OAuth is a protocol for delegating access: it grants third-party websites or applications access to users' data and lets them perform operations on the users' behalf. With OAuth, users don't have to reveal their credentials to the third-party service, as access is granted through the Identity Provider (IdP), which is Azure AD in the case of Azure.

OAuth applications can be leveraged by threat actors:

  • In illicit consent grant phishing attacks. A victim authorizes a malicious third-party OAuth application to access their account data. However, Microsoft implemented security measures in November 2020 to limit this kind of attack: an administrator's approval is now required for sensitive permission requests made by unverified applications created outside the tenant.

  • To maintain persistence in the tenant.

  • As an automation tool, to automate operations such as virtual machine creation for cryptomining activity.

Microsoft Graph supports two access types: delegated permissions and application permissions. With delegated permissions, the application calls Microsoft Graph on behalf of a signed-in user. With application permissions, the application calls Microsoft Graph with its own identity, without a signed-in user.

The delegated and application permissions available are referenced in the Microsoft documentation.

Microsoft-Extractor-Suite’s Get-OAuthPermissions PowerShell cmdlet can be used to enumerate delegated permissions (OAuth2PermissionGrants) and application permissions (AppRoleAssignments) for all accounts:

Get-OAuthPermissions
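The following added example, which is not part of Microsoft-Extractor-Suite, performs the same enumeration with the Microsoft Graph PowerShell SDK so that both permission types described above can be reviewed side by side: delegated permissions come from oauth2PermissionGrant objects (one grant per client, resource and principal, with the scopes in a space-separated string) and application permissions from the appRoleAssignments of each client service principal, where the AppRoleId has to be resolved to a name through the resource service principal's AppRoles collection. It assumes the Microsoft.Graph module is installed and the signed-in account can read applications and the directory; the $HighRisk list is an illustrative triage list chosen here, not a Microsoft definition.

```powershell
# Added example (not Microsoft-Extractor-Suite code): list delegated and
# application permissions granted in the tenant and flag high-privilege ones.
# Assumption: the Microsoft.Graph module is installed and the account can
# consent to the two read scopes below.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

# Permissions an analyst would usually review first (illustrative, not exhaustive).
$HighRisk = @(
    'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
    'Files.Read.All', 'Files.ReadWrite.All', 'Directory.ReadWrite.All',
    'RoleManagement.ReadWrite.Directory', 'Application.ReadWrite.All', 'User.ReadWrite.All'
)

# Cache every service principal by object id so client/resource names resolve
# without one Graph call per grant.
$sps = @{}
Get-MgServicePrincipal -All | ForEach-Object { $sps[$_.Id] = $_ }

# Delegated permissions (OAuth2PermissionGrants). ConsentType 'AllPrincipals'
# means an admin consented for the whole tenant; 'Principal' is a single user.
$delegated = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $grant = $_
    foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
        [pscustomobject]@{
            Type        = 'Delegated'
            Client      = $sps[$grant.ClientId].DisplayName
            Resource    = $sps[$grant.ResourceId].DisplayName
            Permission  = $scope
            Consent     = $grant.ConsentType
            PrincipalId = $grant.PrincipalId
            HighRisk    = $HighRisk -contains $scope
        }
    }
}

# Application permissions (AppRoleAssignments): app roles assigned to each
# client service principal, with the role id translated to its name.
$application = foreach ($sp in $sps.Values) {
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All | ForEach-Object {
        $a    = $_
        $res  = $sps[$a.ResourceId]
        $role = if ($res) { ($res.AppRoles | Where-Object Id -eq $a.AppRoleId).Value } else { $a.AppRoleId }
        [pscustomobject]@{
            Type        = 'Application'
            Client      = $sp.DisplayName
            Resource    = $a.ResourceDisplayName
            Permission  = $role
            Consent     = 'Admin'   # application permissions always require admin consent
            PrincipalId = $null     # no signed-in user involved
            HighRisk    = $HighRisk -contains $role
        }
    }
}

$all = @($delegated) + @($application)

# Keep the full inventory for the case file, then show what needs attention.
$all | Export-Csv -Path .\oauth-permissions.csv -NoTypeInformation
$all | Where-Object HighRisk |
    Sort-Object Type, Client |
    Format-Table Type, Client, Resource, Permission, Consent, PrincipalId -AutoSize
```

Tenant-wide delegated grants (ConsentType AllPrincipals) and any application permission on the flagged list are the rows to reconcile first against the list of applications the organization actually approved; a grant to an application whose display name is unfamiliar, or that was created recently, is a candidate for the consent-phishing and persistence cases described above.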
