Protecting against Malicious Azure AD Applications (Part 2: Investigating using MCAS)

In a previous post, I detailed the importance of controlling Azure AD OAuth applications and consent within your environment, and looked at how to add approval for OAuth app requests so that each app is vetted by an admin before consent is granted. With controls and governance in place, it's important to ensure that apps which have been added can be monitored over time and alerted or reported on. Out of the box, classifying and verifying every OAuth app takes a lot of work; however, if you have licensing for Microsoft Cloud App Security (MCAS), the process becomes much easier.

MCAS lets you use Microsoft's pre-created policies to monitor and alert on apps as they are added, and to view a breakdown of the permissions and authorizations associated with each app. You can also grant or block apps directly from within MCAS for easy remediation. In this post, I'll go through the relevant areas of the MCAS portal and how we can react to apps that have been registered in the environment.

OAuth App Policies

Within the "Control" -> "Policies" section of the Cloud App Security portal, filtering by the policy type "OAuth app anomaly detection" presents the list of pre-created policies shown in Figure 1.

Figure 1: OAuth app anomaly detection policies

Using these pre-created policies, we can alert on or react to the conditions each one specifies. For instance, the "Malicious OAuth app consent" policy is triggered when Microsoft Threat Intelligence detects that a potentially malicious app has been connected. Opening the policy shows options for automating alerting, or even response, when the policy is triggered, as shown in Figure 2.

Figure 2: Modifying a policy to alert / react to an event

Within the chosen policy, we can perform several actions:

  1. Trigger an email alert
  2. Trigger a Power Automate Playbook to take a specific response
  3. Automatically revoke the consent to the app

Using the built-in policies, we can customize the actions taken when certain criteria are met; we can also create a custom policy targeting specific criteria, such as particular permissions, as shown in Figure 3.

Figure 3: Custom Policy to detect specific OAuth app permissions

Custom policies can also be assigned actions as with the pre-created policies.

Manage OAuth Apps within MCAS

Aside from policies to alert on and respond to apps, MCAS also lets us assess the apps already in place in the tenant via the "Manage OAuth Apps" functionality. Navigating to "Investigate" -> "OAuth Apps" shows the full list of apps that have been added in the environment (Figure 4).

Figure 4: View OAuth apps in MCAS

From here we can see a large amount of detail about each app, including who authorized it, the level and breakdown of permissions assigned, and recent activity. We can drill down into more information about the app and its publisher, as shown in Figures 5 and 6.

Figure 5: Viewing details of a connected app

Finally, after reviewing the listed apps, we can use the app actions to approve or ban an app in our environment. Banning an app disables it and revokes its permissions, preventing it from connecting to user data. Note that revoking consent does not invalidate access tokens the app has already been issued; those remain usable until they expire, so treat a ban as stopping future access rather than as an instant cut-off.
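As an added example that is not part of the original post and not Microsoft's code, the Python below applies the kind of permission-based policy built in Figure 3 to the same data the "OAuth Apps" view summarises: who consented (admin versus individual users), which delegated scopes were granted, and whether the publisher is external and unverified. The records are shaped like the Microsoft Graph `oauth2PermissionGrant` and `servicePrincipal` resources (the live equivalents come from `GET /oauth2PermissionGrants` and `GET /servicePrincipals`), but every app name, tenant id, user id and the risk-scope lists are constructed assumptions for the demo.

```python
"""
Triage Azure AD OAuth consent grants against a permission policy.

Added example; not code from the original post or from Microsoft.
Records are shaped like the Microsoft Graph `oauth2PermissionGrant` and
`servicePrincipal` resources (clientId, consentType, principalId,
resourceId, scope / displayName, appOwnerOrganizationId, verifiedPublisher),
but every value below is constructed for the demo.
"""
from collections import defaultdict

# Delegated scopes treated as high- and medium-risk. These sets are an
# assumption standing in for the permission filter of a custom MCAS policy.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.ReadWrite.All",
    "Directory.ReadWrite.All", "Directory.AccessAsUser.All",
}
MEDIUM_RISK_SCOPES = {"Contacts.Read", "Calendars.ReadWrite", "Files.ReadWrite"}

HOME_TENANT = "tenant-contoso"  # constructed tenant id of "our" directory

# Constructed client service principals, keyed by the object id that
# oauth2PermissionGrant.clientId points at.
SERVICE_PRINCIPALS = {
    "sp-hr": {"displayName": "Contoso HR Portal", "appOwnerOrganizationId": "tenant-contoso",
              "verifiedPublisher": {"displayName": "Contoso Ltd"}},
    "sp-mailsync": {"displayName": "Mail Sync Pro", "appOwnerOrganizationId": "tenant-9f1c",
                    "verifiedPublisher": None},
    "sp-wiki": {"displayName": "Team Wiki Reader", "appOwnerOrganizationId": "tenant-77ab",
                "verifiedPublisher": {"displayName": "Wiki Tools Inc"}},
}

# Constructed consent grants. consentType "AllPrincipals" is admin consent for
# the whole tenant (principalId is null); "Principal" is a single user's consent.
# resourceId "sp-graph" stands for the Microsoft Graph service principal.
GRANTS = [
    {"clientId": "sp-hr", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-graph", "scope": "User.Read Calendars.ReadWrite"},
    {"clientId": "sp-mailsync", "consentType": "Principal", "principalId": "user-a",
     "resourceId": "sp-graph", "scope": "offline_access User.Read Mail.ReadWrite Mail.Send"},
    {"clientId": "sp-mailsync", "consentType": "Principal", "principalId": "user-b",
     "resourceId": "sp-graph", "scope": "offline_access User.Read Mail.ReadWrite"},
    {"clientId": "sp-wiki", "consentType": "Principal", "principalId": "user-c",
     "resourceId": "sp-graph", "scope": "openid profile User.Read"},
]


def assess_app(client_id, app_grants, sps, home_tenant):
    """Score one client app from all of its consent grants."""
    sp = sps[client_id]
    scopes, users, admin_consented = set(), set(), False
    for grant in app_grants:
        scopes.update(grant["scope"].split())
        if grant["consentType"] == "AllPrincipals":
            admin_consented = True
        elif grant["principalId"]:
            users.add(grant["principalId"])

    high = sorted(scopes & HIGH_RISK_SCOPES)
    medium = sorted(scopes & MEDIUM_RISK_SCOPES)
    external = sp["appOwnerOrganizationId"] != home_tenant
    verified = sp.get("verifiedPublisher") is not None

    score, reasons = 0, []
    if high:
        score += 2
        reasons.append("high-risk scopes: " + ", ".join(high))
    elif medium:
        score += 1
        reasons.append("medium-risk scopes: " + ", ".join(medium))
    if (high or medium) and "offline_access" in scopes:
        score += 1  # refresh tokens keep access alive after the user signs out
        reasons.append("offline_access granted alongside data scopes")
    if (high or medium) and external and not verified:
        score += 1  # third-party app with no verified publisher
        reasons.append("external app from unverified publisher")
    if high and admin_consented:
        score += 1  # admin consent exposes every user, not just the consenters
        reasons.append("admin-consented tenant-wide")

    severity = "high" if score >= 3 else "medium" if score >= 1 else "low"
    return {
        "app": sp["displayName"], "clientId": client_id, "severity": severity,
        "score": score, "admin_consented": admin_consented,
        "users": sorted(users), "scopes": sorted(scopes), "reasons": reasons,
    }


def triage(grants, sps, home_tenant):
    """Group grants per client app and return findings, riskiest first."""
    by_client = defaultdict(list)
    for grant in grants:
        by_client[grant["clientId"]].append(grant)
    findings = [assess_app(cid, g, sps, home_tenant) for cid, g in by_client.items()]
    return sorted(findings, key=lambda f: (-f["score"], f["app"]))


if __name__ == "__main__":
    for f in triage(GRANTS, SERVICE_PRINCIPALS, HOME_TENANT):
        who = "admin (all users)" if f["admin_consented"] else ", ".join(f["users"])
        print(f"[{f['severity'].upper()}] {f['app']} consented by {who}")
        for reason in f["reasons"]:
            print("    -", reason)
```

Grouping by `clientId` matters because a user-consented app shows up as one grant per consenting user, so the number of affected users is only visible once the grants are aggregated; the scoring itself is deliberately simple and should be tuned to the permissions your own custom policy targets.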


MCAS is a fantastic tool for many reasons. As I detailed in the previous post, malicious OAuth apps are a real threat within Office 365 / Azure AD, so it is extremely important to have a process for handling both legitimate and malicious apps in the environment. MCAS brings this together nicely. In my next post I'll take a look at the new MCAS App Governance features to see how they extend and improve upon the protections already available.
