Checking Azure AD Consent Permission Grants for High-Priority Permissions

This week, I wrote about Azure AD applications with high-priority permissions, defined as Microsoft Graph and other permissions that attackers could exploit to access, update, and exfiltrate information. For instance, if an application holds the Mail.ReadWrite application permission, it can read and write messages in every mailbox in the tenant. The script generates a report that is posted to a Teams channel to allow administrators to review the applications holding the specified permissions.

Illicit Consents

If you examine the data returned by Azure AD for an app, you'll see that while we can figure out the permissions assigned to the application, Azure AD does not tell you who consented to the permission or when they consented. That information can be an important signal that an attacker has managed to achieve an illicit consent grant, defined as happening when:

"the attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting that application consent to access their data, possibly by a phishing attack."

An illicit consent grant for access to an individual user's data is bad. One that results in an administrator granting consent to an application for a high-priority permission that the attacker can subsequently leverage could be catastrophic.

Checking for Azure AD Consent Permission Grant Audit Records

One way to find the last time a change happened to an app's permissions is to search the Azure AD audit logs for records of the "Consent to application" action, filtering the set to find those matching the service principal identifier for the app. I didn't do this in the script described in the article, so let's explore how a consent check might work.

First, let's assume that the script has run and detected an application holding some high-priority permissions. Its properties might look like this:

DisplayName        : MalwareExample
ServicePrincipalId : 6df52e04-63b2-4007-af69-40430ee5a1d1
Publisher          : Office 365 for IT Pros
Permissions        : Mail.ReadWrite, Mail.Send
SPType             : Application
CreatedDate        : 12/09/2022 22:41
RecentApp          : True

To scan the Azure AD audit logs for consent records for this app, we can use a command like this to see if a successful audit record exists. Azure AD retains 30 days of audit records for tenants with Azure AD Premium licenses, so the search effectively goes back 30 days.

[array]$AuditRecords = Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Consent to application' and result eq 'success' and targetResources/any(tr:tr/id eq '$($app.serviceprincipalid)')" -Top 1

If an audit record is found, it will look like this:

ActivityDateTime     : 12/09/2022 21:42:49
ActivityDisplayName  : Consent to application
AdditionalDetails    : User-Agent, AppId
Category             : ApplicationManagement
CorrelationId        : 005cc13f-9fd5-4b95-89ce-19802a7a785f
Id                   : Directory_005cc13f-9fd5-4b95-89ce-19802a7a785f_72CWK_111329857
InitiatedBy          : Microsoft.Graph.PowerShell.Models.MicrosoftGraphAuditActivityInitiator1
LoggedByService      : Core Directory
OperationType        : Assign
Result               : success
ResultReason         :
TargetResources      : 6df52e04-63b2-4007-af69-40430ee5a1d1
UserAgent            :
AdditionalProperties :

We can see that the consent was granted a minute after the creation date for the app (the audit log reports ActivityDateTime in UTC, while the CreatedDate shown above is local time, which accounts for the hour difference). That could be a suspicious signal, but it might also be the normal result of an administrator granting permissions immediately after creating an app.

The InitiatedBy property is a complex object. Parsing it out, we can eventually find who granted consent:

$AuditRecords.InitiatedBy.consumer.UserPrincipalName
[email protected]
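To turn the steps above into something the script can call per app, here is an added example (not code from the original post) that runs the same audit-log query, extracts who granted consent (a user or, for app-initiated grants, an app), and flags consents that landed within a short window after the app was created. The function name, the 15-minute threshold, and the optional -AuditRecords parameter (used to run it offline against constructed records) are my assumptions; live use requires Connect-MgGraph with the AuditLog.Read.All scope.

```powershell
# Added example, not from the original post: check the Azure AD audit log for
# consent grants to an app with high-priority permissions, report who granted
# consent, and flag grants made within $WindowMinutes of the app's creation.
# $App is assumed to carry the properties of the report object shown earlier.
function Test-AppConsentGrant {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object]$App,   # needs DisplayName, ServicePrincipalId, CreatedDate
        [int]$WindowMinutes = 15,              # assumed threshold for "consent right after creation"
        [object[]]$AuditRecords                # optional: supply records (offline test) instead of querying Graph
    )

    if (-not $PSBoundParameters.ContainsKey('AuditRecords')) {
        # OData keywords are lowercase; result is an enum, so compare against 'success'
        $Filter = "activityDisplayName eq 'Consent to application' and result eq 'success' " +
                  "and targetResources/any(tr:tr/id eq '$($App.ServicePrincipalId)')"
        [array]$AuditRecords = Get-MgAuditLogDirectoryAudit -Filter $Filter -All
    }

    if (-not $AuditRecords) {
        return [pscustomobject]@{
            DisplayName        = $App.DisplayName
            ServicePrincipalId = $App.ServicePrincipalId
            ConsentFound       = $false
            Note               = 'No successful consent record within the Azure AD audit log retention period'
        }
    }

    # Audit timestamps are UTC; normalize the creation date the same way before comparing
    $Created = ([datetime]$App.CreatedDate).ToUniversalTime()

    foreach ($Record in ($AuditRecords | Sort-Object ActivityDateTime -Descending)) {
        # InitiatedBy is a complex object: consent comes from either a user or an app
        $GrantedBy     = $Record.InitiatedBy.User.UserPrincipalName
        $GrantedByType = 'User'
        if ([string]::IsNullOrEmpty($GrantedBy)) {
            $GrantedBy     = $Record.InitiatedBy.App.DisplayName
            $GrantedByType = 'App'
        }
        $Consented = ([datetime]$Record.ActivityDateTime).ToUniversalTime()
        $Minutes   = [math]::Round(($Consented - $Created).TotalMinutes, 1)

        [pscustomobject]@{
            DisplayName          = $App.DisplayName
            ServicePrincipalId   = $App.ServicePrincipalId
            ConsentFound         = $true
            ConsentedAtUtc       = $Consented
            GrantedBy            = $GrantedBy
            GrantedByType        = $GrantedByType
            MinutesAfterCreation = $Minutes
            # Consent inside the window after creation is worth a closer look;
            # a negative value means the creation date and audit clock disagree
            Suspicious           = ($Minutes -ge 0 -and $Minutes -le $WindowMinutes)
            CorrelationId        = $Record.CorrelationId
        }
    }
}

# Constructed sample data (not from a real tenant) so the function runs offline.
# The report's 22:41 local creation time is taken as 21:41 UTC (assumed UTC+1 tenant).
$SampleApp = [pscustomobject]@{
    DisplayName        = 'MalwareExample'
    ServicePrincipalId = '6df52e04-63b2-4007-af69-40430ee5a1d1'
    CreatedDate        = [datetime]::new(2022, 9, 12, 21, 41, 0, [DateTimeKind]::Utc)
}
$SampleRecord = [pscustomobject]@{
    ActivityDateTime = [datetime]::new(2022, 9, 12, 21, 42, 49, [DateTimeKind]::Utc)
    CorrelationId    = '005cc13f-9fd5-4b95-89ce-19802a7a785f'
    InitiatedBy      = [pscustomobject]@{
        User = [pscustomobject]@{ UserPrincipalName = 'admin@example.onmicrosoft.com' }
        App  = $null
    }
}
Test-AppConsentGrant -App $SampleApp -AuditRecords @($SampleRecord) | Format-List
```

Run against the constructed record, the function reports GrantedBy as the sample admin, MinutesAfterCreation of 1.8, and Suspicious set to True. Dropping -AuditRecords makes it query Graph for real; the -All switch replaces -Top 1 so that every consent event for the app (not only the latest) is returned for review.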

Unfortunately, that's about all we can learn from the audit log using the Get-MgAuditLogDirectoryAudit cmdlet (the AdditionalDetails collection adds the AppId and User-Agent of the consenting client). Some additional information is available in the Azure AD admin center (Figure 1).

Figure 1: Audit log detail for an Azure AD consent permission grant

Azure AD also sends its audit data to the Office 365 audit log, so you can search there using a command like this:

[array]$Records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date).AddDays(1) -Formatted -ResultSize 5000 -Operations "Consent to application"

The Office 365 audit log retains records for 90 days (for accounts with Office 365 E3 licenses) or 365 days (accounts with Office 365 E5 licenses). If you don't find audit records in Azure AD, checking the Office 365 audit log can deliver a result. The downside of using the Office 365 audit log is that it is likely to be slower to find any records because there's more data to search, and a filter specific to the target application is not available in the way it is when using Get-MgAuditLogDirectoryAudit to check Azure AD audit records; you have to narrow the results yourself after the search returns them.
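Since Search-UnifiedAuditLog cannot filter on the target service principal, here is an added example (not code from the original post) that narrows the server-side search with -FreeText (the record must mention the GUID somewhere) and then parses the AuditData JSON client-side to keep only records whose Target list contains the service principal, returning who granted consent and when. The function name and the optional -Records parameter (for running offline against constructed records) are my assumptions, and so is the AuditData layout (Actor and Target arrays of ID/Type entries, plus ResultStatus and CorrelationId), which follows the Azure AD schema of the unified audit log but should be verified against a real record before relying on it. Live use requires Connect-ExchangeOnline and an audit log search role.

```powershell
# Added example, not from the original post: find consent grants for one
# service principal in the Office 365 unified audit log by combining a
# -FreeText search with client-side parsing of the AuditData JSON.
function Get-UnifiedConsentGrant {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$ServicePrincipalId,
        [int]$Days = 90,          # E3 retains 90 days; E5 retains 365
        [object[]]$Records        # optional: supply records (offline test) instead of searching
    )

    if (-not $PSBoundParameters.ContainsKey('Records')) {
        [array]$Records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) `
            -EndDate (Get-Date).AddDays(1) -Operations 'Consent to application' `
            -FreeText $ServicePrincipalId -ResultSize 5000 -Formatted
    }

    foreach ($Record in $Records) {
        $Data = $Record.AuditData | ConvertFrom-Json
        # Assumed schema: Target lists the objects the operation touched; drop records
        # that only mention the GUID elsewhere (e.g. in a different property)
        if (@($Data.Target.ID) -notcontains $ServicePrincipalId) { continue }
        # Assumed schema: Actor carries the initiator under several identity types;
        # pick the entry that looks like a UPN rather than relying on the Type code
        $Actor = @($Data.Actor.ID) | Where-Object { $_ -like '*@*' } | Select-Object -First 1

        [pscustomobject]@{
            CreationDate       = $Record.CreationDate
            Operation          = $Record.Operations
            ServicePrincipalId = $ServicePrincipalId
            TargetName         = @($Data.Target.ID) | Where-Object { $_ -ne $ServicePrincipalId } | Select-Object -First 1
            GrantedBy          = $Actor
            Result             = $Data.ResultStatus
            CorrelationId      = $Data.CorrelationId
        }
    }
}

# Constructed sample records (not real tenant data): one for the app of interest
# and one for an unrelated app that a -FreeText match alone would not exclude.
$SampleRecords = @(
    [pscustomobject]@{
        CreationDate = [datetime]::new(2022, 9, 12, 21, 42, 49, [DateTimeKind]::Utc)
        Operations   = 'Consent to application'
        AuditData    = '{"Operation":"Consent to application","ResultStatus":"Success","CorrelationId":"005cc13f-9fd5-4b95-89ce-19802a7a785f","Actor":[{"ID":"admin@example.onmicrosoft.com","Type":5}],"Target":[{"ID":"MalwareExample","Type":1},{"ID":"6df52e04-63b2-4007-af69-40430ee5a1d1","Type":2}]}'
    },
    [pscustomobject]@{
        CreationDate = [datetime]::new(2022, 9, 13, 9, 5, 0, [DateTimeKind]::Utc)
        Operations   = 'Consent to application'
        AuditData    = '{"Operation":"Consent to application","ResultStatus":"Success","CorrelationId":"11111111-2222-3333-4444-555555555555","Actor":[{"ID":"user@example.onmicrosoft.com","Type":5}],"Target":[{"ID":"OtherApp","Type":1},{"ID":"99999999-8888-7777-6666-555555555555","Type":2}]}'
    }
)
Get-UnifiedConsentGrant -ServicePrincipalId '6df52e04-63b2-4007-af69-40430ee5a1d1' -Records $SampleRecords | Format-List
```

Against the constructed records, only the first one is returned, with GrantedBy set to the sample admin. In a real tenant the -FreeText match reduces the volume returned by the search, but the Target check is what guarantees the record concerns the application under review rather than merely mentioning its identifier.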

The audit data is valuable information that can help identify problematic consent grants that might turn out to be illicit, but the data is only useful if people pay attention to the permissions granted to apps, especially the high-priority permissions.

A Script to Update

Now that we know how to query the Azure AD audit logs to find records for consent grants for an app, it would be easy to update the script to include the check in the code. The hardest part is probably the update to include the audit information in the HTML body of the message posted to Teams. I'll leave the script update as an exercise for the reader!

The key point is that Azure AD applications should not be left unsupervised. Whatever method you choose to check these applications, make sure it happens regularly and that someone is responsible for reviewing the reports and other outputs to detect any issues.


Learn more about how Office 365 applications really work on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what's important across the Office 365 ecosystem.

By AKDSEO