Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Detecting Malicious Entra OAuth Apps with LLM-Based Permission Risk Scoring

Ashim Mahara

TL;DR

This paper tackles the risk of malicious OAuth consent and app registrations in Microsoft Entra ID by proposing a permission-centric detection framework. It builds a comprehensive corpus of Microsoft Graph permissions and assigns LLM-generated risk scores to each permission, enabling deterministic aggregation into per-app risk; these scores feed a real-time detection pipeline with explainable rationale traces. The authors release a public dataset covering 769 permissions across eight open-source LLMs, plus open-source code for a tenant-oriented detector that emits alerts and stores state for longitudinal analysis. The framework supports continuous monitoring of OAuth grants and app roles, leveraging floors, caps, synergy, and spike logic to detect abrupt privilege escalations. The work demonstrates that a permission-first approach can meaningfully identify over-privileged or rogue apps in Entra ID without requiring complete app descriptions, with practical implications for enterprise cloud security.

Abstract

This project presents a unified detection framework that constructs a complete corpus of Microsoft Graph permissions, generates consistent LLM-based risk scores, and integrates them into a real-time detection engine to identify malicious OAuth consent activity.

Detecting Malicious Entra OAuth Apps with LLM-Based Permission Risk Scoring

TL;DR

This paper tackles the risk of malicious OAuth consent and app registrations in Microsoft Entra ID by proposing a permission-centric detection framework. It builds a comprehensive corpus of Microsoft Graph permissions and assigns LLM-generated risk scores to each permission, enabling deterministic aggregation into per-app risk; these scores feed a real-time detection pipeline with explainable rationale traces. The authors release a public dataset covering 769 permissions across eight open-source LLMs, plus open-source code for a tenant-oriented detector that emits alerts and stores state for longitudinal analysis. The framework supports continuous monitoring of OAuth grants and app roles, leveraging floors, caps, synergy, and spike logic to detect abrupt privilege escalations. The work demonstrates that a permission-first approach can meaningfully identify over-privileged or rogue apps in Entra ID without requiring complete app descriptions, with practical implications for enterprise cloud security.

Abstract

This project presents a unified detection framework that constructs a complete corpus of Microsoft Graph permissions, generates consistent LLM-based risk scores, and integrates them into a real-time detection engine to identify malicious OAuth consent activity.

Paper Structure

This paper contains 63 sections, 6 equations, 21 figures, 12 tables.

Table of Contents

  1. Introduction
  2. Motivation
  3. Key Contributions
  4. Background
  5. Open Authentication (OAuth) Authorization Framework
  6. OAuth Workflow
  7. Authorization Codes and Access Tokens
  8. OAuth 2.0 Implementation in Microsoft Entra ID
  9. Resource Permissions in Entra ID
  10. LLMs in Cybersecurity
  11. Related Work
  12. Threat Models and Advanced Attacks
  13. Consent Phishing
  14. Threat Vector within Entra ID
  15. Malicious Application Registration
  16. ...and 48 more sections

Figures (21)

  • Figure 1: OAuth Protocol Flow
  • Figure 2: OAuth2 Authorization Code Flow with Refresh Token (Microsoft Identity Platform OwenRichards1
  • Figure 3: Rogue Application Detection Framework
  • Figure 4: Detection Pipeline Overview
  • Figure 5: Standard Deviation of Scores
  • ...and 16 more figures