T1528 (Steal Application Access Token)

Title
Administrative or automated tasks that involve accessing the Microsoft Graph API using the specified client application ID and tenant ID, such as provisioning or managing resources.
Authorized third-party applications or services that use the specified client application ID to access Microsoft Graph API resources for legitimate purposes.
False positives may occur if users are granting consents as part of legitimate application integrations or setups. It is crucial to review the application and the permissions it requests to ensure they align with organizational policies and security best practices.
In most organizations, device code authentication will be used to access common Microsoft services, but it may be legitimate for others. Filter as needed.
Legitimate device registrations using the Microsoft Authentication Broker may occur during corporate enrollment scenarios or bulk provisioning, but it is uncommon for multiple source IPs to register the same identity across Microsoft Graph, Device Registration Service (DRS), and Azure Active Directory (AAD) in a short time span.
Microsoft's algorithm to identify risky applications is unknown and may flag legitimate applications.
OAuth applications that require file permissions may be legitimate; investigate and filter as needed.
OAuth applications that require mail permissions may be legitimate; investigate and filter as needed.
This detection is low-volume and is seen infrequently in most organizations. When this detection appears it is high risk, and users should be remediated.
unknown
unlikely
update_known_false_positives
Users authenticating from multiple devices and using the device code protocol or the Visual Studio Code client.
Users legitimately accessing the Microsoft Graph API using the specified client application ID and tenant ID. This may include authorized applications or services that interact with Microsoft Graph on behalf of users.
Users may deny consent for legitimate applications by mistake; filter as needed.
We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
When an administrator is making legitimate URI configuration changes to an application. This should be a planned event.
When the permission is legitimately needed for the app.