Detect Cloud Application Integration in Microsoft Sentinel
This detection identifies adversaries achieving persistence in SaaS environments by abusing OAuth application integrations. Attackers register malicious applications, hijack existing integrations, or consent to adversary-controlled apps from high-privileged accounts to maintain access even after account compromise or password resets. Detection focuses on anomalous OAuth consent grants, new application registrations, service principal creation, and permission escalation events in Microsoft 365, Azure AD/Entra ID, and Google Workspace environments. Particular attention is paid to admin consent grants for high-privilege scopes, application registrations from non-admin users, and OAuth grants that occur outside normal business workflows.
MITRE ATT&CK
- Tactic
- Persistence
- Technique
- T1671 Cloud Application Integration
- Canonical reference
- https://attack.mitre.org/techniques/T1671/
KQL Detection Query
let SuspiciousPermissions = dynamic(["Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All", "User.Read.All", "Directory.Read.All", "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "Application.ReadWrite.All", "full_access_as_app"]);
let LookbackPeriod = 30d;
AuditLogs
| where TimeGenerated > ago(LookbackPeriod)
| where OperationName in (
"Consent to application",
"Add application",
"Add service principal",
"Add OAuth2PermissionGrant",
"Add delegated permission grant",
"Update application",
"Add app role assignment to service principal",
"Add app role assignment grant to user"
)
| extend InitiatedByUser = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatedByApp = tostring(InitiatedBy.app.displayName)
| extend InitiatedByIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend TargetAppName = tostring(TargetResources[0].displayName)
| extend TargetAppId = tostring(TargetResources[0].id)
| extend TargetAppType = tostring(TargetResources[0].type)
| extend ModifiedProperties = TargetResources[0].modifiedProperties
| mv-expand ModifiedProperties
| extend PropName = tostring(ModifiedProperties.displayName)
| extend PropNewValue = tostring(ModifiedProperties.newValue)
| where PropName in ("ConsentType", "Permissions", "DelegatedPermissionGrant.Scope", "AppRoles") or OperationName in ("Add application", "Add service principal")
| extend IsAdminConsent = iff(PropName == "ConsentType" and PropNewValue has "AllPrincipals", true, false)
| extend HasSuspiciousPermission = iff(PropNewValue has_any (SuspiciousPermissions), true, false)
| where IsAdminConsent == true or HasSuspiciousPermission == true or OperationName in ("Add application", "Add service principal")
| summarize
EventCount = count(),
Operations = make_set(OperationName),
GrantedPermissions = make_set(PropNewValue),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by InitiatedByUser, InitiatedByApp, InitiatedByIPAddress, TargetAppName, TargetAppId, IsAdminConsent, HasSuspiciousPermission
| extend RiskScore = case(
IsAdminConsent == true and HasSuspiciousPermission == true, "Critical",
IsAdminConsent == true, "High",
HasSuspiciousPermission == true, "High",
"Medium"
)
| project FirstSeen, LastSeen, InitiatedByUser, InitiatedByIPAddress, TargetAppName, TargetAppId, Operations, GrantedPermissions, IsAdminConsent, HasSuspiciousPermission, RiskScore, EventCount
| order by FirstSeen descDetects suspicious OAuth application consent grants and registrations in Azure AD/Entra ID by monitoring AuditLogs for admin consent events, new application registrations, service principal creation, and permission grants involving high-privilege scopes such as Mail.Read, Directory.ReadWrite.All, and Application.ReadWrite.All. Results are scored by risk based on consent type and permissions granted.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate IT administrators deploying enterprise applications that require admin consent for business-critical permissions
- Productivity application onboarding during organizational rollouts (e.g., deploying a new CRM, ITSM, or HR integration)
- Third-party security vendors requiring Mail.Read or Directory.Read.All for legitimate CASB, DLP, or threat protection services
- Developers registering applications in development tenants or sandbox environments for testing purposes
- Microsoft-published first-party applications being re-consented after permission scope changes in product updates
Other platforms for T1671
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Register Malicious OAuth Application in Azure AD
Expected signal: AuditLogs entries: OperationName='Add application' and OperationName='Add service principal' with the new App ID in TargetResources. OperationName='Add delegated permission grant' showing Graph API permission additions.
- Test 2Grant Admin Consent to Existing Application via PowerShell
Expected signal: AuditLogs: OperationName='Add OAuth2PermissionGrant' with ConsentType='AllPrincipals' and Scope containing 'Mail.Read'. InitiatedBy will show the Global Administrator account. ResultType should be 'Success'.
- Test 3Add Client Secret to Existing Service Principal for Persistent API Access
Expected signal: AuditLogs: OperationName='Add password to service principal' with the target App ID in TargetResources and the credential display name 'AtomicTest-PersistentSecret'. AADSignInLogs: Service principal sign-in using client_credentials grant type showing the App ID authenticating to Microsoft Graph.
References (9)
- https://attack.mitre.org/techniques/T1671/
- https://pushsecurity.com/blog/saas-persistence-techniques/
- https://saasattacks.com/evil-twin-integrations
- https://www.wiz.io/blog/midnight-blizzard-microsoft-breach-2024
- https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
- https://www.huntress.com/blog/microsoft-365-oauth-phishing
- https://pushsecurity.com/blog/slack-persistence/
- https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals
- https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow
Unlock Pro Content
Get the full detection package for T1671 including response playbook, investigation guide, and atomic red team tests.