CG
SkillsDetecting Suspicious OAuth Application Consent
Start Free
Back to Skills Library
Cloud Security🟡 Intermediate

Detecting Suspicious OAuth Application Consent

Detect risky OAuth application consent grants in Azure AD / Microsoft Entra ID using Microsoft Graph API, audit logs, and permission analysis to identify illicit consent grant attacks.

3 min read

Prerequisites

  • Azure AD / Entra ID tenant with Global Reader or Security Reader role
  • Microsoft Graph API access with `Application.Read.All`, `AuditLog.Read.All`, `Directory.Read.All`
  • Python 3.9+ with `msal`, `requests`
  • App registration with client secret or certificate for authentication

Detecting Suspicious OAuth Application Consent

Overview

Illicit consent grant attacks trick users into granting excessive permissions to malicious OAuth applications in Azure AD / Microsoft Entra ID. This skill uses the Microsoft Graph API to enumerate OAuth2 permission grants, analyze application permissions for overly broad scopes, review directory audit logs for consent events, and flag high-risk applications based on publisher verification status and permission scope.

Prerequisites

  • Azure AD / Entra ID tenant with Global Reader or Security Reader role
  • Microsoft Graph API access with Application.Read.All, AuditLog.Read.All, Directory.Read.All
  • Python 3.9+ with msal, requests
  • App registration with client secret or certificate for authentication

Steps

  1. Authenticate to Microsoft Graph using MSAL client credentials flow
  2. Enumerate all OAuth2 permission grants via /oauth2PermissionGrants
  3. List service principals and their assigned application permissions
  4. Query directory audit logs for Consent to application events
  5. Flag applications with high-risk scopes (Mail.Read, Files.ReadWrite.All, etc.)
  6. Check publisher verification status for each application
  7. Generate risk report with remediation recommendations

Expected Output

  • JSON report listing all OAuth apps with granted permissions, risk scores, unverified publishers, and suspicious consent patterns
  • Audit trail of consent grant events with user and IP details

Verification Criteria

Confirm successful execution by validating:

  • [ ] All prerequisite tools and access requirements are satisfied
  • [ ] Each workflow step completed without errors
  • [ ] Output matches expected format and contains expected data
  • [ ] No security warnings or misconfigurations detected
  • [ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

  • SOC 2: CC6.1 (Logical Access), CC6.6 (System Boundaries), CC7.1 (Monitoring)
  • ISO 27001: A.8.1 (Asset Management), A.13.1 (Network Security), A.14.1 (System Acquisition)
  • NIST 800-53: AC-3 (Access Enforcement), SC-7 (Boundary Protection), CM-7 (Least Functionality)
  • NIST CSF: PR.AC (Access Control), PR.DS (Data Security), DE.CM (Continuous Monitoring)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

Register this skill with your Claw GRC agent for automated execution:

# Install via CLI
npx claw-grc skills add detecting-suspicious-oauth-application-consent

# Or load dynamically via MCP
grc.load_skill("detecting-suspicious-oauth-application-consent")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

  • SHA-256 chain hashing ensures no step can be modified after execution
  • Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
  • Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Use with Claw GRC Agents

This skill is fully compatible with Claw GRC's autonomous agent system. Deploy it to any registered agent via MCP, and every execution will be logged in the tamper-evident audit trail.

// Load this skill in your agent
npx claw-grc skills add detecting-suspicious-oauth-application-consent
// Or via MCP
grc.load_skill("detecting-suspicious-oauth-application-consent")

Tags

OAuthAzure-ADEntra-IDMicrosoft-Graphillicit-consentcloud-securityapplication-permissions

Related Skills

Cloud Security

Analyzing Office365 Audit Logs for Compromise

3m·intermediate
Cloud Security

Auditing AWS S3 Bucket Permissions

6m·intermediate
Cloud Security

Auditing Azure Active Directory Configuration

6m·intermediate
Cloud Security

Auditing GCP IAM Permissions

6m·intermediate
Cloud Security

Auditing Kubernetes Cluster RBAC

7m·intermediate
Cloud Security

Auditing Terraform Infrastructure for Security

6m·intermediate

Skill Details

Domain
Cloud Security
Difficulty
intermediate
Read Time
3 min
Code Examples
0

On This Page

OverviewPrerequisitesStepsExpected OutputVerification CriteriaCompliance Framework MappingDeploying This Skill with Claw GRC

Deploy This Skill

Add this skill to your Claw GRC agent and start automating.

Get Started Free →