
How OAuth Consent Phishing Works in Microsoft Entra ID (No Password, No MFA Bypass)

15 April 2026, by Jaspreet Singh

Introduction

Most organizations rely on Multi-Factor Authentication (MFA), which requires users to present more than one form of proof of identity, as a primary defense against account compromise. (Inc., 2023) Attackers have responded by abusing trusted authorization flows, the mechanism by which a user grants an application limited access to their data, rather than stealing credentials at all.

OAuth consent phishing is a significant attack vector that targets user trust in authorization processes. (Protect against consent phishing, 2025)

To illustrate this, the following article draws on my lab experiment (EID-EXP-016) to show how OAuth consent phishing unfolds in Microsoft Entra ID, and specifically why MFA alone does not prevent it.

What is OAuth Consent Phishing?

OAuth consent phishing is an attack in which a user is tricked into granting permissions to a malicious application. OAuth 2.0 is an authorization framework that lets a user grant an application scoped access to their data without ever handing it their password. (What Is OAuth?, 2023)

Rather than stealing credentials, the attacker:

  • Creates a malicious application
  • Requests delegated permissions
  • Tricks the user into granting consent

Once consent is granted, the attacker accesses the Microsoft Graph API (an interface that allows programs to interact with Microsoft cloud resources) using valid tokens. (Protect against consent phishing, 2025)

Why MFA Does Not Stop This Attack

The attack rides on a genuine authentication: the user really signs in and really satisfies MFA. MFA is not bypassed; it is simply not the control under attack, because what the attacker walks away with is an authorization, not a credential.

Authentication flow:

  1. User clicks a consent link.
  2. User logs in normally.
  3. MFA challenge is satisfied.
  4. User grants application permissions.

At this point:

  • Authentication has succeeded with MFA satisfied, so the sign-in log shows a clean, expected event. (Protect against consent phishing, 2025)
  • Authorization is user-approved: the directory records a permission grant that the user explicitly accepted.
  • Tokens issued to the application are indistinguishable from those of any sanctioned app.

Nothing in the sign-in itself is anomalous, because every step followed the legitimate authentication and authorization flow; the only direct record of what happened is the consent event in the audit log. (OAuth consent phishing explained and prevented, 2025)

Lab Overview (EID-EXP-016)

In a controlled Microsoft Entra ID tenant, I simulated this attack using the following setup:

  • A registered application (“Finance Reports Viewer”)
  • Delegated Microsoft Graph permissions:

    • Mail.Read
    • Files.Read
    • User.Read
    • offline_access

A consent URL was generated and provided to a test user.

Attack Flow Breakdown

1. Malicious App Registration

The attacker registers an application and configures the delegated Microsoft Graph permissions it will request. In a real campaign the app is normally registered in a tenant the attacker controls and marked multi-tenant, so that users in any other organization can be asked to consent to it; in this lab it was registered in the test tenant itself.

Key risk:

  • The display name is free text, so "Finance Reports Viewer" looks as legitimate as any line-of-business app.
  • Read-only scopes such as Mail.Read and Files.Read look harmless on the consent screen, yet they expose the whole mailbox and OneDrive.

2. Consent Link Delivery

The attacker sends a crafted OAuth authorization link to the target user.

Example components:

  • client_id
  • redirect_uri
  • scope (Mail.Read, Files.Read, offline_access)
  • prompt=consent
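The components above assemble into a single /authorize URL. The following Python, added here and not part of the lab write-up, builds such a link from those components and then triages a reported link the way a SOC analyst would: it confirms the host is Microsoft's own, extracts the tenant segment, client_id, redirect_uri and scopes, and scores the link on high-impact scopes, offline_access and an unrecognised redirect target. The client_id, tenant segment, redirect URI and the HIGH_RISK_SCOPES set are constructed assumptions, not values from the experiment.

```python
"""Build a Microsoft identity platform consent link and triage a reported one.

Added example, not from the original lab write-up. The tenant segment,
client_id, redirect URI and HIGH_RISK_SCOPES set below are constructed
assumptions, not values from the experiment.
"""
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_HOST = "login.microsoftonline.com"

# Delegated Graph scopes that hand an unfamiliar app a whole mailbox, drive or
# directory. Illustrative, not exhaustive.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read", "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All",
    "Sites.Read.All", "Contacts.Read", "Calendars.Read", "Directory.Read.All",
}


def build_consent_url(tenant, client_id, redirect_uri, scopes, prompt="consent"):
    """Compose the v2.0 /authorize URL from the components listed in step 2.

    tenant is a tenant ID, a verified domain, or 'common'/'organizations'; the
    last two let a multi-tenant app solicit consent from users of any tenant.
    prompt=consent forces the permission screen even for a previously seen app.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "prompt": prompt,
    }
    return f"https://{AUTHORIZE_HOST}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def triage_consent_url(url, trusted_redirect_hosts=frozenset()):
    """Pull a reported link apart and report what a click would actually grant.

    The host is expected to be Microsoft's own: consent phishing does not spoof
    the sign-in page, so the risk lives entirely in the query string.
    """
    parsed = urlparse(url)
    query = parse_qs(parsed.query)

    def first(key):
        return query.get(key, [""])[0]

    path_segments = [s for s in parsed.path.split("/") if s]
    scopes = set(first("scope").split())
    redirect_host = (urlparse(first("redirect_uri")).hostname or "").lower()
    findings = {
        "host_is_microsoft": (parsed.hostname or "").lower() == AUTHORIZE_HOST,
        "tenant": path_segments[0] if path_segments else "",
        "client_id": first("client_id"),
        "redirect_uri": first("redirect_uri"),
        "redirect_trusted": redirect_host in {h.lower() for h in trusted_redirect_hosts},
        "forces_consent": first("prompt") == "consent",
        "persistent": "offline_access" in scopes,  # a refresh token is being requested
        "high_risk_scopes": sorted(scopes & HIGH_RISK_SCOPES),
        "scopes": sorted(scopes),
    }
    # Additive score: standing access to data is the core harm (2); a refresh
    # token (1) and an unrecognised receiver of the auth code (1) each add to it.
    score = 2 if findings["high_risk_scopes"] else 0
    score += 1 if findings["persistent"] else 0
    score += 0 if findings["redirect_trusted"] else 1
    findings["verdict"] = "HIGH" if score >= 3 else "MEDIUM" if score >= 1 else "LOW"
    return findings


if __name__ == "__main__":
    link = build_consent_url(
        tenant="common",
        client_id="11111111-2222-3333-4444-555555555555",  # placeholder app ID
        redirect_uri="https://finance-reports-viewer.example/callback",  # attacker-side receiver
        scopes=["Mail.Read", "Files.Read", "User.Read", "offline_access"],
    )
    print(link)
    for key, value in triage_consent_url(link, trusted_redirect_hosts={"apps.contoso.example"}).items():
        print(f"{key:>18}: {value}")
```

Note that `host_is_microsoft` comes back true for the malicious link as well; that is the point of the attack, and it is why the verdict is driven by the scopes and the redirect target rather than by the domain the user sees.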

The link points at the genuine Microsoft sign-in endpoint (login.microsoftonline.com): the domain, certificate and sign-in page are all real, and only the query string carries the attacker's intent.

3. User Authentication and Consent

The user:

  • Authenticates successfully
  • Completes MFA
  • Clicks “Accept” on the consent screen.

Granting consent at this step completes the compromise.

4. Token Issuance and API Access

Once consent is granted:

  • Access tokens are issued to the attacker's application.
  • A refresh token is issued as well, because offline_access was among the requested scopes.

The application can now call Microsoft Graph on the user's behalf, for example:

  • /me/messages → read the user's mail
  • /me/drive/root/children → list and fetch files from OneDrive

5. Persistence via Refresh Tokens

The offline_access permission grants long-term access by allowing applications to use refresh tokens to access resources even when the user is not actively logged in. (ConsentFix OAuth Phishing Explained: How Token-Based Attacks Bypass MFA in Microsoft Entra ID, 2026)

Implications:

  • No need for repeated authentication: the application redeems the refresh token for new access tokens in the background, without the user present.
  • Access persists even if the user changes their password. (Protect against consent phishing - Microsoft Entra ID, 2025) According to Microsoft's documentation, a password change revokes refresh tokens issued to public clients but leaves those held by a confidential client, such as a registered web app with a client secret, alive (Refresh tokens in the Microsoft identity platform, 2024), and the consent grant itself is unaffected either way. Containment therefore means deleting the OAuth2 permission grant (or the service principal) and revoking the user's refresh tokens, not a password reset.

Detection Challenges

This attack is difficult to distinguish from normal activity:

  • Successful login events
  • Legitimate Microsoft endpoints
  • No failed authentication attempts

Detection requires monitoring:

  • Consent to new applications
  • Unusual service principals
  • Abnormal Graph API usage

Detection Strategy (Technical)

Entra ID Logs to Monitor:

  • Audit Logs

    • Activity: Consent to application (category ApplicationManagement). The event names the app and the consenting user and, in its modified properties, records whether it was admin consent and which scopes were granted.
  • Sign-in Logs

    • Interactive sign-ins whose Application is the newly consented app (its application ID and display name are recorded on the event)
    • Non-interactive user sign-ins for the same application, which is where refresh-token redemptions appear after the user has walked away

Indicators of Compromise:

  • Newly created enterprise applications
  • Apps with high-risk delegated permissions
  • Unfamiliar publisher or naming patterns
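To turn the audit-log indicator above into a detection, the following Python, added here rather than taken from the lab, parses "Consent to application" events in the shape returned by Graph's /auditLogs/directoryAudits (activityDisplayName, targetResources, modifiedProperties), pulls admin-versus-user consent and the granted scopes out of the ConsentAction.Permissions text, and alerts on user consents to unsanctioned apps that include data-access scopes or offline_access. The three sample events, their GUIDs, the "known apps" list and the HIGH_RISK_SCOPES set are constructed assumptions.

```python
"""Flag risky 'Consent to application' events in Microsoft Entra ID audit logs.

Added example, not from the original lab. The events are constructed to mirror
Graph /auditLogs/directoryAudits records (directoryAudit field names, JSON-quoted
newValue strings, and the "[] => [[Id: ..., Scope: ...]]" rendering of
ConsentAction.Permissions seen in real logs). GUIDs and names are placeholders.
"""
import re

HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read", "Files.Read.All",
                    "Files.ReadWrite.All", "Sites.Read.All", "Contacts.Read", "Directory.Read.All"}
GUID = r"[0-9a-fA-F-]{36}"
SCOPE_RE = re.compile(r"Scope:\s*([^,\]]*)")
CLIENT_RE = re.compile(rf"ClientId:\s*({GUID})")
PRINCIPAL_RE = re.compile(rf"PrincipalId:\s*({GUID})")

# Template for the ConsentAction.Permissions text; ResourceId is the Graph service principal (placeholder).
PERMS = ("[] => [[Id: {gid}, ClientId: {sp}, PrincipalId: {user}, ResourceId: eeeeeeee-0000-0000-0000-000000000003, "
         "ConsentType: {ctype}, Scope: {scope}, CreatedDateTime: , ExpiryTime: ]]")


def _consent_event(time, upn, app, sp_id, admin, perms):
    """Constructed directoryAudit record for one consent."""
    return {"activityDateTime": time, "activityDisplayName": "Consent to application",
            "category": "ApplicationManagement", "result": "success",
            "initiatedBy": {"user": {"userPrincipalName": upn}},
            "targetResources": [{"type": "ServicePrincipal", "id": sp_id, "displayName": app, "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent", "oldValue": None, "newValue": f'"{admin}"'},
                {"displayName": "ConsentAction.Permissions", "oldValue": None, "newValue": f'"{perms}"'}]}]}


SAMPLE_AUDIT_EVENTS = [
    _consent_event("2026-04-15T10:12:03Z", "test.user@contoso.example", "Finance Reports Viewer",
                   "cccccccc-0000-0000-0000-000000000001", "False",
                   PERMS.format(gid="g1", sp="cccccccc-0000-0000-0000-000000000001",
                                user="dddddddd-0000-0000-0000-000000000001", ctype="Principal",
                                scope="Mail.Read Files.Read User.Read offline_access")),
    _consent_event("2026-04-15T09:01:44Z", "admin@contoso.example", "Contoso Expense Portal",
                   "cccccccc-0000-0000-0000-000000000002", "True",
                   PERMS.format(gid="g2", sp="cccccccc-0000-0000-0000-000000000002", user="",
                                ctype="AllPrincipals", scope="Mail.Read User.Read")),
    {"activityDateTime": "2026-04-15T08:30:00Z", "activityDisplayName": "Add user",
     "category": "UserManagement", "result": "success", "targetResources": []},
]


def _modified(props, name):
    """newValue of the named modifiedProperty with its JSON quotes stripped, or ''."""
    for prop in props:
        if prop.get("displayName") == name:
            return (prop.get("newValue") or "").strip().strip('"')
    return ""


def parse_consent_event(event):
    """Normalise a successful 'Consent to application' event; None for anything else."""
    if event.get("activityDisplayName") != "Consent to application" or event.get("result") != "success":
        return None
    target = next((t for t in event.get("targetResources", []) if t.get("type") == "ServicePrincipal"), None)
    if target is None:
        return None
    props = target.get("modifiedProperties", [])
    perms = _modified(props, "ConsentAction.Permissions")
    client, principal = CLIENT_RE.search(perms), PRINCIPAL_RE.search(perms)
    return {
        "time": event.get("activityDateTime"),
        "user": event.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", ""),
        "app": target.get("displayName", ""),
        "client_id": client.group(1) if client else target.get("id", ""),  # service principal object id
        "principal_id": principal.group(1) if principal else "",          # consenting user's object id
        "admin_consent": _modified(props, "ConsentContext.IsAdminConsent").lower() == "true",
        "scopes": sorted({s for m in SCOPE_RE.finditer(perms) for s in m.group(1).split()}),
    }


def detect_risky_consents(events, known_apps=frozenset()):
    """Alert on user (non-admin) consents to unsanctioned apps that grant data access or a refresh token."""
    alerts = []
    for event in events:
        consent = parse_consent_event(event)
        if consent is None or consent["admin_consent"] or consent["app"] in known_apps:
            continue
        risky = sorted(set(consent["scopes"]) & HIGH_RISK_SCOPES)
        persistent = "offline_access" in consent["scopes"]
        if not (risky or persistent):
            continue  # e.g. User.Read openid profile: low value, no standing access
        reasons = ["user consent to an unsanctioned app"]
        if risky:
            reasons.append("high-risk scopes: " + " ".join(risky))
        if persistent:
            reasons.append("offline_access granted: refresh token outlives the session")
        alerts.append({**consent, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_risky_consents(SAMPLE_AUDIT_EVENTS, known_apps={"Contoso Expense Portal"}):
        print(f"{a['time']} {a['user']} -> {a['app']} ({a['client_id']}): {'; '.join(a['reasons'])}")
```

The `client_id` and `principal_id` the parser returns are the two identifiers containment needs: together they locate the oAuth2PermissionGrant to delete, and the principal is the user whose refresh tokens must be revoked.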

Mitigation and Hardening

1. Disable User Consent

  • Restrict users from granting app permissions.
  • Require admin approval (Security guidance - Protect identities and secrets - Microsoft Entra | Microsoft Learn, 2026)

2. Enable Admin Consent Workflow

  • Review and approve all applications. (Admin Consent Workflow for Applications Not Configured, 2023)
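Steps 1 and 2 correspond to two tenant-wide policy objects: the user consent setting is the set of ManagePermissionGrantsForSelf.* permission grant policies listed in authorizationPolicy.defaultUserRolePermissions.permissionGrantPoliciesAssigned, and the admin consent workflow is adminConsentRequestPolicy. The following Python, added here and not part of the original article, reads those two documents (constructed here to mirror only the fields of the Graph responses that the check uses) and reports whether the tenant meets the baseline of user consent disabled plus a workflow with named reviewers; the weak configuration is shown beside the hardened one. The reviewer GUID is a placeholder.

```python
"""Check tenant consent settings against the two hardening steps above.

Added example, not from the original article. The policy documents are
constructed to mirror the parts of Graph GET /policies/authorizationPolicy and
GET /policies/adminConsentRequestPolicy responses that this check reads.
"""

SELF_GRANT_PREFIX = "ManagePermissionGrantsForSelf."
# Built-in permission grant policies that control what ordinary users may consent to.
LEGACY_POLICY = SELF_GRANT_PREFIX + "microsoft-user-default-legacy"  # any app, any delegated permission
LOW_RISK_POLICY = SELF_GRANT_PREFIX + "microsoft-user-default-low"   # verified publishers, low-impact permissions

# Constructed: the permissive configuration a consent-phishing campaign relies on.
WEAK_AUTHZ = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [LEGACY_POLICY]}}
WEAK_REQUESTS = {"isEnabled": False, "reviewers": []}

# Constructed: user consent off, requests routed to a named reviewer. The Teams
# resource-specific consent entry is left in place; it is not user consent to apps.
HARDENED_AUTHZ = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [
    "ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-chat"]}}
HARDENED_REQUESTS = {"isEnabled": True, "notifyReviewers": True, "remindersEnabled": True,
                     "requestDurationInDays": 30,
                     "reviewers": [{"query": "/users/aaaaaaaa-0000-0000-0000-000000000001",
                                    "queryType": "MicrosoftGraph"}]}


def classify_user_consent(authorization_policy):
    """'unrestricted', 'limited' or 'disabled', from the ManagePermissionGrantsForSelf.* policies assigned."""
    assigned = authorization_policy.get("defaultUserRolePermissions", {}).get("permissionGrantPoliciesAssigned", [])
    self_grants = [p for p in assigned if p.startswith(SELF_GRANT_PREFIX)]
    if not self_grants:
        return "disabled"
    if LEGACY_POLICY in self_grants:
        return "unrestricted"
    return "limited"  # e.g. microsoft-user-default-low or a custom policy


def assess_consent_posture(authorization_policy, admin_consent_request_policy):
    """Evaluate steps 1 and 2: user consent disabled, admin consent workflow on with reviewers."""
    user_consent = classify_user_consent(authorization_policy)
    workflow_on = bool(admin_consent_request_policy.get("isEnabled"))
    reviewers = admin_consent_request_policy.get("reviewers") or []
    findings = []
    if user_consent == "unrestricted":
        findings.append("any user can consent to any app for any delegated permission; "
                        "a 'Finance Reports Viewer' asking for Mail.Read is granted on the spot")
    elif user_consent == "limited":
        findings.append("users may still self-consent to admin-classified low-impact permissions from "
                        "verified publishers; Mail.Read/Files.Read from an unverified app is blocked")
    if not workflow_on:
        findings.append("admin consent workflow is off: blocked users have no sanctioned request path")
    elif not reviewers:
        findings.append("admin consent workflow is on but has no reviewers, so requests are never actioned")
    return {
        "user_consent": user_consent,
        "admin_consent_workflow": workflow_on and bool(reviewers),
        "meets_baseline": user_consent == "disabled" and workflow_on and bool(reviewers),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, authz, requests in (("weak", WEAK_AUTHZ, WEAK_REQUESTS), ("hardened", HARDENED_AUTHZ, HARDENED_REQUESTS)):
        result = assess_consent_posture(authz, requests)
        print(f"{label}: user_consent={result['user_consent']} meets_baseline={result['meets_baseline']}")
        for finding in result["findings"]:
            print("  -", finding)
```

To move a tenant from the weak shape to the hardened one, PATCH /policies/authorizationPolicy with the hardened defaultUserRolePermissions body and PATCH /policies/adminConsentRequestPolicy with isEnabled true and at least one reviewer; the same check can then be re-run against the live responses.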

3. Monitor Application Activity

  • Track Graph API usage
  • Identify abnormal access patterns. (Protect against consent phishing - Microsoft Entra ID, 2025)

4. Apply Conditional Access and App Governance

  • Conditional Access can restrict which cloud apps users may sign in to and enforce session controls on the ones they can. (Developer guidance for Microsoft Entra Conditional Access, 2023)
  • App Governance in Microsoft Defender for Cloud Apps surfaces OAuth apps with high-privilege or anomalous permissions and can disable them.

Key Takeaways

  • MFA is not a complete defense against identity attacks
  • OAuth consent phishing abuses trust, not credentials.
  • Users become the authorization point.
  • Tokens provide persistent access without re-authentication

This makes OAuth-based attacks one of the most effective and stealthy techniques in modern cloud environments. (Protect against consent phishing - Microsoft Entra ID, 2025)

Final Thoughts

As identity becomes the primary security perimeter, organizations must shift their focus from authentication alone to include authorization and application governance.

If you are not monitoring OAuth application activity, your organization may already be at risk.

Related Evidence & Guidance

Full Hands-on Lab (F11)



References

(2024). Refresh tokens in the Microsoft identity platform. Microsoft Learn. https://docs.microsoft.com/en-us/entra/identity-platform/refresh-tokens

(2025). Protect against consent phishing - Microsoft Entra ID. Microsoft Learn. https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/protect-against-consent-phishing

(2026). Security guidance - Protect identities and secrets - Microsoft Entra. Microsoft Learn. https://learn.microsoft.com/en-us/entra/fundamentals/zero-trust-protect-identities

(2023). Admin Consent Workflow for Applications Not Configured. Tenable. https://www.tenable.com/indicators/ioe/entra/ADMIN-CONSENT-WORKFLOW-FOR-APPLICATIONS-NOT-CONFIGURED

(2023). Developer guidance for Microsoft Entra Conditional Access. Microsoft Learn. https://learn.microsoft.com/en-us/entra/identity-platform/v2-conditional-access-dev-guide
