Skip to content
Threat Feed
high threat

Azure AD Tenant Wide Admin Consent Granted

Detection of admin consent granted to an application within an Azure AD tenant which could lead to data exfiltration and persistence.

This analytic identifies instances where admin consent is granted to an application within an Azure AD tenant. It leverages Azure AD audit logs, specifically events related to the admin consent action within the ApplicationManagement category, and utilizes the azure:monitor:aad sourcetype. This activity is significant because admin consent allows applications to access data across the entire tenant, potentially exposing vast amounts of organizational data. The detection is sourced from Splunk's ES Content and adapted for broader use. Successfully gaining admin consent can grant attackers persistent access and control over the Azure AD environment.

Attack Chain

  1. An attacker compromises an administrator account through phishing or credential stuffing.
  2. The attacker logs into the Azure portal using the compromised administrator credentials.
  3. The attacker navigates to the Azure Active Directory section.
  4. The attacker registers a malicious application or uses an existing compromised application.
  5. The attacker requests tenant-wide admin consent for the malicious application. This often involves tricking the administrator into approving the request.
  6. The administrator grants consent, either unknowingly or due to social engineering.
  7. The malicious application gains access to data across the entire tenant based on the granted permissions.
  8. The attacker uses the application's permissions to exfiltrate sensitive data, establish persistence, or perform other malicious actions.

Impact

Successful exploitation allows attackers to gain extensive and persistent access to sensitive data within the Azure AD tenant. This can lead to data exfiltration, espionage, further malicious activities, and potential compliance violations. The impact spans across all applications and data within the tenant that the application has been granted access to. Lateral movement becomes trivial, and the attacker can establish a strong foothold within the cloud environment.

Recommendation

  • Deploy the Sigma rule "Azure AD Tenant Wide Admin Consent Granted" to your SIEM and tune for your environment.
  • Investigate any instances of admin consent being granted, especially if the application is unfamiliar or the request seems suspicious. Reference the detection results by using the provided drilldown searches.
  • Implement multi-factor authentication (MFA) for all administrator accounts to mitigate the risk of compromised credentials.
  • Regularly review and audit application permissions within Azure AD to identify and remove any unnecessary or overly permissive consents.
  • Monitor Azure AD audit logs for unusual activity, such as unexpected application registrations or consent requests. Enable azure:monitor:aad sourcetype and Auditlogs log category.

Detection coverage 2

Azure AD Tenant Wide Admin Consent Granted

high

Detects when an admin consent is granted to an application for the entire Azure AD tenant

sigma tactics: persistence techniques: T1098.003 sources: dns_query, windows

Azure AD Admin Consent via Modified Properties

medium

Detects admin consent based on modified properties in Azure AD audit logs.

sigma tactics: persistence techniques: T1098.003 sources: file_event, windows

Detection queries are available on the platform. Get full rules →