Consent To Application
Azure
Consent To Application
Event
Records an admin or user granting an Entra ID application permission to access resources via an OAuth 2.0 consent grant.
Security Context
- Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.
Log Source
Entra ID Audit Logs
Sample Event
Adversarial. Compromised user draco@fantasticlogs.cloud (Global Admin via the elevateAccess chain) grants admin consent to the BoggartImpersonator application for the Mail.Read, Files.Read.All, and User.Read.All Microsoft Graph delegated permissions. Tenant-wide admin consent means every user in the tenant is implicitly consenting — the application can now read mail/files/users for the whole organisation without further user interaction. This is the textbook T1528 illicit consent grant.
{ "id": "Directory_90000000-0000-4000-8000-000001101111_6E5D2_38492170", "category": "ApplicationManagement", "correlationId": "90000000-0000-4000-8000-000001101111", "result": "success", "resultReason": "", "activityDisplayName": "Consent to application", "activityDateTime": "2026-04-15T19:24:17.0381728Z", "loggedByService": "Core Directory", "operationType": "Assign", "tenantId": "10000000-0000-4000-8000-000000000001", "initiatedBy": { "app": null, "user": { "id": "30000000-0000-4000-8000-001010011010", "displayName": "Draco Malfoy", "userPrincipalName": "draco@fantasticlogs.cloud", "ipAddress": "203.0.113.66", "userType": "Member", "homeTenantId": "10000000-0000-4000-8000-000000000001", "homeTenantName": null } }, "targetResources": [ { "id": "40000000-0000-4000-8000-001010011011", "displayName": "BoggartImpersonator", "type": "ServicePrincipal", "userPrincipalName": null, "groupType": null, "modifiedProperties": [ { "displayName": "ConsentAction.Permissions", "oldValue": "[]", "newValue": "[\"Scope: Mail.Read, Files.Read.All, User.Read.All\"]" }, { "displayName": "ConsentContext.IsAdminConsent", "oldValue": "[]", "newValue": "[\"True\"]" }, { "displayName": "ConsentContext.OnBehalfOfAll", "oldValue": "[]", "newValue": "[\"True\"]" }, { "displayName": "ConsentContext.Tags", "oldValue": "[]", "newValue": "[\"WindowsAzureActiveDirectoryIntegratedApp\"]" }, { "displayName": "TargetId.ServicePrincipalNames", "oldValue": "[]", "newValue": "[\"40000000-0000-4000-8000-001010011010\"]" }, { "displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"ConsentAction.Permissions, ConsentContext.IsAdminConsent, ConsentContext.OnBehalfOfAll, ConsentContext.Tags, TargetId.ServicePrincipalNames\"" } ] } ], "additionalDetails": [ { "key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" } ]}MITRE ATT&CK Mapping
Tactics: Persistence Privilege Escalation Credential Access
Techniques:
- T1528 — Steal Application Access Token — Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...