Following the principle of least privilege, it’s crucial to review the permissions granted to admin-consented OAuth applications: a tenant-wide grant that the app never exercises is attack surface with no business benefit. Identifying applications with unused permissions helps reduce that risk. Below is a KQL query to audit overprivileged permissions:

OAuthAppInfo
| mv-expand Permissions
| where Permissions.InUse == false
| where IsAdminConsented == 1
| where AppStatus == "Enabled"
| summarize UnUsedPermission=count() by AppName, tostring(Permissions.TargetAppDisplayName), tostring(Permissions.PermissionValue)
You Should Know:
1. Auditing OAuth Apps with PowerShell
To check OAuth applications in Microsoft Entra ID (Azure AD), use:
Get-AzureADServicePrincipal | Where-Object { $_.Tags -contains "WindowsAzureActiveDirectoryIntegratedApp" } | Select-Object DisplayName, AppId
2. Revoking Unused Permissions
Revoke unnecessary permissions using:
Remove-AzureADOAuth2PermissionGrant -ObjectId <PermissionGrantId>
3. Monitoring OAuth Activity via Logs
Enable Azure AD audit logs and analyze them with:
SigninLogs | where AppId == "<ApplicationId>" | project TimeGenerated, UserPrincipalName, IPAddress, ResultType
4. Checking OAuth Consent Grants
List all admin-consented permissions in Azure AD:
Get-AzureADOAuth2PermissionGrant | Where-Object { $_.ConsentType -eq "AllPrincipals" }
5. Automating Permission Reviews
Create a scheduled script to detect unused permissions:
#!/bin/bash
az login --service-principal -u <client_id> -p <client_secret> --tenant <tenant_id>
az rest --method GET --uri "https://graph.microsoft.com/v1.0/oauth2PermissionGrants" \
  | jq '.value[] | select(.consentType == "AllPrincipals")'
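As an added example (not part of the original post), the same unused-permission check as the KQL above, done in Python over a constructed sample shaped like the Graph `oauth2PermissionGrants` response (`scope` is a space-separated string; `principalId` is null for `AllPrincipals` grants). The `OBSERVED_IN_USE` map is an assumed stand-in for your own usage telemetry, and the output is a remediation plan using the documented DELETE/PATCH endpoints for `oauth2PermissionGrants`.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample shaped like GET /v1.0/oauth2PermissionGrants (not real tenant data).
SAMPLE_GRANTS = json.dumps({"value": [
    {"id": "grant-1", "clientId": "sp-aaa", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph-sp", "scope": "User.Read Mail.ReadWrite Files.ReadWrite.All"},
    {"id": "grant-2", "clientId": "sp-bbb", "consentType": "Principal", "principalId": "user-1",
     "resourceId": "graph-sp", "scope": "User.Read"},
    {"id": "grant-3", "clientId": "sp-ccc", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph-sp", "scope": "Directory.Read.All"},
    {"id": "grant-4", "clientId": "sp-ddd", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph-sp", "scope": "Sites.ReadWrite.All"},
]})

# Constructed (assumed) usage telemetry: scopes each client actually exercised recently.
OBSERVED_IN_USE = {"sp-aaa": {"User.Read"}, "sp-ccc": {"Directory.Read.All"}}


def admin_consented_grants(raw: str) -> List[dict]:
    """Keep only tenant-wide grants, the equivalent of `where IsAdminConsented == 1`."""
    return [g for g in json.loads(raw)["value"] if g.get("consentType") == "AllPrincipals"]


def unused_scopes(grants: List[dict], observed: Dict[str, set]) -> Dict[str, List[str]]:
    """Split each grant's space-separated scope string and flag scopes never seen in use."""
    report: Dict[str, List[str]] = {}
    for g in grants:
        used = observed.get(g["clientId"], set())
        unused = [s for s in g["scope"].split() if s not in used]
        if unused:
            report[g["id"]] = unused
    return report


def remediation_plan(report: Dict[str, List[str]], grants: List[dict]) -> List[Tuple[str, str, dict]]:
    """Trim the grant to its used scopes (PATCH); delete it outright when nothing is used."""
    by_id = {g["id"]: g for g in grants}
    plan = []
    for gid, unused in report.items():
        keep = [s for s in by_id[gid]["scope"].split() if s not in unused]
        path = f"/v1.0/oauth2PermissionGrants/{gid}"
        plan.append(("PATCH", path, {"scope": " ".join(keep)}) if keep else ("DELETE", path, {}))
    return plan


if __name__ == "__main__":
    grants = admin_consented_grants(SAMPLE_GRANTS)
    for step in remediation_plan(unused_scopes(grants, OBSERVED_IN_USE), grants):
        print(*step)
```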
6. Securing OAuth Apps in Linux
Use `curl` to verify OAuth token permissions:
curl -H "Authorization: Bearer <ACCESS_TOKEN>" https://graph.microsoft.com/v1.0/me
7. Detecting Overprivileged Apps via Microsoft Graph API
curl -X GET -H "Authorization: Bearer <token>" 'https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appRolesAssigned%20ne%20null'
8. Hardening OAuth Configurations
Disable legacy OAuth protocols if unused:
Set-AzureADPolicy -Id <PolicyId> -DisplayName "Block Legacy Auth" -Definition @('{"BlockLegacyAuthentication":true}')
What Undercode Say:
Managing OAuth permissions is critical in Zero Trust security. Overprivileged apps increase attack surfaces, leading to potential breaches. Regularly audit permissions using KQL, PowerShell, and Microsoft Graph API. Automate reviews and enforce least privilege access.
Additional Commands for Security Teams:
- Linux: `grep "oauth" /var/log/auth.log` (Check OAuth-related auth logs)
- Windows: `wevtutil qe Security /q:"*[System[(EventID=4624)]]"` (Review authentication events)
- Azure CLI: `az ad app permission list --id <AppId>` (List app permissions)
Expected Output:
A structured report of unused OAuth permissions, admin-consented apps, and remediation steps.
References:
Reported By: 0x534c Cybersecurity – Hackers Feeds