THREAT-M365-SuspiciousOAuthConsent Suspicious OAuth Application Consent Grant in Microsoft 365 Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// THREAT: Suspicious OAuth Application Consent Grant
// Detects illicit OAuth consent grants in Microsoft 365 / Entra ID
// Primary telemetry: Azure AD Audit Logs, O365 audit logs

// Alert 1: High-privilege OAuth application consent grants
let SensitivePermissions = dynamic([
  "Mail.Read", "Mail.ReadWrite", "Mail.Send",
  "Mail.ReadBasic.All", "MailboxSettings.ReadWrite",
  "Files.Read.All", "Files.ReadWrite.All",
  "Contacts.Read", "Contacts.ReadWrite",
  "User.Read.All", "User.ReadWrite.All",
  "Group.Read.All", "Directory.Read.All",
  "offline_access", "Calendars.ReadWrite",
  "Sites.Read.All", "Sites.ReadWrite.All"
]);
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName has_any ("Consent to application", "Add app role assignment to service principal",
    "Add delegated permission grant", "Add OAuth2PermissionGrant")
| where Result =~ "success"
| extend AppName = tostring(TargetResources[0].displayName)
| extend GrantedPermissions = tostring(AdditionalDetails)
| extend ConsentorIP = tostring(InitiatedBy.user.ipAddress)
| extend ConsentorUPN = tostring(InitiatedBy.user.userPrincipalName)
| where GrantedPermissions has_any (SensitivePermissions)
    or OperationName has "admin consent"
| project TimeGenerated, OperationName, AppName, ConsentorUPN,
    ConsentorIP, GrantedPermissions, TargetResources
| extend ThreatType = "OAuthConsent_SensitivePermissions";
// Alert 2: First-time application consent (new app never seen before in tenant)
let KnownApps = AuditLogs
| where TimeGenerated between (ago(90d) .. ago(1d))
| where OperationName has "Consent to application"
| extend AppId = tostring(TargetResources[0].id)
| distinct AppId;
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName has "Consent to application"
| extend AppId = tostring(TargetResources[0].id)
| extend AppName = tostring(TargetResources[0].displayName)
| where AppId !in~ (KnownApps)
| project TimeGenerated, AppName, AppId, InitiatedBy, TargetResources
| extend ThreatType = "OAuthConsent_NewUnseenApplication"

high severity high confidence

Data Sources

Azure AD Audit Logs (AuditLogs) Office 365 Unified Audit Log (OfficeActivity) Microsoft 365 Defender

Required Tables

AuditLogs OfficeActivity

False Positives

IT administrators deploying approved third-party Microsoft 365 integrations (Slack, Zoom, Adobe, DocuSign) and granting required permissions
Users adding approved productivity apps from Microsoft AppSource that request standard permissions
Microsoft-published applications (Power Automate, Power BI) requesting permissions during initial setup
Internal developers registering apps for legitimate automation workflows

Splunk

spl

index=azure sourcetype="azure:aad:audit"
OperationName IN ("Consent to application", "Add delegated permission grant",
                  "Add OAuth2PermissionGrant", "Add app role assignment to service principal")
Result="success"
| spath input=TargetResources path="{0}.displayName" output=AppName
| spath input=AdditionalDetails path="{}.value" output=PermissionDetails
| spath input=InitiatedBy path="user.userPrincipalName" output=ConsentorUPN
| spath input=InitiatedBy path="user.ipAddress" output=ConsentorIP
| eval sensitive_perms=if(
    match(PermissionDetails, "(?i)(Mail\.Read|Mail\.ReadWrite|Mail\.Send|Files\.Read|Files\.ReadWrite|offline_access|Directory\.Read|User\.Read\.All|Contacts\.Read|Sites\.Read)"),
    "YES", "NO"
  )
| where sensitive_perms="YES" OR OperationName="Add app role assignment to service principal"
| stats count AS ConsentEvents,
        values(AppName) AS AppsConsented,
        values(PermissionDetails) AS Permissions,
        values(ConsentorUPN) AS ConsentingUsers
  BY ConsentorIP, _time span=24h
| eval ThreatType="SuspiciousOAuth_ConsentGrant"
| eval ThreatActors="Midnight Blizzard, Storm-0558, Fancy Bear"
| sort - ConsentEvents

high severity high confidence

Data Sources

Azure AD Audit Logs via Splunk Add-on for Microsoft Cloud Services

Required Sourcetypes

azure:aad:audit

False Positives

IT admin deploying approved SaaS integrations
Microsoft 365 app setup wizard granting permissions for productivity tools

