Microsoft Entra ID

How to Audit Application Consent Grants in Microsoft Entra ID

Are you keeping track of which apps have access to your Microsoft 365 data? Without proper oversight of Azure AD app consent grant activities, there’s a risk of privilege escalation and potential data breaches. Regularly auditing consent to Entra apps can help detect implicit security threats and prevent sensitive data exposure. Therefore, this guide will walk you through how to track app consent activities in Microsoft Entra ID.

Generate Detailed Report on Consent Grant Given to Apps Using PS Script

Microsoft 365 Permission Required

View-Only Audit Logs role Least Privilege

Global Admin Most Privilege

The PowerShell cmdlet Search-UnifiedAuditLog from the Exchange Online module can audit consent to application activities in Microsoft 365. However, the raw output often lacks clarity and user-friendliness.
To bridge this gap, we’ve developed a PowerShell script that not only audits app consent operations but also generates detailed and easy-to-read reports with valuable insights.
In addition to consent-related activities, the script supports filtering other operations such as credential changes, app delegation modifications, and more.
To generate a report on consent to application activity, run the script with the Operations parameter with the value "Consent to Applications" as shown below.
```
./AuditEntraAppOperations -Operations "Consent to Application"
```

Generate Detailed Report on Consent Grant Given to Apps Using PS Script

AuditEntraAppOperations.ps1

Simple & Quick
Uncover Entra ID Illicit Consent Grant Attempts Using AdminDroid

AdminDroid Permission Required Delegated

Any user with the report access delegated by the Super Admin.

Log in to the AdminDroid Microsoft 365 reporter.
Navigate to the Consent to Applications report under Audit»Azure AD»Application Audit.
This report provides detailed insights into applications and service principals that have been admin consented in Microsoft 365.
It includes information such as the target application name, admin who granted the consent, result status of the operation, user who initiated the operation, and more.

Uncover Entra ID Illicit Consent Grant Attempts Using AdminDroid

AdminDroid Entra Application Auditing Tool

Experience Unmatched Visibility into Microsoft Entra Application Activity!

AdminDroid’s Microsoft 365 application auditing tool provides deep insights on third-party and custom app registrations at no cost. This helps you monitor all application operations and service principal changes across your tenant through one centralized tool.

Spot Unnecessary App Registrations in Microsoft Entra

Track all newly created applications in your Microsoft 365 tenant to verify any app created without proper review.

Discover OAuth2 Consent Grants Across Entra Apps

Audit OAuth2 consents granted to applications to verify that granted permission scopes align with users’ intended purpose and usage.

Monitor App Role Assignments in Entra ID

Check app role assignments to find out if consent activities have accidentally granted elevated permissions for users or service principals.

Identify App Configuration Changes in Azure AD

Use the updated applications report to track changes in Azure AD app registrations such as permissions, redirect URIs, and more to quickly spot any misconfigurations.

Trace Credential Changes on Consented Apps

Review app credential changes report on admin-consented app registrations to detect unauthorized access and potential misuse in Entra ID.

Uncover Shifts in Entra App Delegated Permissions

Analyze the delegated permission changes on apps to identify any unexpected increases in access permission that could indicate critical security risks.

Overall, AdminDroid's Azure AD management tool redefines application visibility by providing deep insights into app permissions and access activities. This allows administrators to swiftly detect unauthorized access, track permission changes, and maintain strict control over application security.

Explore a full range of reporting options

Download Live Demo

Important Tips

Remove unused Entra ID apps granted with admin consent to minimize the risk of data leaks and avoid misuse of permissions.

Minimize manual intervention in app credential updates by using Entra app management policies to automate the lifecycle management of app credentials.

Create access reviews for apps to periodically verify user access permissions and ensure only necessary ones are retained for optimal security.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints while managing Entra ID application consent grant activities.

Error Connect-MgGraph : InteractiveBrowserCredential authentication failed: AADSTS650053: The application 'Microsoft Graph Command Line Tools' asked for scope '' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'.

This error occurs due to the specified scopes in the 'Connect-MgGraph' cmdlet are incorrect or contain spelling mistakes.

Fix To resolve this error, verify the scopes entered are valid and ensure there are no typos.

