Find the OAuth grants in your tenant that should not be there.

OAuth consent grant attacks are one of the most common ways attackers gain persistent access to Microsoft 365 data. The Entra OAuth Consent Auditor scans your tenant for risky, overprivileged, or illicit OAuth grants and flags the ones that need investigation.

Why it matters

Illicit consent grants are hard to detect and easy to miss.

Consent phishing is a growing attack vector

Attackers register malicious applications that request broad OAuth permissions. When a user clicks "Accept," the attacker gains persistent API access to that user's email, files, and directory data.

Overprivileged apps accumulate silently

Legitimate applications often request more permissions than they need, or retain permissions after their purpose has ended. Each one is an expanded attack surface if the app or its credentials are compromised.

Admin consent can be granted without oversight

Admin consent grants apply tenant-wide and give applications access to all users' data. A single overly broad admin consent can expose the entire organization.

Native Entra UI makes review difficult

The built-in Entra admin center does not provide a consolidated view of consent grants, risk levels, or permission scope across all applications. This tool surfaces what the native UI obscures.

Built with

Microsoft Graph API, tenant-scoped, read-only.

Tags: Microsoft Graph, Entra ID, OAuth 2.0, Consent auditing, Identity security, Open source

FAQ

Common questions about the Entra OAuth Consent Auditor.

An OAuth consent grant attack tricks a user into granting a malicious application access to their data by approving OAuth permissions. In Entra ID, this can give attackers access to email, files, and directory data without needing the user's password.

Yes. The Entra OAuth Consent Auditor is open source and free to use under its license on GitHub.

The auditor needs read access to application registrations, service principals, and OAuth consent grants in your Entra ID tenant. Specific Graph API permissions are documented in the repository.

Entra ID is the current name for what was previously Azure Active Directory. The tool works with any Microsoft Entra ID tenant, regardless of which name your organization uses.
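The risk categories described above (consent-phishing apps, overprivileged delegated scopes, tenant-wide admin consent) can be triaged from the same read-only Graph data the FAQ names. The script below is an added example and is not the Entra OAuth Consent Auditor's own code or rule set: the scope list, the weights, the placeholder tenant id, and every sample record are constructed for illustration. It follows the field names of Graph's `oauth2PermissionGrant` and `servicePrincipal` resources so the same logic can be pointed at a live `fetch_all()` result.

```python
"""Triage Microsoft Graph consent data for grants that need a look.

Added example, not the Entra OAuth Consent Auditor's own code. The risk
rules, weights and every sample value below are constructed for illustration.
"""
import json
import urllib.request
from typing import Dict, Iterable, List

GRAPH = "https://graph.microsoft.com/v1.0"

# Assumption: this tenant's own id; apps owned by any other tenant are "external".
HOME_TENANT_ID = "00000000-0000-0000-0000-000000000001"  # placeholder, not a real tenant

# Delegated scopes treated as broad. Constructed list, not the tool's rule set.
BROAD_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.ReadWrite.All", "Sites.ReadWrite.All",
    "Directory.ReadWrite.All", "Directory.AccessAsUser.All", "User.ReadWrite.All",
}

# Constructed sample records shaped like Graph's servicePrincipal and
# oauth2PermissionGrant resources; every id and name here is made up.
SERVICE_PRINCIPALS = [
    {"id": "sp-hr", "displayName": "HR Portal",
     "appOwnerOrganizationId": HOME_TENANT_ID, "verifiedPublisher": {"displayName": None}},
    {"id": "sp-pdf", "displayName": "Free PDF Convertr",
     "appOwnerOrganizationId": "00000000-0000-0000-0000-000000000002",
     "verifiedPublisher": {"displayName": None}},
    {"id": "sp-crm", "displayName": "Contoso CRM",
     "appOwnerOrganizationId": "00000000-0000-0000-0000-000000000003",
     "verifiedPublisher": {"displayName": "Contoso Ltd"}},
]
GRANTS = [
    {"id": "g1", "clientId": "sp-hr", "consentType": "Principal", "principalId": "user-1",
     "resourceId": "sp-graph", "scope": "openid profile User.Read"},
    {"id": "g2", "clientId": "sp-pdf", "consentType": "Principal", "principalId": "user-2",
     "resourceId": "sp-graph", "scope": "Mail.ReadWrite Files.ReadWrite.All offline_access"},
    {"id": "g3", "clientId": "sp-crm", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-graph", "scope": "Directory.ReadWrite.All User.Read"},
    {"id": "g4", "clientId": "sp-hr", "consentType": "Principal", "principalId": "user-3",
     "resourceId": "sp-graph", "scope": "Mail.Send offline_access"},
]


def fetch_all(token: str, path: str) -> List[dict]:
    """Read-only GET of a Graph collection, following @odata.nextLink pages."""
    url = f"{GRAPH}/{path}"
    items: List[dict] = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def assess_grant(grant: dict, sp_by_id: Dict[str, dict]) -> dict:
    """Score one delegated grant; returns its findings and a low/medium/high level."""
    sp = sp_by_id.get(grant["clientId"], {})
    scopes = set(grant.get("scope", "").split())
    findings: List[str] = []
    score = 0

    # Admin consent (consentType AllPrincipals) applies to every user in the tenant.
    if grant.get("consentType") == "AllPrincipals":
        findings.append("admin consent: grant applies tenant-wide")
        score += 2

    for s in sorted(scopes & BROAD_SCOPES):
        findings.append(f"broad delegated scope: {s}")
        score += 2

    # offline_access yields refresh tokens, so broad scopes become persistent access.
    if "offline_access" in scopes and scopes & BROAD_SCOPES:
        findings.append("offline_access: refresh tokens keep broad access alive")
        score += 1

    # App registered in another tenant with no verified publisher: the shape
    # a consent-phishing app usually takes.
    owner = sp.get("appOwnerOrganizationId")
    verified = (sp.get("verifiedPublisher") or {}).get("displayName")
    if owner and owner != HOME_TENANT_ID and not verified:
        findings.append("external app without a verified publisher")
        score += 2

    level = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {"grantId": grant["id"], "app": sp.get("displayName", grant["clientId"]),
            "principal": grant.get("principalId") or "<all users>",
            "score": score, "level": level, "findings": findings}


def audit(grants: Iterable[dict], service_principals: Iterable[dict]) -> List[dict]:
    """Assess every grant and return the results, riskiest first."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    results = [assess_grant(g, sp_by_id) for g in grants]
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    # Against a live tenant: audit(fetch_all(token, "oauth2PermissionGrants"),
    #                               fetch_all(token, "servicePrincipals"))
    for r in audit(GRANTS, SERVICE_PRINCIPALS):
        print(f"[{r['level']:6}] {r['app']} -> {r['principal']}: "
              f"{'; '.join(r['findings']) or 'nothing flagged'}")
```

Run as-is it scores the constructed sample; the unverified external app holding `Mail.ReadWrite`, `Files.ReadWrite.All` and `offline_access` lands at the top, the tenant-wide `Directory.ReadWrite.All` admin consent next. Delegated grants are only half the picture: application permissions granted to a service principal live in its `appRoleAssignments` and would need a parallel pass.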

Built by Orygn

The Entra OAuth Consent Auditor is one of several identity security tools Orygn has published.

Orygn builds custom software, security tooling, and identity-focused systems. This tool is part of a broader set of open-source Entra ID security utilities for tenant hygiene and threat detection.