Elastic Security (EQL)

eql

any where event.dataset == "azure.auditlogs"
  and event.action in~ (
    "Consent to application",
    "Add delegated permission grant",
    "Add OAuth2PermissionGrant",
    "Add app role assignment to service principal"
  )
  and event.outcome == "success"
  and (
    azure.auditlogs.properties.additional_details : (
      "*Mail.Read*", "*Mail.ReadWrite*", "*Mail.Send*",
      "*Files.Read.All*", "*Files.ReadWrite.All*",
      "*offline_access*", "*Directory.Read.All*",
      "*User.Read.All*", "*User.ReadWrite.All*",
      "*Contacts.Read*", "*Contacts.ReadWrite*",
      "*Sites.Read.All*", "*Sites.ReadWrite.All*",
      "*MailboxSettings.ReadWrite*", "*Calendars.ReadWrite*",
      "*Group.Read.All*", "*Mail.ReadBasic.All*"
    )
    or event.action in~ ("Add app role assignment to service principal")
    or azure.auditlogs.properties.additional_details : "*admin consent*"
  )

high severity high confidence

Data Sources

Azure Active Directory Audit Logs via Elastic Azure integration Microsoft Entra ID Audit Logs Azure Monitor Diagnostic Logs forwarded to Elastic

Required Tables

azure.auditlogs

False Positives

Legitimate IT-sanctioned enterprise application deployments where administrators intentionally grant broad OAuth permissions to approved productivity or security tools such as Salesforce, Workday, or ServiceNow M365 connectors
Microsoft first-party or rebranded applications appearing as new consents during tenant migrations, license tier upgrades, or Microsoft Entra policy changes that require re-consent
Automated provisioning workflows including Azure DevOps service principals and Power Automate connectors legitimately requesting delegated or application permissions as part of CI/CD pipeline setup

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(startTime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  username AS ConsentorUPN,
  sourceip AS ConsentorIP,
  QIDNAME(qid) AS OperationName,
  "deviceCustomString1" AS AppName,
  "deviceCustomString3" AS PermissionsGranted,
  CATEGORYNAME(category) AS CategoryName,
  magnitude
FROM events
WHERE LOGSOURCETYPEID(devicetype) = 413
  AND (
    LOWER(QIDNAME(qid)) = 'consent to application'
    OR LOWER(QIDNAME(qid)) = 'add delegated permission grant'
    OR LOWER(QIDNAME(qid)) = 'add oauth2permissiongrant'
    OR LOWER(QIDNAME(qid)) = 'add app role assignment to service principal'
  )
  AND (
    "deviceCustomString3" ILIKE '%Mail.Read%'
    OR "deviceCustomString3" ILIKE '%Mail.ReadWrite%'
    OR "deviceCustomString3" ILIKE '%Mail.Send%'
    OR "deviceCustomString3" ILIKE '%Mail.ReadBasic.All%'
    OR "deviceCustomString3" ILIKE '%Files.Read.All%'
    OR "deviceCustomString3" ILIKE '%Files.ReadWrite.All%'
    OR "deviceCustomString3" ILIKE '%offline_access%'
    OR "deviceCustomString3" ILIKE '%Directory.Read.All%'
    OR "deviceCustomString3" ILIKE '%User.Read.All%'
    OR "deviceCustomString3" ILIKE '%User.ReadWrite.All%'
    OR "deviceCustomString3" ILIKE '%Contacts.Read%'
    OR "deviceCustomString3" ILIKE '%Contacts.ReadWrite%'
    OR "deviceCustomString3" ILIKE '%Sites.Read.All%'
    OR "deviceCustomString3" ILIKE '%Sites.ReadWrite.All%'
    OR "deviceCustomString3" ILIKE '%MailboxSettings.ReadWrite%'
    OR "deviceCustomString3" ILIKE '%Calendars.ReadWrite%'
    OR "deviceCustomString3" ILIKE '%Group.Read.All%'
    OR LOWER(QIDNAME(qid)) = 'add app role assignment to service principal'
  )
ORDER BY startTime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Microsoft Azure Active Directory DSM (LOGSOURCETYPEID 413) Azure Monitor Logs forwarded to QRadar via Syslog or Azure Event Hub Microsoft Office 365 DSM for unified audit log events

