Entra ID OAuth Consent Attack: Why Your MFA Is Useless Against Illicit Grants
Season 1
Published 4 months, 3 weeks ago
Description
(00:00:00) The MFA Illusion
(00:00:00) Consent Bypassing MFA
(00:00:54) The Power of OAuth Consent
(00:02:08) Persistence and Refresh Tokens
(00:02:27) Admin Consent: The Ultimate Key
(00:05:47) The Three Non-Negotiable Controls
(00:12:11) Case Study: MFA Fails to Stop OAuth Attacks
(00:16:48) Detection and Remediation Strategies
(00:25:06) Hardening and Ongoing Monitoring
(00:28:37) The Consent Control Key Takeaway
In this episode of M365.fm, Mirko Peters explains why your MFA and password reset playbooks do nothing against illicit OAuth consent attacks in Entra ID — and shows how attackers use refresh tokens and offline_access to stay in your tenant long after you “kick them out.”
WHAT YOU WILL LEARN
- What illicit OAuth consent grants actually are and why this is authorization abuse, not credential theft
- How a friendly Microsoft consent screen hides powerful scopes like Mail.ReadWrite, Files.ReadWrite.All, and Directory.ReadWrite.All
- Why offline_access and refresh tokens keep attackers in your tenant even after password resets, forced sign‑outs, and MFA enforcement
- The three non‑negotiable Entra controls that collapse most of this attack surface: user consent lockdown, verified publishers, and admin consent workflow
- How to detect, prove, and remediate malicious OAuth grants using Entra audit logs, service principals, and Graph / PowerShell queries
- A step‑by‑step case study that proves why your current “reset + revoke sessions” incident response is not enough
Most Microsoft 365 incident playbooks still assume “user account compromised” means “change password, reset sessions, enforce MFA.” In an OAuth consent attack, the attacker doesn’t need your password again — they already have a standing grant with offline_access and Graph scopes that survive all of that.
The real control point is not the login; it’s the consent event that creates an OAuth2PermissionGrant and a service principal with delegated or application permissions to your data.
This episode argues that defending Entra ID means treating app consent, service principals, and scopes as first‑class security objects — and designing your policies, detections, and incident response around them.
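As an added example (not code from the episode, from Mirko Peters, or from Microsoft), here is a defender-side triage of a tenant's OAuth2 permission grants: it joins each grant to its client service principal and flags the indicators the episode describes, namely high-risk scopes, offline_access, admin (tenant-wide) consent, and third-party apps without a verified publisher. The Graph field names are the real ones returned by the oauth2PermissionGrants and servicePrincipals endpoints; TENANT_ID, the sample apps and the grant ids are constructed placeholders.

```python
"""Triage Entra ID OAuth2 permission grants for illicit-consent indicators.
Input records follow the JSON shape Microsoft Graph returns from
GET /v1.0/oauth2PermissionGrants and GET /v1.0/servicePrincipals;
the sample records at the bottom are constructed, not from a real tenant."""

# Scopes the episode calls out; offline_access is what issues refresh tokens.
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All"}
TENANT_ID = "11111111-1111-1111-1111-111111111111"  # constructed placeholder

def triage_grants(grants, service_principals, tenant_id=TENANT_ID):
    """Join each grant to its client service principal; return the risky ones."""
    sps = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        sp = sps.get(g["clientId"], {})
        scopes = set(g.get("scope", "").split())  # Graph gives a space-separated string
        risky = scopes & HIGH_RISK_SCOPES
        third_party = sp.get("appOwnerOrganizationId") != tenant_id
        verified = bool((sp.get("verifiedPublisher") or {}).get("verifiedPublisherId"))
        # Report when high-risk scopes are present, or when a third-party app holds
        # offline_access: a standing refresh token that outlives a password reset.
        if not (risky or ("offline_access" in scopes and third_party)):
            continue
        reasons = []
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
        if "offline_access" in scopes:
            reasons.append("offline_access: refresh tokens survive reset/sign-out")
        if g.get("consentType") == "AllPrincipals":
            reasons.append("admin consent: applies to every user in the tenant")
        if third_party and not verified:
            reasons.append("third-party app without a verified publisher")
        findings.append({"grant": g["id"], "app": sp.get("displayName", g["clientId"]),
                         "reasons": reasons})
    return findings

# Constructed sample data: a user-consented phishing-style app, a tenant-owned
# line-of-business app, and an admin-consented third-party app with directory write.
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Mailbox Helper", "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222"},
    {"id": "sp-2", "displayName": "HR Portal", "appOwnerOrganizationId": TENANT_ID},
    {"id": "sp-3", "displayName": "Sync Tool", "appOwnerOrganizationId": "33333333-3333-3333-3333-333333333333",
     "verifiedPublisher": {"verifiedPublisherId": "pub-1", "displayName": "Example Publisher"}},
]
SAMPLE_GRANTS = [
    {"id": "grant-1", "clientId": "sp-1", "consentType": "Principal", "principalId": "user-1",
     "scope": "openid profile offline_access Mail.ReadWrite Files.ReadWrite.All"},
    {"id": "grant-2", "clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None, "scope": "User.Read offline_access"},
    {"id": "grant-3", "clientId": "sp-3", "consentType": "AllPrincipals", "principalId": None, "scope": "Directory.ReadWrite.All"},
]
```

A confirmed malicious grant is removed with DELETE /v1.0/oauth2PermissionGrants/{id} on Microsoft Graph (the Remove-MgOauth2PermissionGrant cmdlet) and the service principal disabled; revoking the user's sessions alone leaves the grant, and its refresh tokens, in place.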
KEY TOPICS COVERED
- Illicit consent grants 101: delegated vs application permissions, offline_access, and why MFA never fires
- Why refresh tokens and OAuth grants outlive password resets and “force sign‑out” actions