15.6 Tenant-Wide Consent Audit

3-5 hours · Module 15

The immediate incident is contained. Now determine whether other malicious applications exist in the tenant. Most organisations have never audited their OAuth consent grants — the accumulation of years of user-consented applications, many of which are over-permissioned, abandoned, or from unverified publishers.


Step 1: Inventory all consented applications with high-risk permissions

// All OAuth consent grants in the last 365 days with high-risk permissions
AuditLogs
| where TimeGenerated > ago(365d)
| where OperationName == "Consent to application"
| where Result == "success"
| extend AppName = tostring(TargetResources[0].displayName)
| extend AppId = tostring(TargetResources[0].id)   // object ID of the app's service principal, not the client (application) ID
| extend ConsentUser = tostring(InitiatedBy.user.userPrincipalName)
| extend Permissions = tostring(TargetResources[0].modifiedProperties)
| where Permissions has_any ("Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "MailboxSettings.ReadWrite", "User.ReadWrite.All")
| summarize
    ConsentCount = count(),
    Users = make_set(ConsentUser, 20),
    FirstConsent = min(TimeGenerated),
    LastConsent = max(TimeGenerated)
    by AppName, AppId
| order by ConsentCount desc

What to examine: Applications with high-risk permissions consented by multiple users — especially applications you do not recognise. For each: verify the publisher, check the registration date, confirm the application is needed for business operations, and assess whether the permissions are appropriate.


Step 2: Identify unverified publishers

In Entra ID → Enterprise Applications, filter by “Publisher verified: No.” Every application from an unverified publisher should be reviewed. Unverified does not automatically mean malicious — many legitimate third-party applications have unverified publishers. But unverified + high-risk permissions + multiple user consents = investigate.
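The portal filter above shows publisher verification one application at a time. As an added example (not part of the course material), the following Microsoft Graph PowerShell SDK script pulls the same information for every consented application in one pass and writes the tracking rows the audit needs: publisher verification status, delegated and application permissions, how many users consented, and which permissions are on the course's high-risk list. It assumes the `Microsoft.Graph` module is installed; the cmdlet names are the SDK's, the Microsoft Graph application ID `00000003-0000-0000-c000-000000000000` is the well-known one, and the output file name is a choice made here. Dormancy (Step 3) still comes from the sign-in logs in Sentinel.

```powershell
# Added example (not part of the course material): build the consent-audit
# tracking rows directly from Microsoft Graph with the Microsoft Graph PowerShell
# SDK. Covers Steps 1 and 2 from the directory side: delegated (OAuth2) grants,
# application (app role) permissions, how many users consented, whether the
# publisher is verified, and which granted permissions are on the high-risk list.
# Prerequisite: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

# Same high-risk list as the Step 1 query
$HighRiskPermissions = @(
    'Mail.ReadWrite', 'Mail.Send', 'Files.ReadWrite.All',
    'Directory.ReadWrite.All', 'MailboxSettings.ReadWrite', 'User.ReadWrite.All'
)

# Microsoft Graph's own service principal (well-known application ID), used to map
# the app role IDs on application-permission assignments back to permission names
$GraphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$RoleNameById = @{}
foreach ($role in $GraphSp.AppRoles) { $RoleNameById["$($role.Id)"] = $role.Value }

# Delegated grants: one record per client app, consent type and (for user consent)
# consenting user; Scope is a space-separated list of permission names
$GrantsByClient = Get-MgOauth2PermissionGrant -All |
    Group-Object -Property ClientId -AsHashTable -AsString

$ServicePrincipals = Get-MgServicePrincipal -All -Property 'Id,AppId,DisplayName,VerifiedPublisher'

# One Graph call per service principal for app role assignments; slow in large tenants
$Report = foreach ($sp in $ServicePrincipals) {
    $grants   = @($GrantsByClient[$sp.Id] | Where-Object { $null -ne $_ })
    $appRoles = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)
    if ($grants.Count -eq 0 -and $appRoles.Count -eq 0) { continue }   # nothing consented to this app

    $delegated   = @($grants | ForEach-Object { $_.Scope -split ' ' } | Where-Object { $_ })
    $application = @($appRoles | ForEach-Object { $RoleNameById["$($_.AppRoleId)"] } | Where-Object { $_ })
    $allPerms    = @($delegated + $application | Sort-Object -Unique)
    $highRisk    = @($allPerms | Where-Object { $_ -in $HighRiskPermissions })

    [pscustomobject]@{
        AppName             = $sp.DisplayName
        ServicePrincipalId  = $sp.Id          # matches TargetResources[0].id in the audit log
        AppId               = $sp.AppId
        PublisherVerified   = [bool]$sp.VerifiedPublisher.VerifiedPublisherId
        Publisher           = $sp.VerifiedPublisher.DisplayName
        AdminConsent        = @($grants | Where-Object ConsentType -eq 'AllPrincipals').Count -gt 0
        ConsentingUsers     = @($grants | Where-Object ConsentType -eq 'Principal' |
                                  Select-Object -ExpandProperty PrincipalId -Unique).Count
        HighRiskCount       = $highRisk.Count
        HighRiskPermissions = $highRisk -join ' '
        AllPermissions      = $allPerms -join ' '
        Assessment          = ''              # legitimate / investigate / remove, filled in during review
    }
}

# Triage order from the course: unverified publisher first, then the most
# high-risk permissions, then the most consenting users
$Report |
    Sort-Object PublisherVerified,
                @{ Expression = 'HighRiskCount'; Descending = $true },
                @{ Expression = 'ConsentingUsers'; Descending = $true } |
    Export-Csv -Path .\consent-audit-baseline.csv -NoTypeInformation
```

The CSV is the tracking document described later in this subsection, with the assessment column left blank for the reviewer. Rows at the top (unverified publisher, several high-risk permissions, many consenting users) are the ones the text says to investigate first.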


Step 3: Check for dormant applications

// Applications consented but not used in 90 days.
// Consent audit events identify the app by its service principal object ID
// (TargetResources[0].id), so activity must be matched on ServicePrincipalId in
// the sign-in log, not on AppId, which is the application (client) ID.
// AADServicePrincipalSignInLogs records app-only (client credential) sign-ins;
// an app used only through delegated permissions signs in via the user sign-in
// logs, so check those before treating it as dormant.
let ActiveApps = AADServicePrincipalSignInLogs
| where TimeGenerated > ago(90d)
| where ResultType == "0"
| distinct ServicePrincipalId;
AuditLogs
| where TimeGenerated > ago(365d)
| where OperationName == "Consent to application"
| where Result == "success"
| extend ServicePrincipalId = tostring(TargetResources[0].id)
| extend AppName = tostring(TargetResources[0].displayName)
| distinct ServicePrincipalId, AppName
| join kind=leftanti ActiveApps on ServicePrincipalId
| project AppName, ServicePrincipalId, Status = "Consented but no activity in 90 days"

Dormant applications with high-risk permissions are abandoned attack surface. If the application is no longer needed: revoke the consent. If it is needed but inactive: verify with the business owner.
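Revoking consent for an application the audit marked "remove" means deleting every grant the application holds, not just the one a single user created. As an added example (not course code), this Microsoft Graph PowerShell SDK function does that for one service principal: it removes all delegated (OAuth2) grants where the app is the client and all application-permission (app role) assignments it holds, then disables the service principal so the app can no longer obtain tokens. It runs as a dry run unless `-Commit` is passed; the function name and the `-Commit` switch are choices made here, the cmdlet names are the SDK's, and the object ID comes from the Step 3 query output.

```powershell
# Added example (not part of the course material): revoke consent for an app the
# audit marked "remove". Dry run by default; -Commit applies the changes.
# Prerequisite: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes 'Application.ReadWrite.All',
                        'DelegatedPermissionGrant.ReadWrite.All',
                        'AppRoleAssignment.ReadWrite.All' -NoWelcome

function Revoke-ConsentedApplication {
    [CmdletBinding()]
    param(
        # Service principal object ID (ServicePrincipalId in the Step 3 query output)
        [Parameter(Mandatory)] [string] $ServicePrincipalId,
        [switch] $Commit
    )

    $sp = Get-MgServicePrincipal -ServicePrincipalId $ServicePrincipalId
    Write-Host "Application: $($sp.DisplayName) (AppId $($sp.AppId))"

    # Delegated permissions: every grant where this app is the client, both
    # per-user ("Principal") and tenant-wide admin ("AllPrincipals") consent
    $grants = @(Get-MgOauth2PermissionGrant -Filter "clientId eq '$ServicePrincipalId'" -All)
    foreach ($g in $grants) {
        Write-Host "  delegated grant $($g.Id): $($g.ConsentType) scope=[$($g.Scope)]"
        if ($Commit) { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id }
    }

    # Application permissions: app role assignments held by this app on resources
    # such as Microsoft Graph
    $roles = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId -All)
    foreach ($r in $roles) {
        Write-Host "  app role $($r.AppRoleId) on $($r.ResourceDisplayName)"
        if ($Commit) {
            Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId `
                                                       -AppRoleAssignmentId $r.Id
        }
    }

    # Disabling the service principal stops token issuance to the app while the
    # removal is documented; delete the service principal once the review is closed
    if ($Commit) {
        Update-MgServicePrincipal -ServicePrincipalId $ServicePrincipalId -AccountEnabled:$false
        Write-Host "  service principal disabled"
    } else {
        Write-Host "  dry run: re-run with -Commit to remove $($grants.Count) grant(s) and $($roles.Count) role assignment(s)"
    }
}

# Usage: review the dry-run output first, then apply
# Revoke-ConsentedApplication -ServicePrincipalId '<object id from the dormant-apps query>'
# Revoke-ConsentedApplication -ServicePrincipalId '<object id from the dormant-apps query>' -Commit
```

Run the dry run for each application in the "remove" column of the tracking document, confirm the listed grants match what the audit found, and only then apply with `-Commit`. Keep the dry-run output with the audit record so the quarterly review shows what was removed and why.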

Subsection artifact: The three tenant-wide audit queries. Run these quarterly to maintain OAuth hygiene.


Knowledge check


Automating the quarterly audit

Running the audit queries manually each quarter is error-prone and easy to forget. Automate it.

Option 1: Sentinel workbook. Create a workbook with three tiles: (1) high-risk consents (scored), (2) unverified publishers, (3) dormant applications. Schedule a monthly review reminder. The workbook pulls live data — each time you open it, you see the current state.

Option 2: Scheduled analytics rule. Create a low-severity scheduled rule that runs weekly: “Alert if any new application consent occurred with Mail.ReadWrite or higher permissions.” This catches new high-risk consents between quarterly audits — providing continuous monitoring alongside the periodic review.

// Weekly automated check: new high-risk consents since last review
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName == "Consent to application"
| where Result == "success"
| extend Permissions = tostring(TargetResources[0].modifiedProperties)
| where Permissions has_any ("Mail.ReadWrite", "Mail.Send",
    "Files.ReadWrite.All", "Directory.ReadWrite.All")
| extend AppName = tostring(TargetResources[0].displayName)
| extend ConsentUser = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, ConsentUser, AppName, Permissions

Deploy this as a scheduled rule (weekly, low severity). It surfaces new high-risk consents for manual review — bridging the gap between quarterly audits.

Option 3: Defender for Cloud Apps app governance. If available in your licensing, app governance provides automated monitoring with alerting on anomalous application behaviour. This is the most comprehensive option but requires Defender for Cloud Apps configuration (subsection 15.7 Recommendation 3).

Try it yourself

Run all three audit queries (high-risk permissions, unverified publishers, dormant applications) against your tenant. How many consented applications do you find? How many are from unverified publishers? How many are dormant? Create a simple tracking document: application name, publisher, permissions, consent count, last activity date, and your assessment (legitimate / investigate / remove). This is your first quarterly consent audit — the baseline for future reviews.

What you should observe

Most tenants have 20-50 consented applications. 30-50% are typically from unverified publishers (many legitimate tools are unverified). 10-20% may be dormant. The audit identifies: applications to remove (dormant + unverified + high-risk), applications to investigate (unverified + high-risk + active), and applications to document as legitimate (verified + appropriate permissions).

Check your understanding

1. The audit reveals 47 consented applications with Mail.Read or higher permissions. 12 are from unverified publishers. What do you do?

Correct answer: Review each of the 12 unverified-publisher applications individually: what does the application do, who consented, when, and are the permissions appropriate for the stated function? Remove applications that are: not recognised by any business user, dormant (no activity in 90 days), or requesting permissions beyond what their function requires. For the 35 verified-publisher applications: confirm they are still needed and the permissions are appropriate. This is the quarterly OAuth hygiene process.

Incorrect options: Remove all 47 applications; Unverified publishers are always malicious; Only review applications consented this month.