---
name: Enterprise App and OAuth Consent Risk Audit
description: Audit admin-consented enterprise apps and risky OAuth grants in Microsoft Entra to surface illicit consent and over-privileged service principals.
---

# Enterprise App and OAuth Consent Risk Audit

> **TL;DR:** This skill reviews enterprise applications and OAuth consent grants in Microsoft Entra, then produces a risk-ranked report of over-privileged or illicitly consented apps so your team can revoke dangerous access before it is abused.

## What are OAuth consent grants in Microsoft Entra?

When a user or an administrator approves an application's request for permissions, Microsoft Entra records an OAuth consent grant against the app's service principal. Attackers exploit this through illicit consent phishing, tricking users into granting a malicious enterprise app standing access to mailboxes, files in SharePoint and OneDrive, and Microsoft Graph. This skill inspects those grants alongside Conditional Access posture so security teams can spot risky delegated and application permissions that bypass normal credential controls.

## When should you run this skill?

- "Show me every enterprise app that has admin consent for high-privilege Microsoft Graph permissions."
- "Audit our OAuth grants for signs of illicit consent phishing this quarter."
- "Which third-party apps can read all users' mail or files across the tenant?"
- "We just enabled user consent restrictions; list the apps that were consented before that change."
- "Find dormant service principals that still hold broad delegated permissions."
- "Prepare an Essential Eight evidence pack for application control over cloud apps."
- "Investigate this suspicious app a user reported after a phishing email."

## How this skill works, step by step

1. Connect read-only to Microsoft Entra and enumerate every enterprise application and its associated service principal.
2. Retrieve each app's delegated (OAuth2PermissionGrant) and application (AppRoleAssignment) permissions to Microsoft Graph and other resources.
3. Flag high-impact scopes such as `Mail.Read`, `Files.ReadWrite.All`, `Directory.ReadWrite.All`, and `full_access_as_app`.
4. Identify who consented (admin versus individual user) and whether tenant-wide admin consent is in place.
5. Cross-reference publisher verification status, app age, and recent sign-in activity to detect dormant or unverified apps.
6. Check whether risky apps are excluded from or covered by relevant Conditional Access policies.
7. Derive a risk score for each app by weighting permission sensitivity, consent type, publisher trust, and activity signals.
8. Rank applications from highest to lowest residual risk and prepare remediation guidance.
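The following Python is an added worked example of steps 2 to 8, not the skill's own scoring model: it resolves delegated grants and application role assignments for each service principal, flags the high-impact scopes named in step 3, and weights consent type, publisher verification and sign-in activity into a ranked table. The sample records are constructed and shaped like Microsoft Graph `oauth2PermissionGrant`, `appRoleAssignment` and `servicePrincipal` objects (the `signInActivity` property and all weights and thresholds are assumptions for illustration).

```python
"""Added example: rank enterprise apps by consent risk (steps 2-8).
Weights, thresholds and sample records are assumed; records mimic the shape
of Graph servicePrincipal, oauth2PermissionGrant and appRoleAssignment."""
from datetime import datetime, timedelta, timezone

# High-impact scopes from step 3 with assumed sensitivity weights.
HIGH_IMPACT_SCOPES = {"Mail.Read": 40, "Files.ReadWrite.All": 45,
                      "Directory.ReadWrite.All": 50, "full_access_as_app": 50}
DORMANT_AFTER = timedelta(days=90)  # assumed: no sign-in in 90 days = dormant
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample

# Constructed sample data (not from any real tenant).
RESOURCES = {  # resource service principals: appRoles map id -> permission value
    "sp-graph": {"appRoles": [{"id": "r1", "value": "Mail.Read"}]},
    "sp-exo": {"appRoles": [{"id": "r2", "value": "full_access_as_app"}]},
}
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Contoso Mail Sync",
     "verifiedPublisher": {"verifiedPublisherId": "pub-1"},
     "signInActivity": {"lastSignInDateTime": "2024-05-28T08:00:00Z"}},
    {"id": "sp-2", "displayName": "QuickSign PDF",
     "verifiedPublisher": {"verifiedPublisherId": None},
     "signInActivity": {"lastSignInDateTime": "2024-05-20T12:00:00Z"}},
    {"id": "sp-3", "displayName": "Legacy Backup Agent",
     "verifiedPublisher": {"verifiedPublisherId": None},
     "signInActivity": {"lastSignInDateTime": None}},
    {"id": "sp-4", "displayName": "Team Lunch Poll",
     "verifiedPublisher": {"verifiedPublisherId": "pub-2"},
     "signInActivity": {"lastSignInDateTime": "2024-05-30T09:00:00Z"}},
]
GRANTS = [  # oauth2PermissionGrant: scope is a space-delimited string
    {"clientId": "sp-1", "consentType": "AllPrincipals", "resourceId": "sp-graph",
     "scope": "User.Read"},
    {"clientId": "sp-2", "consentType": "Principal", "resourceId": "sp-graph",
     "scope": "User.Read Files.ReadWrite.All offline_access"},
    {"clientId": "sp-4", "consentType": "Principal", "resourceId": "sp-graph",
     "scope": "User.Read"},
]
ASSIGNMENTS = [  # appRoleAssignment: application permissions, always admin-consented
    {"principalId": "sp-1", "resourceId": "sp-graph", "appRoleId": "r1"},
    {"principalId": "sp-3", "resourceId": "sp-exo", "appRoleId": "r2"},
]


def parse_time(value):
    """Parse a Graph ISO-8601 timestamp such as 2024-05-28T08:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def collect_permissions(sp_id, grants, assignments, resources):
    """Step 2/4: (permission_type, scope, consented_by) for one client service principal."""
    perms = []
    for g in grants:  # delegated: consentType AllPrincipals = tenant-wide admin consent
        if g["clientId"] == sp_id:
            who = "Admin (tenant-wide)" if g["consentType"] == "AllPrincipals" else "Individual user"
            perms += [("Delegated", s, who) for s in g["scope"].split()]
    for a in assignments:  # application: resolve appRoleId through the resource's appRoles
        if a["principalId"] == sp_id:
            roles = {r["id"]: r["value"] for r in resources[a["resourceId"]]["appRoles"]}
            perms.append(("Application", roles.get(a["appRoleId"], a["appRoleId"]), "Admin (tenant-wide)"))
    return perms


def score_app(sp, perms, now):
    """Steps 3/5/7: weight permission sensitivity, consent type, publisher trust, activity."""
    risky = [p for p in perms if p[1] in HIGH_IMPACT_SCOPES]
    score, top = 0, None
    if risky:
        top = max(risky, key=lambda p: HIGH_IMPACT_SCOPES[p[1]])
        score += HIGH_IMPACT_SCOPES[top[1]] + 5 * (len(risky) - 1)
        if top[0] == "Application":
            score += 25  # standing access with no signed-in user in the loop
        score += 15 if top[2].startswith("Admin") else 10  # tenant-wide reach vs. consent-phishing signal
    if not (sp.get("verifiedPublisher") or {}).get("verifiedPublisherId"):
        score += 15  # unverified publisher
    last = (sp.get("signInActivity") or {}).get("lastSignInDateTime")
    if last is None or now - parse_time(last) > DORMANT_AFTER:
        score += 10  # dormant service principal still holding grants
    level = ("Critical" if score >= 80 else "High" if score >= 55
             else "Medium" if score >= 30 else "Low")
    return {"app": sp["displayName"], "permission_type": top[0] if top else "None",
            "scope": top[1] if top else "-", "consented_by": top[2] if top else "-",
            "score": score, "risk": level}


def rank_apps(service_principals, grants, assignments, resources, now=NOW):
    """Step 8: score every app and rank from highest to lowest residual risk."""
    rows = [score_app(sp, collect_permissions(sp["id"], grants, assignments, resources), now)
            for sp in service_principals]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in rank_apps(SERVICE_PRINCIPALS, GRANTS, ASSIGNMENTS, RESOURCES):
        print(f"{r['app']:<22}{r['permission_type']:<13}{r['scope']:<26}{r['consented_by']:<21}{r['risk']}")
```

Feeding real Graph output into `rank_apps` only requires the `appRoles` list of each resource service principal so that an `appRoleId` can be translated to a permission value; without that lookup, application permissions show up as opaque GUIDs and the most dangerous grants are the easiest to overlook.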

## Output format

The skill returns a prioritised table of enterprise apps with their consent and risk findings.

| App name | Permission type | Highest-risk scope | Consented by | Risk score |
| --- | --- | --- | --- | --- |
| Contoso Mail Sync | Application | Mail.Read (all mailboxes) | Admin (tenant-wide) | Critical |
| QuickSign PDF | Delegated | Files.ReadWrite.All | Individual user | High |

A short summary follows the table:

- Total enterprise apps and service principals analysed.
- Count of apps holding critical or high-risk permissions.
- Apps consented by individual users versus tenant administrators.
- Unverified or dormant publishers recommended for review.

## Scope and safety

This skill is read-only by default and makes no changes to your tenant. It inspects configuration and grant metadata only, so consent and access remain exactly as they were before the audit.

This skill does NOT:

- Revoke, disable, or delete any application, service principal, or consent grant.
- Modify Conditional Access policies or user consent settings.
- Read the contents of mailboxes, files, or any user data the apps can access.
- Notify application owners or end users.

## Licensing and permissions

### Licences and add-ons

| Capability used | Minimum licence |
| --- | --- |
| Enumerating enterprise apps, OAuth consent grants, and app role assignments | Microsoft Entra ID Free |
| Reviewing Conditional Access coverage for risky apps | Microsoft Entra ID P1 |
| Correlating risky sign-in activity to flag dormant or suspicious apps | Microsoft Entra ID P2 |

### Least-privilege roles

- Security Reader, for read-only visibility of enterprise apps, consent grants, and Conditional Access posture.
- Global Reader, where broader directory read access across the tenant is required.

### Microsoft Graph permissions (read-only)

- `Application.Read.All` — reads enterprise applications, service principals, OAuth2 permission grants, and app role assignments.
- `Directory.Read.All` — reads who consented and the directory context for each app.
- `Policy.Read.All` — reads Conditional Access policies to check whether risky apps are covered.
- `AuditLog.Read.All` — reads sign-in activity to detect dormant or recently active service principals.

## Sources and compliance

- [Manage app consent requests in Microsoft Entra](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/manage-consent-requests)
- [Incident response playbook: app consent grant investigation](https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent)
- Supports the Essential Eight control for restricting and monitoring application access to cloud resources, aligning with application control intent.
- Maps to ISM controls for the authorisation, monitoring, and review of third-party application access to organisational data.
- [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model)
- Output in Australian English.
How to use this skill
  1. Get the file. Download or copy the SKILL.md from the panel above.
  2. Load it into your host:
    • Microsoft 365 Copilot / Copilot Studio — add it as the instructions of a declarative agent or Copilot Studio agent.
    • Claude (Cowork / Claude Code) — drop the file into your skills folder; it loads as an Agent Skill automatically.
    • Any chat host — paste the file contents as your prompt.
  3. Grant read-only access. Assign the least-privilege roles and Microsoft Graph scopes listed under Licensing and permissions in the skill file.
  4. Provide your tenant scope and run it (a site, a collection, or the whole tenant).
  5. Review the report and action the risk-ranked recommendations.

This skill is read-only by default — it inspects and reports, and never changes your tenant.

Licensed under CC BY 4.0  by Educ4te .
