OAuth Consent Grants
Surface Security monitors and controls third-party application authorizations made via Microsoft sign-in, protecting your organization against one of the most effective account-takeover techniques in use today: OAuth consent phishing.
The threat: illicit consent grants
When an employee signs in with their Microsoft account, they sometimes see a consent screen asking them to allow a third-party app access to their mail, calendar, contacts, or files. Attackers craft malicious or over-privileged apps that look legitimate and target employees with these consent prompts.
Unlike credential phishing, the attacker never needs the employee's password. Once the employee clicks Accept, the app receives an access token that:
- Persists as long as the app is active — it does not expire with the session.
- Survives a password reset. Changing the employee's password does not revoke existing token grants.
- Gives the attacker ongoing, quiet access to read mail, download files, or access contacts — from any location, using the app's own sign-in.
Surface Security intercepts this attack at the consent screen, before the employee clicks Accept. It can warn the employee to think twice, or block the consent screen entirely, based on the permissions the app is requesting and the policies you configure.
The OAuth Consent Grants page
Navigate to Dashboard > OAuth > Consent Grants to see a complete inventory of every third-party app your employees have encountered via Microsoft sign-in.
Each row in the roster represents one app and shows:
| Column | What it tells you |
|---|---|
| App | Display name and application identifier |
| Publisher | Whether the app is a Microsoft first-party app, a Surface-verified app, or unverified |
| Scopes (risk) | A count of the permissions requested and their highest risk level |
| Risk | The overall risk rating for the app: Critical, High, Medium, or Low |
| Users | How many employees have encountered this app's consent prompt |
| Last seen | When the most recent consent event was recorded |
| Policy | Your current decision for the app: Allow, Warn, Block, or no decision yet |
The roster defaults to showing the highest-risk apps first.