AAD App Consent and Role Abuse

Description

Applications (enterprise apps/service principals) granted excessive Microsoft Graph or other API permissions can read mail and files, manage users and groups, or reach sensitive APIs. Attackers may phish an administrator into consenting to a malicious multi-tenant app, or exploit mis-scoped enterprise apps, to persist and move laterally using app-only tokens that are not tied to any user session.

Examples

List App Permissions

# Permissions the app registration requests (requiredResourceAccess); these are not necessarily granted yet
az ad app permission list --id <appId>
# appRolesAssignedTo is a Graph navigation property and may come back null from this command; the az rest call below is authoritative
az ad sp show --id <appId> --query 'appRolesAssignedTo'
# Application (app-only) permissions actually granted to the service principal
az rest --method GET --url https://graph.microsoft.com/v1.0/servicePrincipals/<spObjectId>/appRoleAssignments

Test Over-Privileged Graph Calls

Use granted tokens to call Graph endpoints beyond intended scope.

# Delegated (OAuth2) grants held by the service principal; compare with the app-only assignments above.
# The URL must be quoted so the shell does not expand $filter.
az rest --method GET --url "https://graph.microsoft.com/v1.0/oauth2PermissionGrants?\$filter=clientId%20eq%20'<spObjectId>'"

Remediation

  1. Enforce admin consent workflows; require verified publishers.
  2. Limit permissions to least privilege; prefer delegated scopes and resource-specific consent; remove app-only permissions where they are not necessary.
  3. Restrict user consent via policy; periodically review enterprise apps and revoke unused permissions; enable conditional access for apps where applicable.
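The periodic review in step 3 can be automated over the JSON the Graph calls under Examples return. The following is an added example (not part of the original page or any Microsoft tooling): it resolves appRoleId values against the resource service principal's appRoles list and flags app-only grants on a watch-list, plus delegated grants admin-consented for all users. The watch-list and the sample records are the editor's own constructions, not tenant data.

```python
# Editor's watch-list of application (app-only) permissions; tune to tenant policy.
HIGH_RISK = {
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
    "Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All", "User.ReadWrite.All",
}

def build_role_index(resource_sps):
    """Map (resource SP id, appRoleId) -> permission name, taken from each
    resource SP's appRoles list (returned by GET /servicePrincipals/{id})."""
    return {(sp["id"], r["id"]): r["value"]
            for sp in resource_sps for r in sp.get("appRoles", [])}

def audit_app_role_assignments(assignments, resource_sps, watch=HIGH_RISK):
    """Return one finding per app-only grant that is on the watch-list or
    whose appRoleId cannot be resolved (worth a manual look either way)."""
    index = build_role_index(resource_sps)
    findings = []
    for a in assignments:
        perm = index.get((a["resourceId"], a["appRoleId"]))
        if perm is None or perm in watch:
            findings.append({"principal": a["principalDisplayName"],
                             "resource": a["resourceDisplayName"],
                             "permission": perm or "UNRESOLVED:" + a["appRoleId"]})
    return findings

def audit_oauth2_grants(grants, watch=HIGH_RISK):
    """Flag delegated grants consented for all users (consentType AllPrincipals)
    that include a watch-list scope; 'scope' is a space-separated string."""
    return [{"client": g["clientId"], "scope": s}
            for g in grants if g["consentType"] == "AllPrincipals"
            for s in g["scope"].split() if s in watch]

# Constructed sample data shaped like the Graph responses (ids are fake).
GRAPH_SP = {"id": "res-graph", "appRoles": [
    {"id": "role-1", "value": "User.Read.All"},
    {"id": "role-2", "value": "Mail.Read"}]}
ASSIGNMENTS = [
    {"principalDisplayName": "HelpdeskBot", "resourceDisplayName": "Microsoft Graph",
     "resourceId": "res-graph", "appRoleId": "role-1"},
    {"principalDisplayName": "MailSync", "resourceDisplayName": "Microsoft Graph",
     "resourceId": "res-graph", "appRoleId": "role-2"},
    {"principalDisplayName": "Legacy", "resourceDisplayName": "Microsoft Graph",
     "resourceId": "res-graph", "appRoleId": "role-gone"}]
GRANTS = [{"clientId": "sp-a", "consentType": "AllPrincipals", "scope": "User.Read Mail.ReadWrite"},
          {"clientId": "sp-b", "consentType": "Principal", "scope": "Mail.ReadWrite"}]
if __name__ == "__main__":
    for f in audit_app_role_assignments(ASSIGNMENTS, [GRAPH_SP]) + audit_oauth2_grants(GRANTS):
        print(f)
```

Feed it the `value` arrays from the appRoleAssignments and oauth2PermissionGrants calls, together with the resource service principals fetched by id, and review every finding before revoking.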