[Question] Office 365 Oauth2 Access auditing identify objectID

I have one complicated question, and I'm not sure anyone can help me here. Still, I am asking and hoping someone could shed some light on this. I'm looking for a way to easily review this information for hundreds of tenants. I'm looking for a way to convert the output of Get-AzureADOAuth2PermissionGrant into something human readable (at least flagging the ones that require investigation). In this output, PrincipalID is the user and can be decoded by looking at the values from Get-AzureADUser.

Using MFA/Modern Auth with Outlook requires OAuth2 to be enabled at the tenant level, but this in turn opens up tenants to malicious OAuth2 apps maintaining access to an account.

The ClientID value can be decoded by referencing Get-AzureADServicePrincipal.

I'm not exactly sure how to identify ObjectID (or even if this matters). There is also the command Get-AzureADApplication, but where I tested it, this returned nothing. Additionally, I'm hoping that there is a way to identify third-party apps vs. ones Microsoft provides directly. Is that by chance the difference between Get-AzureADServicePrincipal and Get-AzureADApplication?

I haven't dealt too much with Azure AD and PowerShell, so there are most likely things I am missing.

Also, if someone knows of a script that does this already and can point it out to me, I’d be grateful.
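The join described in the post (PrincipalId to Get-AzureADUser, ClientId and ResourceId to Get-AzureADServicePrincipal), as an added example and not a script from the original poster or from Microsoft. It assumes Connect-AzureAD has already been run for the tenant being audited; the list of sensitive scopes is a constructed starting point, and the two Microsoft application-owner tenant IDs are the well-known first-party values (verify them against your own reference list).

```powershell
# Added example: turn Get-AzureADOAuth2PermissionGrant output into a readable
# consent report for one tenant and flag grants worth investigating.
# Note: Get-AzureADApplication only lists app registrations owned by this tenant;
# Get-AzureADServicePrincipal lists every app instantiated here, Microsoft and
# third-party included, which is why the former can come back empty.
$tenantId = (Get-AzureADTenantDetail).ObjectId

# Well-known Microsoft first-party application-owner tenant IDs (verify locally).
$microsoftTenants = @('f8cdef31-a31e-4b4a-93e4-5f571e91255a',
                      '72f988bf-86f1-41af-91ab-2d7cd011db47')

# Constructed list of delegated scopes that merit a closer look on third-party apps.
$sensitiveScopes = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
                     'Files.Read.All', 'Files.ReadWrite.All', 'Directory.ReadWrite.All',
                     'full_access_as_user', 'EAS.AccessAsUser.All', 'IMAP.AccessAsUser.All')

# Cache service principals and users so hundreds of grants do not mean hundreds of lookups.
$spById = @{}
Get-AzureADServicePrincipal -All $true | ForEach-Object { $spById[$_.ObjectId] = $_ }
$userCache = @{}

Get-AzureADOAuth2PermissionGrant -All $true | ForEach-Object {
    $client   = $spById[$_.ClientId]      # the app that was granted access
    $resource = $spById[$_.ResourceId]    # the API it was granted access to (e.g. Microsoft Graph)
    $upn = 'All users (admin consent)'
    if ($_.ConsentType -eq 'Principal' -and $_.PrincipalId) {
        if (-not $userCache.ContainsKey($_.PrincipalId)) {
            $userCache[$_.PrincipalId] = (Get-AzureADUser -ObjectId $_.PrincipalId).UserPrincipalName
        }
        $upn = $userCache[$_.PrincipalId]
    }
    $owner  = if ($client) { $client.AppOwnerTenantId } else { $null }
    $origin = if ($microsoftTenants -contains $owner) { 'Microsoft' }
              elseif ($owner -eq $tenantId)           { 'ThisTenant' }
              else                                    { 'ThirdParty' }
    $hits = @(($_.Scope -split ' ') | Where-Object { $sensitiveScopes -contains $_ })
    $appName = if ($client) { $client.DisplayName } else { "<unknown $($_.ClientId)>" }
    $resName = if ($resource) { $resource.DisplayName } else { $_.ResourceId }
    [pscustomobject]@{
        GrantId     = $_.ObjectId   # the grant record's own id; pass it to Remove-AzureADOAuth2PermissionGrant to revoke
        App         = $appName
        Publisher   = if ($client) { $client.PublisherName } else { $null }
        Origin      = $origin
        Resource    = $resName
        ConsentType = $_.ConsentType
        User        = $upn
        Scope       = $_.Scope
        Investigate = ($origin -eq 'ThirdParty' -and $hits.Count -gt 0)
    }
} | Sort-Object Investigate -Descending | Export-Csv -Path "oauth-grants-$tenantId.csv" -NoTypeInformation
```

Run it once per tenant after connecting to each; rows with Investigate set to True are third-party apps holding one of the listed scopes.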