Contact Sales
+1 (614) 423-6718
Support
Blog
Partners
Downloads

Microsoft Entra app with risky write permissions

Home > Threat Directory > Microsoft Entra app with risky write permissions

Microsoft Entra app with risky write permissions

Cayosoft Threat Definition CTD-000010

Table of Contents

Risk Summary
Description
Real-World Scenario
How to Detect (Cayosoft Guardian)
Remediation Steps
How to Prevent It
FAQ
References
Final Thought
Protect Your Active Directory

Tune into Guardians of the Directory Podcast.

Guardians of the Directory
YouTube
Spotify
Apple

Like This Article?​

Subscribe to our LinkedIn Newsletter to receive more educational content

Subscribe now

Risk Summary

Apps with risky permissions pose a threat to a Microsoft Entra tenant by enabling long-term, low-visibility access to sensitive data and the ability to modify tenant configuration.

  • Severity: Critical
  • Platform: Entra ID
  • Category: Enterprise applications
  • MITRE ATT&CK Tactics: Collection, Defense Evasion
  • MITRE D3FEND Tactics: Application Configuration Hardening

Description

Apps with risky permissions pose a threat to your Microsoft Entra tenant. Threat actors can use such Microsoft Entra apps for long-term lowered visibility access to contacts, mail, notes, mailbox settings, user directory, and files. Write permissions allow a threat actor to modify your environment to inflict damage or establish persistence. Microsoft describes the consent grant attack:

  • An attacker registers an app with an OAuth 2.0 provider, such as Microsoft Entra ID.
  • The app is configured in a way that makes it seem legitimate. For example, attackers might use the name of a popular product available in the same ecosystem.
  • The attacker gets a link directly to users via email phishing, compromised websites, or other techniques.
  • The user selects the link and is shown an authentic consent prompt asking them to grant the malicious app permissions to data.
  • If a user selects Accept, the app is granted permissions to access sensitive data.
  • The app gets an authorization code, which it redeems for an access token and potentially a refresh token. The access token is used to make API calls on behalf of the user.
  • If accepted, the attacker can access mails, forwarding rules, files, contacts, notes, profile, and other sensitive data and resources.
Cayosoft Guardian Protector™

Real-World Scenario

A phishing campaign convinces a project manager to grant consent to a look-alike “Docs Sync Assistant” app requesting Mail.Send, Files.ReadWrite.All, and Directory.ReadWrite.All. The attacker uses refresh tokens to persist and silently exfiltrate files and emails while creating hidden mailbox forwarding rules. With directory write permissions, the attacker modifies service principal properties to blend in and assigns additional app roles to expand access without creating new user accounts. Business impact includes unauthorized data sharing, regulatory exposure, and configuration tampering that survives password resets. Cayosoft Guardian flags the service principal for risky write permissions and raises an alert before further lateral movement.

Stop Privilege Escalation—Then Undo It with Cayosoft Guardian

Real-time alerts across AD & Entra ID with one-click rollback.

See it in action

How to Detect (Cayosoft Guardian)

1.) Sign in to Cayosoft Guardian Threat Detection Dashboard.

2.) View All Alerts and search for CTD-000010 or Microsoft Entra app with risky write permissions.

3.) Open any alert and Click for details (from Raise Threat Alert action).

Remediation Steps

Using the remediation advice in Cayosoft Guardian, follow these steps to remove the vulnerability:
  1. ) To review applications with risky permissions and to revoke permissions:
      1. ) Sign in to the Microsoft Entra admin center as an administrator.
      2. ) Under Identity, click Applications > Enterprise Applications.
      3. ) Modify filters if required.
      4. ) Select an app.
      5. ) Review app properties.
      6. ) Click Permissions.
      7. ) Click Review permissions to revoke permissions if necessary.

    .

  2. ) To get a detailed report on the apps’ permissions:
      1. ) Sign in to the computer that you will run the script from with local administrator rights.
      2. ) Download or copy the Get-AzureADPSPermissions.ps1 script from GitHub to a folder from which you will run the script. This will be the same folder to which the output “permissions.csv” file will be written.
      3. ) Open a PowerShell session as an administrator and open the folder where you saved the script to.
      4. ) Connect to your directory using the Connect-AzureAD cmdlet.
      5. ) Run this PowerShell command: .\Get-AzureADPSPermissions.ps1 | Export-csv -Path “Permissions.csv” -NoTypeInformation.
      6. ) Check Permissions.csv file.
      7. ) In the ConsentType column (column G) search for the value “AllPrincipals“. The AllPrincipals permission allows the client application to access everyone’s content in the tenancy. Native Microsoft 365 applications need this permission to work correctly. Every non-Microsoft application with this permission should be reviewed carefully.
      8. ) In the Permission column (column F) review the permissions that each delegated application has to content. Look for “Read” and “Write” permission or “All” permission, and review these carefully because they may not be appropriate.
      9. ) Review the specific users that have consents granted. If high profile or high impact users have inappropriate consents granted, you should investigate further.
      10. ) In the ClientDisplayName column (column C) look for apps that seem suspicious. Apps with misspelled names, super bland names, or hacker-sounding names should be reviewed carefully.

    .

  3. ) To disable an application:
      1. ) Sign in to the Microsoft Entra admin center as the global administrator for your directory.
      2. ) Under Identity, click Applications > Enterprise Applications.
      3. ) Modify filters if required.
      4. ) Search for the application you want to disable a user from signing in, and select the application.
      5. ) Select Properties.
      6. ) Select No for Enabled for users to sign-in?.
      7. ) Select Save.

How to Prevent It

Cayosoft Guardian can proactively detect and alert on Microsoft Entra app with risky write permissions. It continuously monitors Active Directory, Entra ID, Microsoft 365, and Intune for over 200 misconfigurations, providing early warning before attackers can exploit them.

References

FAQ

In the Entra Admin Center, revoke unnecessary permissions, and for clearly malicious apps, disable user sign-in by setting “Enabled for users to sign-in?” to No.

By using Cayosoft Guardian’s Threat Detection Dashboard and filtering alerts by CTD-000010. Alternatively, administrators can run the PowerShell script Get-AzureADPSPermissions.ps1 to export permissions and review apps with broad scopes or suspicious names.

The most dangerous are write- and all-scopes such as Directory.*Write*, User.ManageCreds.All, Mail.Send*, Files.*Write*, and AppRoleAssignment.*Write*. These allow attackers to modify the directory, manage credentials, and exfiltrate data.

Final Thought

Proactive monitoring and timely remediation of configuration risks is essential to maintaining a secure Active Directory and Microsoft 365 environment. By addressing issues like Microsoft Entra app with risky write permissions, you reduce attack surfaces and strengthen your organization’s overall security posture.

Tagged