Monitoring with PowerShell: Monitoring oAuth application changes

Attackers these days are using more and more sneaky techniques to stay inside of your M365 tenant after a breach, oAuth phishing is picking up on popularity real fast and we’re seeing that with these attackers they’re no longer just targeting users, but also focus on administrators.

Of course, for the user portion you can easily protect yourself by disabling users to approve applications, check out my older blog about that here. Admins are a different story. You can’t disable this setting for admins and let’s be honest; mistakes happen. Sometimes you approve an application that wants too many permissions or sometimes there’s an admin that is not 100% sure on what they are doing. This blog helps you cover those, or cover situations in which you cannot disable app consent by normal users.

The Script

The script uses the secure application model, and connects to the graph API to compare the differences between existing applications compared to the last request you made, and as such will alert whenever it finds a modified, deleted, or approved application

######### Secrets #########
$ApplicationId = 'SecureappModelApplicationID'
$ApplicationSecret = 'SecureAppModelSceret'
$RefreshToken = 'SecureAppModelRefreshID'
######### Secrets #########
write-host "Creating credentials and tokens." -ForegroundColor Green
$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, ($ApplicationSecret | Convertto-SecureString -AsPlainText -Force))
$aadGraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes '' -ServicePrincipal
$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes '' -ServicePrincipal
write-host "Creating body to request Graph access for each client." -ForegroundColor Green
$body = @{
    'resource'      = ''
    'client_id'     = $ApplicationId
    'client_secret' = $ApplicationSecret
    'grant_type'    = "client_credentials"
    'scope'         = "openid"

write-host "Connecting to Office365 to get all tenants." -ForegroundColor Green
Connect-MsolService -AdGraphAccessToken $aadGraphToken.AccessToken -MsGraphAccessToken $graphToken.AccessToken
$customers = Get-MsolPartnerContract -All
foreach ($Customer in $Customers) {
    $ClientToken = Invoke-RestMethod -Method post -Uri "$($customer.tenantid)/oauth2/token" -Body $body -ErrorAction Stop
    $headers = @{ "Authorization" = "Bearer $($ClientToken.access_token)" }
    write-host "Looking for changed applications for $($customer.DefaultDomainName)" -ForegroundColor Green
    $ApplicationsURI = "`$deltaToken=latest"
    $URI = (Invoke-RestMethod -Uri $ApplicationsURI -Headers $Headers -Method Get -ContentType "application/json").'@odata.deltaLink'
    $Requests = do {
        $SingleReq = (Invoke-RestMethod -Uri $URI -Headers $Headers -Method Get -ContentType "application/json")
        $URI = $SingleReq.'@odata.nextLink'
    } while ($URI)
if($Requests) { 
    Write-Warning "Found modification in applications for $($customer.DefaultDomainName):"

As always, Happy PowerShelling!

1 Comment

  1. Ryan June 17, 2021 at 12:36 am

    I am a little confused about how it works.
    Am I right in thinking that the API remembers the last time I called it and just returns the changes?
    Can this be used for all data pulled via Graph?

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.