By Doug Bienstock (@doughsec)
A collection of scripts to help administrators hunt for malicious OAuth applications in cloud environments. Looks for granting of suspicious scopes, frequency of grants, and hopefully a whitelist/blacklist as time goes on.
Requires to be run as an Office 365 Global Admin. Queries the tenant for all OAuthPermission grants and filters them for suspicious entries.
-All
returns All OAuthPermissionGrants
-Scopes
A comma separated list of suspicious scopes to look for. Defaults to "offline_access"
-Threshold
The number of grants in a tenant below which an application is considered suspicious. This is filtered as an OR condition with the scopes parameter.
-Output
Outputs results to CSV
-OutputPath
Where to write the CSV