detecting-suspicious-oauth-application-consent

Solid

Detect risky OAuth application consent grants in Azure AD / Microsoft Entra ID using Microsoft Graph API, audit logs, and permission analysis to identify illicit consent grant attacks.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 97/100
Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 91
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Detecting Suspicious OAuth Application Consent

## Overview

Illicit consent grant attacks trick users into granting excessive permissions to malicious OAuth applications in Azure AD / Microsoft Entra ID. This skill uses the Microsoft Graph API to enumerate OAuth2 permission grants, analyze application permissions for overly broad scopes, review directory audit logs for consent events, and flag high-risk applications based on publisher verification status and permission scope.

## When to Use

- When investigating security incidents that require detecting suspicious OAuth application consent
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Azure AD / Entra ID tenant with Global Reader or Security Reader role
- Microsoft Graph API access with `Application.Read.All`, `AuditLog.Read.All`, `Directory.Read.All`
- Python 3.9+ with `msal`, `requests`
- App registration with client secret or certificate for authentication

## Steps

1. Authenticate to Microsoft Graph using MSAL client credentials flow
2. Enumerate all OAuth2 permission grants via `/oauth2PermissionGrants`
3. List service principals and their assigned application permissions
4. Query directory audit logs for `Consent to application` events
5. Flag applications with high-risk scopes (Mail.Read, Files.ReadWrite.All, etc.)
6. Ch...
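Steps 2 and 5 above amount to parsing the `scope` field of each `/oauth2PermissionGrants` record and flagging the high-risk delegated scopes. The following is an added example written for this page, not code from the skill or its repository; it uses the real field names of the Graph v1.0 `oauth2PermissionGrant` resource (`clientId`, `consentType`, `principalId`, `resourceId`, `scope`), but the grant records, service principal ids and the extra scopes beyond the two the skill names are constructed assumptions.

```python
# Added example (not the skill's own code): triage of Microsoft Graph
# oauth2PermissionGrant records for high-risk delegated scopes.
# Field names are those of the Graph v1.0 oauth2PermissionGrant resource;
# the sample records below are constructed, not captured from a tenant.
from typing import Dict, Iterable, List, Optional

# Scopes the skill calls out (Mail.Read, Files.ReadWrite.All) plus a few
# of the same class (mailbox, file and directory write access).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Directory.ReadWrite.All",
}

Grant = Dict[str, Optional[str]]

SAMPLE_GRANTS: List[Grant] = [  # constructed sample data
    {"id": "g1", "clientId": "sp-benign", "consentType": "Principal",
     "principalId": "user-1", "resourceId": "graph",
     "scope": "User.Read openid profile"},
    {"id": "g2", "clientId": "sp-suspect", "consentType": "Principal",
     "principalId": "user-2", "resourceId": "graph",
     "scope": "User.Read Mail.Read Files.ReadWrite.All offline_access"},
    {"id": "g3", "clientId": "sp-tenantwide", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph",
     "scope": "Mail.ReadWrite Mail.Send"},
]

def risky_scopes(grant: Grant) -> List[str]:
    """Return the high-risk scopes in a grant; 'scope' is space-separated."""
    scope = grant.get("scope") or ""
    return sorted(s for s in scope.split() if s in HIGH_RISK_SCOPES)

def flag_grants(grants: Iterable[Grant]) -> List[Dict[str, object]]:
    """Flag grants carrying high-risk scopes. consentType 'AllPrincipals'
    means admin consent for every user, so it is rated higher than a
    single user's 'Principal' consent."""
    findings: List[Dict[str, object]] = []
    for g in grants:
        scopes = risky_scopes(g)
        if not scopes:
            continue
        tenant_wide = g.get("consentType") == "AllPrincipals"
        findings.append({
            "grant_id": g["id"], "client_id": g["clientId"],
            "tenant_wide": tenant_wide, "risky_scopes": scopes,
            "severity": "high" if tenant_wide else "medium",
        })
    return findings

if __name__ == "__main__":
    for finding in flag_grants(SAMPLE_GRANTS):
        print(finding)
```

In a live run the records would come from paging `/oauth2PermissionGrants` (following `@odata.nextLink`) with a token obtained in step 1, and each flagged `client_id` would be resolved against the service principal list from step 3 to check publisher verification.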

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

detecting-azure-lateral-movement

Detect lateral movement in Azure AD/Entra ID environments using Microsoft Graph API audit logs, Azure Sentinel KQL hunting queries, and sign-in anomaly correlation to identify privilege escalation, token theft, and cross-tenant pivoting.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-oauth-token-theft

Detects and responds to OAuth token theft and replay attacks in cloud environments, focusing on Microsoft Entra ID (Azure AD) token protection, conditional access policies, and sign-in anomaly detection. Covers access token theft, refresh token replay, Primary Refresh Token (PRT) abuse, and pass-the-cookie attacks. Activates for requests involving OAuth token theft detection, token replay prevention, Azure AD conditional access token protection, or cloud identity attack investigation.

12,642 Updated today
mukul975
AI & Automation Solid

analyzing-office365-audit-logs-for-compromise

Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation, suspicious OAuth app grants, and other indicators of account compromise.

12,642 Updated today
mukul975
API & Backend Featured

performing-oauth-scope-minimization-review

Performs OAuth 2.0 scope minimization review to identify over-permissioned third-party application integrations, excessive API scopes, unused token grants, and risky OAuth consent patterns across identity providers and SaaS platforms. Activates for requests involving OAuth scope audit, API permission review, third-party app risk assessment, or consent grant minimization.

12,642 Updated today
mukul975
DevOps & Infrastructure Featured

detecting-azure-service-principal-abuse

Detect and investigate Azure service principal abuse including privilege escalation, credential compromise, admin consent bypass, and unauthorized enumeration in Microsoft Entra ID environments.

12,642 Updated today
mukul975