny-by-default permission grant policies
- Build a scope catalog of allowed, conditional, and blocked scopes
- Schedule recurring access reviews for apps and consents
- Dashboard: long-lived grants, risky scopes, and grants to privileged users

Who This Episode Is For
- CISOs & security leaders running Microsoft 365 / Entra ID
- Identity & access management teams
- SOC & detection engineers
- Cloud security / platform engineering teams
- Red teams & blue teams modeling OAuth abuse and MFA bypass

Key Terms Covered
- OAuth Consent / Illicit Consent Grants
- Refresh Tokens & offline_access
- Delegated vs. Application Permissions
- Admin Consent Workflow
- Verified Publisher
- Service Principal & OAuth2PermissionGrant
- Microsoft Graph–based exfiltration

Call to Action

Next steps after listening:
- Lock user consent: restrict or disable it, and remove offline_access from low-risk scopes.
- Enable Verified Publisher enforcement for all user-consent scenarios.
- Turn on and use Admin Consent Workflow: no more "one-click tenant skeleton keys."
- Audit existing grants for offline_access + *.All scopes and revoke anything suspicious.
- Subscribe for the follow-up episode on real Microsoft Graph queries and KQL detections to automate this hunt.

Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-show-podcast--6704921/support
Follow us on: LinkedIn, Substack
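The immediate remediation steps from section 6 and the three controls from section 3 (which the call to action repeats), as one added example that is not the episode's own material. Part one purges a single rogue app identified by its appId: delegated grants, application permissions, already-issued user tokens, then the service principal itself. Part two sets the tenant controls with the built-in Entra policies. It assumes the Microsoft.Graph PowerShell SDK; the appId, the reviewer account and the set of scopes classified as low-impact are placeholders and choices of this example.

```powershell
# Added example: purge one rogue app, then lock consent down tenant-wide.
param(
    [string]$RogueAppId  = "00000000-0000-0000-0000-000000000000",  # placeholder appId from the inventory
    [string]$ReviewerUpn = "consent-reviewer@contoso.com"           # placeholder admin-consent reviewer
)

Connect-MgGraph -NoWelcome -Scopes "Application.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All", "User.RevokeSessions.All", "User.Read.All",
    "Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConsentRequest", "Policy.ReadWrite.PermissionGrant"

# ---------- Part 1: remediation of one malicious app ----------
$sp = Get-MgServicePrincipal -Filter "appId eq '$RogueAppId'"
if (-not $sp) { throw "No service principal found for appId $RogueAppId" }

# 1. Delegated grants: the object a password reset, MFA enforcement and forced sign-out never touch.
$affectedUsers = @()
foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All) {
    Write-Host "Revoking grant $($g.Id) [$($g.ConsentType)] scopes: $($g.Scope)"
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
    if ($g.PrincipalId) { $affectedUsers += $g.PrincipalId }   # empty for AllPrincipals grants
}

# 2. Application permissions: app-only access, no user token involved, so only this removes it.
foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    Write-Host "Removing app role assignment $($a.Id) on $($a.ResourceDisplayName)"
    Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $a.Id
}

# 3. Invalidate refresh tokens already held for the consenting users. Access tokens already issued
#    keep working until they expire (about an hour), which is why steps 1 and 2 come first.
foreach ($uid in ($affectedUsers | Sort-Object -Unique)) {
    Revoke-MgUserSignInSession -UserId $uid | Out-Null
    Write-Host "Revoked sign-in sessions for user $uid"
}

# 4. Delete the service principal so the app cannot be re-consented without being re-created
#    (which would itself produce a fresh Add service principal audit event).
Remove-MgServicePrincipal -ServicePrincipalId $sp.Id

# ---------- Part 2: the three controls ----------
# Controls 1 and 2: user consent only for apps from verified publishers AND only for scopes
# classified as low impact. Everything else falls into the admin consent lane.
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId "authorizationPolicy" -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
}

# Classify which Graph delegated scopes count as low impact. offline_access is deliberately absent,
# so an app asking for it always needs an admin. The list itself is this example's choice.
$graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
foreach ($name in "User.Read", "openid", "profile", "email") {
    $perm = $graph.Oauth2PermissionScopes | Where-Object Value -eq $name
    New-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $graph.Id `
        -PermissionId $perm.Id -PermissionName $perm.Value -Classification "low" | Out-Null
}

# Control 3: admin consent workflow, so blocked requests become reviewable tickets instead of dead ends.
$reviewer = Get-MgUser -UserId $ReviewerUpn
Update-MgPolicyAdminConsentRequestPolicy -IsEnabled -NotifyReviewers -RemindersEnabled `
    -RequestDurationInDays 14 `
    -Reviewers @(@{ Query = "/users/$($reviewer.Id)"; QueryType = "MicrosoftGraph" })
```

Order matters in part one: remove the grant and the app role assignments before revoking sessions, otherwise the app can use the window before revocation to re-acquire tokens, and nothing in steps 3 or 4 would help against an app holding application permissions. Re-run the inventory afterwards and confirm the appId no longer appears in either the delegated or the app-only listing.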