Error New-MgPolicyPermissionGrantPolicy: PermissionGrantPolicy's Id has invalid characters. Only alphanumeric, '-', and '_' characters allowed. No whitespaces are allowed.

This error occurs because the -Id parameter’s value in the New-MgPolicyPermissionGrantPolicy cmdlet contains invalid characters or spaces.

Fix To resolve this error, ensure the -Id parameter’s value should include only letters, numbers, hyphens (-), and underscores (_).

New-MgPolicyPermissionGrantPolicy -Id "My-Custom-Policy" -DisplayName "My Custom Policy" -Description "This policy was created to show an example of how to frame policy id."

Error New-MgPolicyPermissionGrantPolicyExclude: Condition set f569a0fa-ae34-4cdb-9137-6dac7c224bed in the policy contains exact same set of conditions.

This error occurs when you try to add the same 'exclude' condition set to the app consent policy more than once.

Fix To resolve this error, ensure that existing 'exclude' condition sets are not added multiple times to the app consent policy.

Error New-MgPolicyPermissionGrantPolicyInclude: Condition set f569a0fa-ae34-4cdb-9137-6dac7c224bed in the policy contains exact same set of conditions.

This error occurs when you attempt to add an identical 'include' condition set to the app consent policy that already exists.

Fix To resolve this error, avoid adding same ‘include’ condition set more than once in the app consent policy.

Azure AD

Frequently Asked Questions

Enhance Entra App Consent Grant Controls to Defend Against Illicit Attacks

How to investigate app consent grant activities for illicit consent attack?

How to create admin consent workflow for apps in Microsoft Entra ID?

How to configure user consent settings in Microsoft 365?

How to manage app consent policies in Microsoft Entra ID?

1. How to investigate app consent grant activities for illicit consent attack?

In an illicit consent grant attack, threat actors register a malicious application to request access to sensitive organizational data. Mostly they trick users through phishing attempts or compromised websites to grant consent to that malicious app. This allows that app to access the organization's data without needing further authentication.

Investigate app consent grants to spot unverified access

As password resets and MFA can’t prevent this type of attack, it’s important to review app consent grants to detect and stop unauthorized access.

Analyze for indicators of compromise (IOC): Leverage the consent grant audit report to find all applications with admin consent grant. If you find multiple instances of the same application, it may indicate potential unauthorized consent grants.
Review permissions granted to apps: Now, examine the impacted apps and its users, along with their permissions. To do that, use the following cmdlets to get all user and admin consent grant for the application.

Connect-MgGraph –Scopes "Application.Read.All", "DelegatedPermissionGrant.Read.All" 
Get-MgServicePrincipal -Filter "DisplayName eq '<AppDisplayName>'" | ForEach-Object 
{ Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $_.Id } | Format-Table -Wrap -AutoSize

Note: Before executing the cmdlet above, replace <AppDisplayName> with the display name of the application for which you want to check consent grants.

Here, check the ConsentType to determine whether the permissions are admin consented, or user consented. The consent type ‘AllPrincipals’ indicates admin consent, while ‘Principal’ indicates user consent.

Handy Tip: After finding app consented with any high-privileged or unnecessary permissions, use the same consent grant audit report to see when the app had access. This will help you assess the full extent of the attack.

Revoke app permissions in Microsoft Entra to prevent unauthorized access

If you confirmed the attack, you could follow the steps below to remediate illicit consent grant attacks.

In the Microsoft Entra portal, navigate to Identity»Users»All users»Select the user»Applications»Choose the illicit application»Remove.
To revoke OAuth consent grant for user, you can use the PowerShell cmdlet below. Replace ID with the OAuth2 permission grant ID of the app obtained from the app consent investigation.
```
Connect-MgGraph –Scopes "DelegatedPermissionGrant.ReadWrite.All" 
Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <ID>
```

Further Consideration: Block sign-in for the affected user account to restrict app access, and disable user consent to mandate the admin approval for granting app access.

3. How to configure user consent settings in Microsoft 365?

Controlling when and how users grant app permissions is key to reducing unnecessary access and securing organizational data. By default, users can approve applications that request for selected permission not requiring admin approval. While this may seem harmless, attackers often exploit it using deceptive apps to gain access.

To mitigate this risk, you can follow the steps below to manage user app consent settings in Entra ID.