Required Tables

events

False Positives

Enterprise application deployments by IT where administrators intentionally grant broad OAuth permissions to approved productivity or security tools during onboarding or integration setup
Automated provisioning via Azure DevOps or infrastructure-as-code pipelines creating service principals with application-level permissions to Exchange Online or SharePoint
Periodic re-consent workflows triggered by Microsoft after permission scope changes, Conditional Access policy updates, or tenant-wide admin consent policy enforcement changes

Sumo Logic CSE

sql

_sourceCategory=azure/aad/audit OR _sourceCategory=azure/active_directory/audit
| json field=_raw "operationName" as OperationName nodrop
| json field=_raw "result" as Result nodrop
| where OperationName in (
    "Consent to application",
    "Add delegated permission grant",
    "Add OAuth2PermissionGrant",
    "Add app role assignment to service principal"
  )
| where Result = "success"
| json field=_raw "targetResources[0].displayName" as AppName nodrop
| json field=_raw "targetResources[0].id" as AppId nodrop
| json field=_raw "initiatedBy.user.userPrincipalName" as ConsentorUPN nodrop
| json field=_raw "initiatedBy.user.ipAddress" as ConsentorIP nodrop
| json field=_raw "additionalDetails" as AdditionalDetails nodrop
| where matches(AdditionalDetails, "(?i)(Mail\.Read|Mail\.ReadWrite|Mail\.Send|Mail\.ReadBasic\.All|Files\.Read\.All|Files\.ReadWrite\.All|offline_access|Directory\.Read\.All|User\.Read\.All|User\.ReadWrite\.All|Contacts\.Read|Contacts\.ReadWrite|Sites\.Read\.All|Sites\.ReadWrite\.All|MailboxSettings\.ReadWrite|Calendars\.ReadWrite|Group\.Read\.All)")
  OR OperationName = "Add app role assignment to service principal"
| count as ConsentEvents by ConsentorIP, AppName, AppId, ConsentorUPN, OperationName
| sort by ConsentEvents desc
| fields ConsentorIP, AppName, AppId, ConsentorUPN, OperationName, ConsentEvents

high severity high confidence

Data Sources

Azure Active Directory Audit Logs via Sumo Logic Azure source collector Microsoft 365 Unified Audit Logs forwarded to Sumo Logic Sumo Logic Cloud SIEM Enterprise (CSE) with Azure AD normalized records

Required Tables

azure/aad/audit azure/active_directory/audit

False Positives

Legitimate deployment of approved enterprise OAuth applications by IT administrators that require broad permissions for business functionality such as backup, DLP, or archiving solutions
ISV software integrations connecting to Microsoft 365 during product trials or onboarding where the vendor's app requests standard delegated scopes
Microsoft-published applications being consented for the first time after new tenant policies, license changes, or Copilot feature roll-outs that require explicit admin consent

Google Chronicle / SecOps

yaral

rule suspicious_oauth_consent_grant_m365 {
  meta:
    author = "Detection Engineering"
    description = "Detects illicit OAuth consent grants with sensitive API permissions in Microsoft 365 / Entra ID — covers Storm-0558 and Midnight Blizzard consent phishing"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1098.003"
    false_positives = "Legitimate IT-sanctioned app deployments, ISV onboarding, Microsoft first-party app consent"
    reference = "https://www.microsoft.com/security/blog/2023/09/07/microsoft-mitigates-china-based-threat-actor-storm-0558"

