Skip to content

Consent To Application

Azure

Consent To Application

service: Azure - Microsoft Entra ID
techniques:

Event

Records an admin or user granting an Entra ID application permission to access resources via an OAuth 2.0 consent grant.

Security Context

  • Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.

Log Source

Entra ID Audit Logs

Sample Event

Adversarial. Compromised user draco@fantasticlogs.cloud (Global Admin via the elevateAccess chain) grants admin consent to the BoggartImpersonator application for the Mail.Read, Files.Read.All, and User.Read.All Microsoft Graph delegated permissions. Tenant-wide admin consent means every user in the tenant is implicitly consenting — the application can now read mail/files/users for the whole organisation without further user interaction. This is the textbook T1528 illicit consent grant.

{
"id": "Directory_90000000-0000-4000-8000-000001101111_6E5D2_38492170",
"category": "ApplicationManagement",
"correlationId": "90000000-0000-4000-8000-000001101111",
"result": "success",
"resultReason": "",
"activityDisplayName": "Consent to application",
"activityDateTime": "2026-04-15T19:24:17.0381728Z",
"loggedByService": "Core Directory",
"operationType": "Assign",
"tenantId": "10000000-0000-4000-8000-000000000001",
"initiatedBy": {
"app": null,
"user": {
"id": "30000000-0000-4000-8000-001010011010",
"displayName": "Draco Malfoy",
"userPrincipalName": "draco@fantasticlogs.cloud",
"ipAddress": "203.0.113.66",
"userType": "Member",
"homeTenantId": "10000000-0000-4000-8000-000000000001",
"homeTenantName": null
}
},
"targetResources": [
{
"id": "40000000-0000-4000-8000-001010011011",
"displayName": "BoggartImpersonator",
"type": "ServicePrincipal",
"userPrincipalName": null,
"groupType": null,
"modifiedProperties": [
{
"displayName": "ConsentAction.Permissions",
"oldValue": "[]",
"newValue": "[\"Scope: Mail.Read, Files.Read.All, User.Read.All\"]"
},
{
"displayName": "ConsentContext.IsAdminConsent",
"oldValue": "[]",
"newValue": "[\"True\"]"
},
{
"displayName": "ConsentContext.OnBehalfOfAll",
"oldValue": "[]",
"newValue": "[\"True\"]"
},
{
"displayName": "ConsentContext.Tags",
"oldValue": "[]",
"newValue": "[\"WindowsAzureActiveDirectoryIntegratedApp\"]"
},
{
"displayName": "TargetId.ServicePrincipalNames",
"oldValue": "[]",
"newValue": "[\"40000000-0000-4000-8000-001010011010\"]"
},
{
"displayName": "Included Updated Properties",
"oldValue": null,
"newValue": "\"ConsentAction.Permissions, ConsentContext.IsAdminConsent, ConsentContext.OnBehalfOfAll, ConsentContext.Tags, TargetId.ServicePrincipalNames\""
}
]
}
],
"additionalDetails": [
{
"key": "User-Agent",
"value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
}
]
}

MITRE ATT&CK Mapping

Tactics: Persistence Privilege Escalation Credential Access

Techniques:
  • T1528 — Steal Application Access Token — Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
  • T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...