Configure how user consent to applications in Microsoft Entra admin center

In the Microsoft Entra admin center, navigate to Identity»Applications»Enterprise applications»Security»Consent and permissions.
Under User consent settings, choose one of the following options that best aligns with your organization's security policies and click Save to apply the changes.

Do not allow user consent – Users are prevented from consenting to any app and only admins can approve access.
Allow user consent for apps from verified publishers, for selected permissions (Recommended) – Users are allowed to consent to "low impact" permissions for apps from verified publishers or apps registered in the organization.
Allow user consent for all apps – Grants users the ability to consent to any app requesting permissions.

Note: If you chose the consent for apps from verified publishers policy, define the desired low-impact permissions for your organization by using either the Select permissions to classify as low impact option or the Permission classifications section.

Configure user consent settings for Entra apps using PowerShell

You can also use PowerShell to set app consent policies that define how users can grant access to applications. To do so, first connect to Microsoft Graph with required permissions using the cmdlet below.

Connect-MgGraph –Scopes "Policy.ReadWrite.Authorization"

Run the following cmdlet to enable user consent subject to the built-in policy ‘microsoft-user-default-low’ (Allow user consent for apps from verified publishers, for selected permissions).

$body = @{ 
defaultUserRolePermissions = @{ 
permissionGrantPoliciesAssigned = @( 
"managePermissionGrantsForSelf.microsoft-user-default-low") 
}} 
Update-MgPolicyAuthorizationPolicy -BodyParameter $body

You can also set other two policies such as microsoft-user-default-recommended (Do not allow user consent) and microsoft-user-default-legacy (Allow user consent for all apps) using these policy ids.

Important: Even if you disable user consent to apps, users can still consent to apps accessing the groups they own.

4. How to manage app consent policies in Microsoft Entra ID?

Microsoft Entra ID app consent policies give you control over your organization's data access by establishing clear guidelines for application approval. These policies operate through a straightforward but powerful system of 'include' and 'exclude' condition sets, where applications must match at least one include condition while avoiding all exclude conditions to receive approval.

To manage app consent policies for applications, you need to connect with Microsoft Graph PowerShell with following cmdlet.

Connect-MgGraph –Scopes "Policy.ReadWrite.PermissionGrant"

View existing app consent policies using PowerShell

To get of list of all existing app consent policies in your Microsoft 365 tenant, use the cmdlet below.
```
Get-MgPolicyPermissionGrantPolicy | Format-Table Id, DisplayName, Description
```
Note: Built-in policies, identified by IDs starting with ‘microsoft-’, are read-only but can be referenced in custom directory roles and user consent settings.
Run the cmdlet below with an app policy’s ID to view the ‘include’ condition specifically set to it.
```
Get-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId "<Policy-Id>" | Format-List
```

Use the following to display the ‘exclude’ condition sets of a specific policy.

Get-MgPolicyPermissionGrantPolicyExclude -PermissionGrantPolicyId "<Policy-Id>" | Format-List

Create custom app consent policy in Microsoft 365

To create a new app consent policy, run the New-MgPolicyPermissionGrantPolicy cmdlet like below.

New-MgPolicyPermissionGrantPolicy -Id "<Policy-Id>" -DisplayName "<PolicyDisplayName>" -Description "<PolicyDescription>"

After creating the policy, you should add ‘include’ condition sets to specify which permissions are allowed. To add ‘include’ condition sets, use the New-MgPolicyPermissionGrantPolicyInclude cmdlet.

New-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId "<Policy-Id>" -PermissionType "<delegated/application>" -PermissionClassification "<low/medium/high>" -ClientApplicationsFromVerifiedPublisherOnly

If you want to add some ‘exclude’ condition sets to the policy, use the New-MgPolicyPermissionGrantPolicyExclude cmdlet.

New-MgPolicyPermissionGrantPolicyExclude -PermissionGrantPolicyId "<Policy-Id>" -PermissionType "<delegated/application>" -ResourceApplication "<ResourceAppId>"

To remove a custom app consent policy, use the Remove-MgPolicyPermissionGrantPolicy cmdlet like below.

Remove-MgPolicyPermissionGrantPolicy -PermissionGrantPolicyId "<Policy-Id>"

Note: Replace the placeholders in the cmdlets with your actual values, such as policy IDs, display names, and more before execution.