Azure AD Suspicious OAuth Application

  • A third-party cloud application has requested excessive or risky delegated access, which may allow malicious activities to be performed on behalf of the user who granted the permission.

Possible Root Causes

  • An attacker is trying to trick the user into delegating permissions to them, which will enable further malicious activities.
  • A new legitimate third-party application is installed in the organization that requires elevated permissions from users.

Business Impact

  • Malicious applications are able to perform actions with delegated permissions without a user’s knowledge and may be difficult to detect.
  • Depending on the delegated privileges involved, the impact may range from single account takeover to full subscription compromise.

Steps to Verify

  • Validate that this is an authorized application which has been vetted for risk by the security team.
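The following triage helper is an added example, not part of the original detection description: it scans consent-grant audit events for applications outside a security-team allowlist that request risky delegated scopes. The event layout, field names, allowlist and sample events are constructed assumptions modelled loosely on Azure AD audit-log JSON, so map them to your own export before use.

```python
# Added triage example (not part of the original detection description):
# flag "Consent to application" audit events that grant risky delegated
# scopes to apps outside a security-team allowlist.
# The event layout below is constructed; field names are assumptions,
# check them against your own Azure AD audit-log export.
import json

# Delegated Microsoft Graph scopes commonly abused via consent phishing.
RISKY_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Contacts.Read", "offline_access", "Directory.ReadWrite.All",
}

# Hypothetical allowlist of app IDs the security team has vetted.
VETTED_APP_IDS = {"11111111-1111-1111-1111-111111111111"}

# Constructed sample events: one vetted consent, one unvetted, one unrelated.
SAMPLE_EVENTS = [
    {"operationName": "Consent to application", "initiatedBy": "alice@example.com",
     "appId": "11111111-1111-1111-1111-111111111111", "displayName": "Approved CRM",
     "permissions": "Mail.Read offline_access"},
    {"operationName": "Consent to application", "initiatedBy": "bob@example.com",
     "appId": "22222222-2222-2222-2222-222222222222", "displayName": "Free PDF Tool",
     "permissions": "Mail.ReadWrite Files.ReadWrite.All offline_access"},
    {"operationName": "Update user", "initiatedBy": "admin@example.com",
     "appId": None, "displayName": None, "permissions": ""},
]

def flag_risky_consents(events, vetted=VETTED_APP_IDS, risky=RISKY_SCOPES):
    """Return consent events for non-vetted apps that request risky scopes."""
    findings = []
    for ev in events:
        if ev.get("operationName") != "Consent to application":
            continue  # only consent grants are of interest here
        scopes = set(ev.get("permissions", "").split())
        hit = sorted(scopes & risky)
        if ev.get("appId") in vetted or not hit:
            continue  # vetted app, or no risky scope requested
        findings.append({
            "user": ev["initiatedBy"],
            "app": ev["displayName"],
            "appId": ev["appId"],
            "risky_scopes": hit,
        })
    return findings

if __name__ == "__main__":
    for finding in flag_risky_consents(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Each finding names the granting user, the application and the risky scopes so the verification step (confirming the app was vetted) can be completed and, if not, consent can be revoked.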