  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.metadata.product_name = "Azure Active Directory"
    $e.metadata.product_event_type in nocase (
      "Consent to application",
      "Add delegated permission grant",
      "Add OAuth2PermissionGrant",
      "Add app role assignment to service principal"
    )
    $e.security_result.action = "ALLOW"
    (
      re.regex(
        $e.target.resource.attribute.labels["permissions"],
        `(?i)(Mail\.Read|Mail\.ReadWrite|Mail\.Send|Mail\.ReadBasic\.All|Files\.Read\.All|Files\.ReadWrite\.All|offline_access|Directory\.Read\.All|User\.Read\.All|User\.ReadWrite\.All|Contacts\.Read|Contacts\.ReadWrite|Sites\.Read\.All|Sites\.ReadWrite\.All|MailboxSettings\.ReadWrite|Calendars\.ReadWrite|Group\.Read\.All)`
      ) or
      re.regex($e.metadata.product_event_type, `(?i)admin\s+consent`) or
      $e.metadata.product_event_type = "Add app role assignment to service principal"
    )
    $user = $e.principal.user.email_addresses[0]
    $app = $e.target.application
    $src_ip = $e.principal.ip

  condition:
    $e
}

high severity high confidence

Data Sources

Azure Active Directory Audit Logs ingested into Chronicle via Google Cloud Log Ingestion Microsoft 365 Unified Audit Log via Chronicle M365 ingestion Entra ID sign-in and audit events via Chronicle Azure AD parser

Required Tables

azure_ad

False Positives

Legitimate enterprise application deployments where IT administrators intentionally consent to broad permissions for approved internal or third-party SaaS tools including CASB, archiving, and eDiscovery platforms
Automated CI/CD pipeline service principal grants for DevOps tooling accessing SharePoint Online or Exchange Online as part of infrastructure automation
Microsoft-published first-party applications such as Teams, Viva, or Microsoft 365 Copilot receiving admin consent during new feature activation or license expansion events

CrowdStrike LogScale (CQL)

cql

#type=azure_ad_audit_log
| OperationName in values=[
    "Consent to application",
    "Add delegated permission grant",
    "Add OAuth2PermissionGrant",
    "Add app role assignment to service principal"
  ]
| Result="success"
| test(
    regex("(?i)(Mail\\.Read|Mail\\.ReadWrite|Mail\\.Send|Mail\\.ReadBasic\\.All|Files\\.Read\\.All|Files\\.ReadWrite\\.All|offline_access|Directory\\.Read\\.All|User\\.Read\\.All|User\\.ReadWrite\\.All|Contacts\\.Read|Contacts\\.ReadWrite|Sites\\.Read\\.All|Sites\\.ReadWrite\\.All|MailboxSettings\\.ReadWrite|Calendars\\.ReadWrite|Group\\.Read\\.All)",
    field=AdditionalDetails)
  OR OperationName="Add app role assignment to service principal"
)
| groupBy(
    [ConsentorIP, AppName, ConsentorUPN],
    function=[
      count(as=ConsentEvents),
      collect([OperationName, AdditionalDetails, AppId], limit=20)
    ]
  )
| sort(ConsentEvents, order=desc)
| ConsentEvents > 0
| ThreatType := "SuspiciousOAuth_ConsentGrant"
| ThreatActors := "Storm-0558, Midnight Blizzard"

high severity medium confidence

Data Sources

Azure Active Directory Audit Logs forwarded to CrowdStrike Falcon LogScale via Azure Event Hub Microsoft 365 Unified Audit Logs ingested into Falcon LogScale CrowdStrike Falcon Identity Protection Azure AD telemetry

Required Tables

azure_ad_audit_log

False Positives

IT-sanctioned enterprise application onboarding where administrators intentionally consent to broad OAuth permission scopes for business-critical integrations such as backup, compliance, or CASB solutions
OAuth re-consent flows triggered by Microsoft tenant policy updates, Conditional Access enforcement changes, or permission scope modifications to existing trusted applications
Development and test environments where developers register OAuth applications and grant broad scopes during integration testing or pre-production validation cycles

Suspicious OAuth Application Consent Grant in Microsoft 365

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Same Tactic: Credential Access

Popular Detections