Featured image of post Monitoring with PowerShell: Monitoring oAuth application changes

Monitoring with PowerShell: Monitoring oAuth application changes

Attackers these days are using more and more sneaky techniques to stay inside of your M365 tenant after a breach, oAuth phishing is picking up on popularity real fast and we’re seeing that with these attackers they’re no longer just targeting users, but also focus on administrators.

Of course, for the user portion you can easily protect yourself by disabling users to approve applications, check out my older blog about that here. Admins are a different story. You can’t disable this setting for admins and let’s be honest; mistakes happen. Sometimes you approve an application that wants too many permissions or sometimes there’s an admin that is not 100% sure on what they are doing. This blog helps you cover those, or cover situations in which you cannot disable app consent by normal users.

The Script

The script uses the secure application model, and connects to the graph API to compare the differences between existing applications compared to the last request you made, and as such will alert whenever it finds a modified, deleted, or approved application

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
######### Secrets #########
$ApplicationId = 'SecureappModelApplicationID'
$ApplicationSecret = 'SecureAppModelSceret'
$RefreshToken = 'SecureAppModelRefreshID'
######### Secrets #########
write-host "Creating credentials and tokens." -ForegroundColor Green

$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, ($ApplicationSecret | Convertto-SecureString -AsPlainText -Force))
$aadGraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.windows.net/.default' -ServicePrincipal
$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal

write-host "Creating body to request Graph access for each client." -ForegroundColor Green
$body = @{
    'resource'      = 'https://graph.microsoft.com'
    'client_id'     = $ApplicationId
    'client_secret' = $ApplicationSecret
    'grant_type'    = "client_credentials"
    'scope'         = "openid"
}

write-host "Connecting to Office365 to get all tenants." -ForegroundColor Green
Connect-MsolService -AdGraphAccessToken $aadGraphToken.AccessToken -MsGraphAccessToken $graphToken.AccessToken
$customers = Get-MsolPartnerContract -All
foreach ($Customer in $Customers) {

    $ClientToken = Invoke-RestMethod -Method post -Uri "https://login.microsoftonline.com/$($customer.tenantid)/oauth2/token" -Body $body -ErrorAction Stop
    $headers = @{ "Authorization" = "Bearer $($ClientToken.access_token)" }
    write-host "Looking for changed applications for $($customer.DefaultDomainName)" -ForegroundColor Green
    $ApplicationsURI = "https://graph.microsoft.com/beta/applications/delta/?`$deltaToken=latest"
    $URI = (Invoke-RestMethod -Uri $ApplicationsURI -Headers $Headers -Method Get -ContentType "application/json").'@odata.deltaLink'
    $Requests = do {
        $SingleReq = (Invoke-RestMethod -Uri $URI -Headers $Headers -Method Get -ContentType "application/json")
        $URI = $SingleReq.'@odata.nextLink'
        $singleReq.value
    } while ($URI)

if($Requests) {
    Write-Warning "Found modification in applications for $($customer.DefaultDomainName):"
$Requests
}
}

As always, Happy PowerShelling!

All blogs are posted under AGPL3.0 unless stated otherwise
comments powered by Disqus
Built with Hugo
Theme Stack designed by Jimmy