
There is a new phishing technique that abuses user consent to application permissions, but there is also a way to protect your users from it. Check out this video to learn more.

I set out to disable this setting and to audit any existing applications for permissions that grant too much access.

The script starts off with the commands to disable and enable user consent to app permissions. The enable line is commented out and is there only for reference. If you want to learn more about this setting, check here: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?tabs=azure-powershell

Then it grabs all integrated applications in the tenant and checks each one's granted permissions against a set of high-risk scopes. Any application with a match is reported.

The last step outputs the current value of the user consent setting so you can visually confirm it is in fact empty (it should display as {}).
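The matching step above has one subtlety worth seeing in isolation: the Scope property of an OAuth2 permission grant is a single space-separated string (for example "User.Read Mail.Read"), and one application can hold several grants (one per resource and consent type), so the scopes have to be split and flattened before they are compared against the risky list. The following is an added example, not code from the original post: it runs offline against constructed grant objects with no Connect-AzureAD, and the helper Get-RiskyScope, the sample application names and the ObjectId values are all assumptions made for the demonstration.

```powershell
# Added example (not part of the original post): exercises the permission
# matching logic offline on constructed grant objects, without Connect-AzureAD.
# OAuth2PermissionGrant.Scope is one space-separated string per grant, and one
# app can hold several grants, so scopes are split and flattened before matching.

# Subset of the high-risk delegated scopes used in the post's script
$RiskyScopes = @(
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Contacts.Read",
    "Directory.ReadWrite.All", "Group.ReadWrite.All"
)

# Hypothetical helper: returns the individual scope names from a set of grants
# that appear in $Risky. $Grants may be $null, a single grant, or an array.
function Get-RiskyScope {
    param(
        [Parameter(Mandatory = $false)] $Grants,
        [Parameter(Mandatory = $true)] [string[]] $Risky
    )
    $granted = @($Grants) |
        Where-Object { $_ -and $_.Scope } |
        ForEach-Object { ($_.Scope.Trim() -split "\s+") } |
        Where-Object { $_ }
    return @($granted | Where-Object { $Risky -contains $_ } | Sort-Object -Unique)
}

# Constructed sample data shaped like what the real cmdlets return
$SampleApps = @(
    [PSCustomObject]@{ DisplayName = "Contoso Expense Tool"; ObjectId = "00000000-0000-0000-0000-000000000001"
        Grants = @([PSCustomObject]@{ Scope = "User.Read openid profile" }) },
    [PSCustomObject]@{ DisplayName = "Mail Helper"; ObjectId = "00000000-0000-0000-0000-000000000002"
        Grants = @(
            [PSCustomObject]@{ Scope = "User.Read Mail.Read Mail.Send" },          # user-consented grant
            [PSCustomObject]@{ Scope = "Contacts.Read Directory.ReadWrite.All" }   # admin-consented grant
        ) },
    [PSCustomObject]@{ DisplayName = "No Grants Yet"; ObjectId = "00000000-0000-0000-0000-000000000003"
        Grants = $null }
)

# Build the report: one row per app that holds at least one risky scope
$report = foreach ($app in $SampleApps) {
    $hits = Get-RiskyScope -Grants $app.Grants -Risky $RiskyScopes
    if ($hits.Count -gt 0) {
        [PSCustomObject]@{
            Name       = $app.DisplayName
            ObjectId   = $app.ObjectId
            RiskyScope = ($hits -join " ")
        }
    }
}

$report | Format-Table -AutoSize
```

Only "Mail Helper" is reported, because its risky scopes are spread across two grants and embedded in longer scope strings; the app with no grants at all is handled without error. To use the same helper against a live tenant, pass the output of Get-AzureADServicePrincipalOAuth2PermissionGrant as $Grants for each service principal.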

Be sure you have the AzureADPreview module installed; for some reason Get-AzureADMSAuthorizationPolicy is unavailable in the general release. Run Uninstall-Module AzureAD, then Install-Module AzureADPreview.

Connect-AzureAD

#Disable user consent to applications
Set-AzureADMSAuthorizationPolicy -Id "authorizationPolicy" -PermissionGrantPolicyIdsAssignedToDefaultUserRole @()

#Enable user consent to applications (restores the default policy: low-impact permissions from verified publishers only)
#Set-AzureADMSAuthorizationPolicy -Id "authorizationPolicy" -PermissionGrantPolicyIdsAssignedToDefaultUserRole @("managePermissionGrantsForSelf.microsoft-user-default-low")

#Gets ObjectId, AppId, DisplayName of all integrated (enterprise) applications in the tenant
#Tags is a collection, so -contains is used rather than -eq
$IntApps = Get-AzureADServicePrincipal -All:$true | Where-Object { $_.Tags -contains "WindowsAzureActiveDirectoryIntegratedApp" }

#Get tenant information (DisplayName is used in the report)
$Ten = Get-AzureADTenantDetail

#Checks each application's delegated grants for known high-risk permissions.
#Note: the Scope property of a grant is one space-separated string ("User.Read Mail.Read"),
#and an app can hold several grants, so the scopes are split and flattened before matching.
#The original -contains checks compared against the whole string and only matched an exact single scope.
$RiskyScopes = @(
    "Mail.Read", "Mail.Read.Shared", "Mail.ReadBasic", "Mail.ReadBasic.All",
    "Mail.ReadWrite", "Mail.ReadWrite.Shared", "Mail.Send", "Mail.Send.Shared",
    "MailboxSettings.Read", "MailboxSettings.ReadWrite",
    "Calendars.Read", "Calendars.ReadWrite",
    "Contacts.Read", "Contacts.ReadWrite",
    "SecurityActions.Read.All", "SecurityActions.ReadWrite.All",
    "SecurityEvents.Read.All", "SecurityEvents.ReadWrite.All",
    "SMTP.Send",
    "TeamMember.Read.All", "TeamMember.ReadWrite.All", "TeamMember.ReadWriteNonOwnerRole.All",
    "TeamsActivity.Read", "TeamsActivity.Send",
    "User.Export.All", "User.Invite.All", "User.ManageIdentities.All",
    "Directory.ReadWrite.All", "Group.ReadWrite.All"
)
$output = @()
$IntApps | ForEach-Object {
    $app = $_
    #Gets ResourceId and Scope of every grant where this app is the client
    $grants = Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $app.ObjectId
    #Flatten all grants for this app into one list of individual scope names
    $granted = ((@($grants.Scope) -join " ") -split "\s+") | Where-Object { $_ }
    $matched = $granted | Where-Object { $RiskyScopes -contains $_ } | Sort-Object -Unique
    if ($matched) {
        $output += [PSCustomObject] @{
            Client     = $Ten.DisplayName
            Name       = $app.DisplayName
            ObjectID   = $app.ObjectId
            Scope      = ($granted -join " ")
            RiskyScope = ($matched -join " ")
        }
    }
}

$output | Out-GridView
$output | Export-Csv -Path "C:\temp\output.csv" -NoTypeInformation -Append -Force

#Get user consent settings for application permissions (Check PermissionGrantPolicyIdsAssignedToDefaultUserRole is empty)
Get-AzureADMSAuthorizationPolicy -Id "authorizationPolicy" | Select PermissionGrantPolicyIdsAssignedToDefaultUserRole

Disconnect-AzureAD
