OAuth App Consent Followed by Immediate Silent Authentication
13 O Auth Consent Immediate Abuse
Query
let RecentConsents =
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName has_any (
"Consent to application",
"Add app role assignment",
"Add delegated permission grant"
)
| extend ActorUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend AppId = tostring(TargetResources[0].id)
| extend AppName = tostring(TargetResources[0].displayName)
| where isnotempty(ActorUPN)
| project ConsentTime=TimeGenerated, ActorUPN, AppId, AppName, OperationName;
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(24h)
| where ResultType == 0
| join kind=inner RecentConsents
on $left.UserPrincipalName == $right.ActorUPN, $left.AppId == $right.AppId
| where TimeGenerated > ConsentTime
and (TimeGenerated - ConsentTime) < 24h
| summarize
NI_Count = count(),
IPs = make_set(IPAddress),
Countries = make_set(Location),
FirstUse = min(TimeGenerated)
by UserPrincipalName, AppName, AppId, ConsentTime, OperationName
| extend IPAddress = tostring(IPs[0])
| order by ConsentTime descExplanation
This query is designed to detect potential security threats in Azure Active Directory by identifying suspicious OAuth app consent activities. Here's a simplified explanation:
-
Purpose: The query looks for instances where a user grants consent to an OAuth application, and then that application starts making non-interactive sign-ins (silent authentications) within 24 hours. This pattern can indicate a malicious app trying to gain unauthorized access to user data, often through phishing attacks.
-
Data Sources: It uses data from Azure AD Audit Logs and Non-Interactive User Sign-In Logs to track user consent actions and subsequent app activities.
-
Process:
- It first identifies recent consents given to applications by users within the last 24 hours.
- Then, it checks if these applications have started making non-interactive sign-ins within the same 24-hour period after consent was granted.
- It counts these sign-ins and collects information about the IP addresses and locations from which these sign-ins originated.
-
Output: The query generates a summary of these activities, including the number of sign-ins, the IP addresses used, and the countries from which the sign-ins occurred. It orders the results by the time of consent.
-
Alerting: If any such suspicious activity is detected, an alert is generated with details like the user who granted consent, the app name, and the number of sign-ins. The alert suggests investigating whether the consent was obtained through phishing.
-
Severity and Tactics: The query is marked with high severity and is associated with tactics like Credential Access, Persistence, and Initial Access, aligning with specific MITRE ATT&CK techniques related to stealing application access tokens and phishing.
-
Incident Management: If an alert is triggered, it can create an incident in the security system, with options for grouping related alerts to manage them efficiently.
Overall, this query helps security teams identify and respond to potential illicit consent grant attacks, protecting sensitive resources from unauthorized access.
Details

David Alonso
Released: May 29, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 24h