EPISODE · Dec 2, 2025 · 29 MIN
Entra ID OAuth Consent Attack: Why Your MFA Is Useless Against Illicit Grants
from M365.FM - Modern work, security, and productivity with Microsoft 365 · host Mirko Peters - Founder of m365.fm, m365.show and m365con.net
(00:00:00) The MFA Illusion
(00:00:00) Consent Bypassing MFA
(00:00:54) The Power of OAuth Consent
(00:02:08) Persistence and Refresh Tokens
(00:02:27) Admin Consent: The Ultimate Key
(00:05:47) The Three Non-Negotiable Controls
(00:12:11) Case Study: MFA Fails to Stop OAuth Attacks
(00:16:48) Detection and Remediation Strategies
(00:25:06) Hardening and Ongoing Monitoring
(00:28:37) The Consent Control Key Takeaway

In this episode of M365.fm, Mirko Peters explains why your MFA and password reset playbooks do nothing against illicit OAuth consent attacks in Entra ID — and shows how attackers use refresh tokens and offline_access to stay in your tenant long after you “kick them out.”

WHAT YOU WILL LEARN
What illicit OAuth consent grants actually are and why this is authorization abuse, not credential theft
How a friendly Microsoft consent screen hides powerful scopes like Mail.ReadWrite, Files.ReadWrite.All, and Directory.ReadWrite.All
Why offline_access and refresh tokens keep attackers in your tenant even after password resets, forced sign-outs, and MFA enforcement
The three non-negotiable Entra controls that collapse most of this attack surface: user consent lockdown, verified publishers, and admin consent workflow
How to detect, prove, and remediate malicious OAuth grants using Entra audit logs, service principals, and Graph / PowerShell queries
A step-by-step case study that proves why your current “reset + revoke sessions” incident response is not enough

THE CORE INSIGHT
Most Microsoft 365 incident playbooks still assume “user account compromised” means “change password, reset sessions, enforce MFA.” In an OAuth consent attack, the attacker doesn’t need your password again — they already have a standing grant with offline_access and Graph scopes that survive all of that.
The real control point is not the login; it’s the consent event that creates an OAuth2PermissionGrant and a service principal with delegated or application permissions to your data.
This episode argues that defending Entra ID means treating app consent, service principals, and scopes as first-class security objects — and designing your policies, detections, and incident response around them.

KEY TOPICS COVERED
Illicit consent grants 101: delegated vs application permissions, offline_access, and why MFA never fires
Why refresh tokens and OAuth grants outlive password resets and “force sign-out” actions
The three critical Entra configurations: lock down user consent, require verified publishers, and enforce admin consent workflow with least-privilege scopes
High-signal audit events to hunt: Add servicePrincipalOAuth2PermissionGrant, Add passwordCredential, Add keyCredential, Update application
How to inventory risky apps and grants (offline_access + *.All scopes, tenant-wide consents, privileged users)
A practical remediation and hardening playbook: purge bad grants, rotate secrets, delete rogue service principals, and build a recurring consent hygiene routine

WHO THIS EPISODE IS FOR
This episode is essential for CISOs, identity and access management teams, SOC and detection engineers, and cloud security/platform teams running Microsoft 365 and Entra ID.
If your organization still treats MFA as the final line of defense and assumes password resets “fix” account-based attacks, this conversation is your wake-up call on OAuth, consent, and refresh-token-based persistence.

ABOUT THE HOST
Mirko Peters is a Microsoft 365 consultant and digital workplace architect focused on building identity-first, token-aware security architectures on the Microsoft cloud.
Through M365.fm, Mirko shares practical attack walkthroughs, Entra governance patterns, and real-world detection and hardening strategies that help security teams close the OAuth consent gap before it becomes their next breach report.

Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support.
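The grant inventory described under KEY TOPICS COVERED, written out as an added example (this is not code from the episode or from m365.fm): it lists delegated OAuth2 grants that combine offline_access with broad *.All scopes, shows whether the consent was tenant-wide, and whether the client app has a verified publisher. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account can read applications and the directory; the $riskyScopes list is a constructed starting point, not a Microsoft-defined set.

```powershell
# Added example: inventory standing OAuth2 grants that would survive a password
# reset or session revocation (offline_access + broad scopes).
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

# Scopes treated as high-risk even without a *.All suffix (assumption; tune per tenant).
$riskyScopes = @('Mail.ReadWrite', 'Files.ReadWrite.All', 'Directory.ReadWrite.All')

$findings = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    # Scope is a single space-separated string; it may be empty for some grants.
    $scopes = ($grant.Scope -split ' ') | Where-Object { $_ }

    # Only grants with offline_access yield refresh tokens, so only they persist.
    if ($scopes -notcontains 'offline_access') { continue }

    $broad = $scopes | Where-Object { $_ -like '*.All' -or $riskyScopes -contains $_ }
    if (-not $broad) { continue }

    # ClientId on a grant is the object id of the consenting app's service principal.
    $sp = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId

    [pscustomobject]@{
        App               = $sp.DisplayName
        AppId             = $sp.AppId
        VerifiedPublisher = $sp.VerifiedPublisher.DisplayName   # $null means unverified
        ConsentType       = $grant.ConsentType                  # AllPrincipals = tenant-wide
        ConsentingUser    = $grant.PrincipalId                  # set only for per-user grants
        Scopes            = ($broad -join ' ')
        GrantId           = $grant.Id
    }
}

# Tenant-wide grants from unverified publishers sort to the top for triage.
$findings |
    Sort-Object @{ Expression = { $_.ConsentType -eq 'AllPrincipals' }; Descending = $true },
                @{ Expression = { [string]::IsNullOrEmpty($_.VerifiedPublisher) }; Descending = $true },
                App |
    Format-Table -AutoSize
```

Review each finding against who consented and when before acting; a confirmed bad grant is revoked with Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>, and the rogue service principal can then be deleted as the episode's playbook describes.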