Preventing Risky OAuth Consent: How to Stop Users Granting Access to Unverified Apps in Microsoft Entra ID.


Introduction.
Modern SaaS platforms frequently ask users to grant access to their Microsoft 365 data via OAuth permissions. While this is intended to improve integrations and productivity, it also presents a significant security risk — especially when users unknowingly grant access to unverified or overly permissive third-party applications.
This post outlines how to prevent users in your organisation from accepting dangerous OAuth prompts like the one shown below — where a third-party app requests full access to mail, calendars, and user profiles.
The Risk.
Attackers — or poorly vetted apps — can abuse the Microsoft identity platform to request OAuth permissions under the guise of being helpful tools. If granted, these apps can:
- Read/send emails on the user’s behalf
- Harvest calendars, personal information, or attachments
- Maintain long-term access even after the user signs out
For example, the app “HubSpot Sales” requests:
- Full read/write access to mail.
- Calendar access.
- Profile and sign-in permissions.
This is not a mild integration — it’s full impersonation. And if the app isn't reviewed properly by IT, the impact could be severe.
Step-by-step: How to block user consent to unverified apps.
Microsoft Entra ID (formerly Azure AD) allows fine-grained control over user consent. Here’s how to lock this down:
Access the Microsoft Entra ID portal.
- Log in to https://entra.microsoft.com.
Navigate to:
- Identity → Applications → Enterprise Applications → Consent and permissions.
Select either:
- Allow user consent for apps from verified publishers, for selected permissions (Recommended)
- Do not allow user consent
Enable the admin consent workflow.
Allow users to request admin approval when they encounter apps that require consent.
To do this:
Navigate to:
- Identity → Applications → Enterprise Applications → Consent and permissions → Admin consent requests.
Select Yes to enable the feature.
- Specify users, groups, or roles who can review admin consent requests.
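The same lockdown and check, scripted, as an added example that is not part of the original post: it reads the tenant's current user-consent setting through the Microsoft Graph PowerShell SDK, lists existing user-granted consents that carry the mail and calendar scopes described above, and shows (commented out) the calls that apply the recommended setting and enable the admin consent workflow. The permission-grant policy IDs and cmdlets are from Microsoft Graph; the risky-scope list and the reviewer object ID are assumptions to adjust for your tenant.

```powershell
# Added example, not from the original post. Requires: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "Policy.Read.All", "Application.Read.All", "Directory.Read.All"

# 1. Which user-consent option is in force? The authorization policy carries the
#    permission grant policy IDs that correspond to the portal's radio buttons.
$authPolicy = Get-MgPolicyAuthorizationPolicy
$assigned   = @($authPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
if ($assigned -contains 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy') {
    $setting = 'Allow user consent for ALL apps (risky)'
} elseif ($assigned -contains 'ManagePermissionGrantsForSelf.microsoft-user-default-low') {
    $setting = 'Verified publishers, selected permissions (recommended)'
} else {
    $setting = 'Do not allow user consent (or a custom grant policy)'
}
Write-Host "Current user consent setting: $setting"

# 2. Consents already granted by individual users (ConsentType 'Principal') that
#    include the scopes this post calls out. $riskyScopes is an assumed list; tune it.
$riskyScopes = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Calendars.ReadWrite', 'Contacts.Read')
$spCache = @{}
Get-MgOauth2PermissionGrant -All | Where-Object { $_.ConsentType -eq 'Principal' } | ForEach-Object {
    $grant  = $_
    $scopes = ($grant.Scope -split ' ') | Where-Object { $_ }
    $hits   = @($scopes | Where-Object { $riskyScopes -contains $_ })
    if ($hits.Count -gt 0) {
        if (-not $spCache.ContainsKey($grant.ClientId)) {
            # Resolve the app once and note whether it has a verified publisher.
            $sp = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
            $verified = [bool]$sp.VerifiedPublisher.VerifiedPublisherId
            $spCache[$grant.ClientId] = "$($sp.DisplayName) (verified publisher: $verified)"
        }
        [pscustomobject]@{
            App         = $spCache[$grant.ClientId]
            GrantedBy   = $grant.PrincipalId      # user object ID; resolve with Get-MgUser if needed
            RiskyScopes = ($hits -join ' ')
        }
    }
} | Format-Table -AutoSize

# 3. Remediation (needs Policy.ReadWrite.Authorization); left commented to avoid accidental changes.
# Apply "Allow user consent for apps from verified publishers, for selected permissions":
# Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId 'authorizationPolicy' -BodyParameter @{
#     DefaultUserRolePermissions = @{
#         PermissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-low')
#     }
# }
# Enable the admin consent workflow with one reviewer (placeholder object ID):
# Update-MgPolicyAdminConsentRequestPolicy -IsEnabled:$true -NotifyReviewers:$true -RequestDurationInDays 30 `
#     -Reviewers @(@{ Query = '/users/<reviewer-object-id>'; QueryType = 'MicrosoftGraph' })
```

Review the table from step 2 before tightening the policy: existing grants are not revoked by changing the consent setting, so any flagged grant to an unverified app still needs to be removed or approved deliberately.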
Conclusion.
OAuth abuse remains one of the more subtle but dangerous security threats in cloud environments. The good news is that Microsoft Entra provides the controls you need, but only if you configure them correctly.
By disabling broad user consent and requiring admin approval, you safeguard organisational data from silent exfiltration and abuse.
Refer to Microsoft Learn - Configure how users consent to applications for more information.
Need help hardening your Microsoft 365 tenant? Feel free to reach out or check my other blogs at blog.cdoherty.co.uk
Written by Ciaran Doherty, AfCIIS, MBCS.