Status: Scaffold — content in progress
OAuth 2.0 is an authorization framework that allows a client to obtain limited access to a resource on behalf of a user. In Entra ID, OAuth2 is the foundation for all Microsoft 365 API access and third-party app integrations.
Grant Types (Flows)
| Flow | Use Case | Attack Risk |
|---|---|---|
| Authorization Code | Web apps (with PKCE for SPA/mobile) | Redirect URI abuse, authorization code/token interception |
| Client Credentials | Service-to-service (no user) | Secret/certificate theft → impersonate app |
| Device Code | Devices without browsers | Device code phishing |
| Implicit | Deprecated; browser-based | Token leakage in URL fragment |
| Resource Owner Password | Legacy; not recommended | Phishing to collect credentials directly |
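The two risks listed for the authorization code flow are both mitigated client-side: PKCE (RFC 7636) ties the authorization code to the client that started the flow, and an exact-match redirect URI allow-list stops the code being sent somewhere else. The following is an added example, not code from the original page or from Microsoft; the tenant, client ID and redirect URI are placeholders, and the verifier/challenge test vector is the one published in RFC 7636 Appendix B.

```python
from __future__ import annotations

import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit

# Hypothetical values for the example; not real tenant or app identifiers.
TENANT = "contoso.example"
CLIENT_ID = "00000000-0000-0000-0000-000000000001"
REGISTERED_REDIRECTS = ("https://app.contoso.example/auth/callback",)


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43 unreserved characters (the RFC 7636 minimum length)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(verifier: str, challenge: str) -> bool:
    """The token endpoint's check when the client redeems the authorization code:
    an intercepted code is useless without the verifier that produced the challenge."""
    return secrets.compare_digest(code_challenge_s256(verifier), challenge)


def redirect_uri_allowed(candidate: str, registered: tuple[str, ...] = REGISTERED_REDIRECTS) -> bool:
    """Exact-match allow-listing. Prefix, host-suffix or wildcard matching is how
    redirect URI abuse works (https://app.contoso.example.evil.tld, /callback/../x).
    Loopback http is tolerated for native apps; everything else must be https."""
    parts = urlsplit(candidate)
    if parts.fragment:
        return False
    if parts.scheme != "https" and parts.hostname not in ("localhost", "127.0.0.1"):
        return False
    return candidate in registered


def build_authorize_url(verifier: str, state: str, redirect_uri: str = REGISTERED_REDIRECTS[0]) -> str:
    """Entra ID v2.0 authorize request for the authorization code flow with PKCE."""
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError(f"redirect_uri not registered: {redirect_uri}")
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": "openid profile User.Read offline_access",
        "state": state,                      # binds the callback to this browser session
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",     # never "plain"
    }
    return f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize?" + urlencode(params)


if __name__ == "__main__":
    v = make_code_verifier()
    print("verifier (keep client-side):", v)
    print(build_authorize_url(v, state=secrets.token_urlsafe(16)))
```

The verifier stays in the client until the code is redeemed; only the challenge travels through the browser. Note that `redirect_uri_allowed` rejects a fragment outright, since a fragment in the redirect is exactly where the implicit flow leaked tokens.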
Tokens
| Token | Lifetime | Contents |
|---|---|---|
| Access Token | 60–90 min by default (configurable via token lifetime policy) | Scopes (`scp`) or app roles (`roles`), user/app claims, audience |
| Refresh Token | 90 days of inactivity (24 h for single-page apps); not configurable | Opaque to the client; redeemed at the token endpoint for new access tokens |
| ID Token | Short | Identity claims (OIDC) |
Key Attack Insight: A stolen refresh token lets the attacker mint fresh access tokens without the victim's password or an MFA prompt, and it keeps working until it hits the 90-day inactivity limit, is revoked (for example with revokeSignInSessions), or the user's password is changed, since Entra ID revokes user refresh tokens on password change. Access tokens already issued stay valid until they expire regardless, because resources do not consult revocation unless Continuous Access Evaluation applies to them, so revoking sessions alone does not end access immediately.
Scopes and Permissions
| Type | Defined By | Examples |
|---|---|---|
| Delegated permissions | App + user | User.Read, Mail.ReadWrite |
| Application permissions | App only (no user) | Mail.Read for all users in tenant |
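The tokens table above lists what an access token carries and the permissions table separates delegated from application permissions; in an Entra ID access token that distinction shows up as an `scp` claim (delegated, space-separated scopes, acting as a user) versus a `roles` claim (application permissions, no user). The example below is added here and is not code from the original page or from Microsoft: it decodes a token without verifying it, classifies it, and reports lifetime and remaining validity. The two sample tokens are constructed with fake tenant, app and object IDs and a fake signature; only the Microsoft Graph audience ID is real.

```python
from __future__ import annotations

import base64
import json
import time

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known Microsoft Graph resource ID


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> tuple[dict, dict]:
    """Header and payload only. Nothing here checks the signature: use this to
    inspect a token you hold, never to decide whether to trust one."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def classify_token(claims: dict, now: int | None = None) -> dict:
    """Delegated tokens carry 'scp'; app-only tokens carry 'roles' (and 'idtyp': 'app'
    when that optional claim was requested)."""
    now = int(time.time()) if now is None else now
    if "scp" in claims:
        kind, perms = "delegated", claims["scp"].split()
    elif "roles" in claims:
        kind, perms = "application", list(claims["roles"])
    else:
        kind, perms = "unknown", []
    return {
        "kind": kind,
        "permissions": perms,
        "audience": claims.get("aud"),
        "tenant": claims.get("tid"),
        "client_app": claims.get("azp") or claims.get("appid"),  # v2.0 tokens use azp, v1.0 appid
        "identity": claims.get("oid"),                            # user or service principal object ID
        "lifetime_min": (claims["exp"] - claims["iat"]) // 60,
        "seconds_left": claims["exp"] - now,
        "expired": now >= claims["exp"],
    }


def make_sample_token(claims: dict) -> str:
    """Constructed token for this example: real header/payload layout, fake signature."""
    def enc(d: dict) -> str:
        return _b64url_encode(json.dumps(d, separators=(",", ":")).encode())
    header = {"typ": "JWT", "alg": "RS256", "kid": "example-kid"}
    return f"{enc(header)}.{enc(claims)}.not-a-real-signature"


# Constructed claim sets (fake IDs) in the shape Entra ID issues; 75-minute lifetime.
DELEGATED = make_sample_token({
    "aud": GRAPH_APP_ID, "tid": "11111111-1111-1111-1111-111111111111",
    "azp": "22222222-2222-2222-2222-222222222222", "oid": "33333333-3333-3333-3333-333333333333",
    "upn": "alice@contoso.example", "scp": "Mail.ReadWrite User.Read",
    "iat": 1_700_000_000, "exp": 1_700_004_500,
})
APP_ONLY = make_sample_token({
    "aud": GRAPH_APP_ID, "tid": "11111111-1111-1111-1111-111111111111",
    "azp": "22222222-2222-2222-2222-222222222222", "oid": "44444444-4444-4444-4444-444444444444",
    "roles": ["Mail.Read"], "idtyp": "app",
    "iat": 1_700_000_000, "exp": 1_700_004_500,
})


def inspect(token: str, now: int | None = None) -> dict:
    _header, claims = decode_jwt_unverified(token)
    return classify_token(claims, now)


if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED), ("app-only", APP_ONLY)):
        print(name, json.dumps(inspect(tok, now=1_700_000_600), indent=2))
```

An app-only token with `roles: ["Mail.Read"]` reads every mailbox in the tenant, which is why the `kind` field matters more than the permission name when triaging a captured token.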
Illicit Consent Grant exploits the consent mechanism rather than credentials: the attacker registers an app, phishes a victim into consenting to broad delegated permissions (e.g., Mail.ReadWrite, typically together with offline_access so the app also receives a refresh token), then reads the victim's data through the app. No password or MFA challenge is involved, so a password reset does not end the access; the permission grant itself has to be revoked.
Telemetry
| Log | Signal |
|---|---|
| Entra Sign-in logs | OAuth flow used (authenticationProtocol, e.g., deviceCode, ropc), client app ID, resource, scopes |
| Entra Audit logs | App consent events ("Consent to application"), permission grants, app role assignments |
| Microsoft 365 Unified Audit Log | Consent events plus workload activity attributed to the calling app (e.g., MailItemsAccessed carries the app/client app ID) |
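The illicit consent grant above and the telemetry table both come down to two records an analyst needs to join: a "Consent to application" audit event granting risky delegated scopes, and sign-ins through that app (or through a phishable flow such as device code). The following detection is an added example, not code from the original page or a Microsoft product; the records are constructed with fake users, app IDs and addresses, and only approximate the Entra sign-in log (Graph signIn) and audit log (directoryAudit) shapes, in particular the `ConsentAction.Permissions` string that the scope regex parses.

```python
from __future__ import annotations

import re

# Constructed records (fake users, app IDs, addresses). Only fields the detection reads are present.
SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "appId": "aaaaaaaa-0000-0000-0000-000000000001",
     "appDisplayName": "Contoso Mail Helper", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.7", "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "appId": "aaaaaaaa-0000-0000-0000-000000000002",
     "appDisplayName": "Contoso Intranet", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.4", "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso.example", "appId": "aaaaaaaa-0000-0000-0000-000000000003",
     "appDisplayName": "Legacy Sync Tool", "authenticationProtocol": "ropc",
     "ipAddress": "198.51.100.9", "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 50126}},
]
AUDITS = [
    {"activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "Contoso Mail Helper", "modifiedProperties": [
         {"displayName": "ConsentContext.IsAdminConsent", "newValue": '["False"]'},
         {"displayName": "ConsentAction.Permissions",
          "newValue": "[] => [[Id: p1, ClientId: aaaaaaaa-0000-0000-0000-000000000001, PrincipalId: u1, "
                      "ResourceId: graph, ConsentType: Principal, Scope: openid profile Mail.ReadWrite offline_access, "
                      "CreatedDateTime: 2024-01-01T00:00:00, ExpiryTime: ]]"}]}]},
    {"activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"displayName": "Contoso Intranet", "modifiedProperties": [
         {"displayName": "ConsentContext.IsAdminConsent", "newValue": '["False"]'},
         {"displayName": "ConsentAction.Permissions",
          "newValue": "[] => [[Id: p2, ClientId: aaaaaaaa-0000-0000-0000-000000000002, PrincipalId: u2, "
                      "ResourceId: graph, ConsentType: Principal, Scope: openid profile User.Read, "
                      "CreatedDateTime: 2024-01-01T00:00:00, ExpiryTime: ]]"}]}]},
]

# Flows that deserve a look whenever they appear; the reason text is what an analyst triages on.
SUSPECT_PROTOCOLS = {
    "deviceCode": "device code flow: phishable, confirm the user really was enrolling a browserless device",
    "ropc": "resource owner password flow: client sent the password itself and cannot satisfy MFA",
}
# Delegated scopes that hand a consented app the victim's data with no further interaction.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All", "Files.ReadWrite.All",
                "MailboxSettings.ReadWrite", "Directory.AccessAsUser.All"}
_SCOPE_RE = re.compile(r"Scope: ([^,\]]*)")
_CLIENT_RE = re.compile(r"ClientId: ([^,\]]*)")


def flag_signins(records: list[dict]) -> list[dict]:
    hits = []
    for r in records:
        proto = r.get("authenticationProtocol")
        if proto in SUSPECT_PROTOCOLS:
            hits.append({"user": r["userPrincipalName"], "app": r["appDisplayName"], "appId": r["appId"],
                         "ip": r["ipAddress"], "protocol": proto,
                         "succeeded": r["status"]["errorCode"] == 0, "reason": SUSPECT_PROTOCOLS[proto]})
    return hits


def _modified_property(record: dict, name: str) -> str:
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == name:
                return prop.get("newValue", "")
    return ""


def flag_consents(records: list[dict]) -> list[dict]:
    hits = []
    for r in records:
        if r.get("activityDisplayName") != "Consent to application":
            continue
        perms = _modified_property(r, "ConsentAction.Permissions")
        scope_m, client_m = _SCOPE_RE.search(perms), _CLIENT_RE.search(perms)
        scopes = scope_m.group(1).split() if scope_m else []
        risky = sorted(set(scopes) & RISKY_SCOPES)
        if not risky:
            continue
        hits.append({"user": r["initiatedBy"]["user"]["userPrincipalName"],
                     "app": r["targetResources"][0]["displayName"],
                     "appId": client_m.group(1) if client_m else "",
                     "admin_consent": "True" in _modified_property(r, "ConsentContext.IsAdminConsent"),
                     "risky_scopes": risky,
                     "refresh_token": "offline_access" in scopes})  # access outlives the session
    return hits


def correlate(signins: list[dict], audits: list[dict]) -> list[dict]:
    """Risky consent followed by sign-ins through the same app ID: the illicit consent grant pattern."""
    consented = {c["appId"]: c for c in flag_consents(audits)}
    return [dict(s, consent=consented[s["appId"]]) for s in flag_signins(signins) if s["appId"] in consented]


if __name__ == "__main__":
    for hit in correlate(SIGNINS, AUDITS):
        print(hit)
```

In production the join key is the app ID, never the display name, since the attacker chooses the display name. User-initiated consent (`admin_consent` false) to a mail or files scope is the case to alert on first; admin consent to the same scopes is a change-control question rather than a phishing one.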
Cross-Links