Skip to content
No description, website, or topics provided.
Branch: master
Clone or download
Douglas Bienstock
Latest commit 742a384 May 21, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE Initial commit May 21, 2018 Update May 21, 2018
get-suspiciousoauth.ps1 csv output May 21, 2018


By Doug Bienstock (@doughsec)

A collection of scripts to help administrators hunt for malicious OAuth applications in cloud environments. Looks for granting of suspicious scopes, frequency of grants, and hopefully a whitelist/blacklist as time goes on.



Requires to be run as an Office 365 Global Admin. Queries the tenant for all OAuthPermission grants and filters them for suspicious entries.


-All returns All OAuthPermissionGrants

-Scopes A comma separated list of suspicious scopes to look for. Defaults to "offline_access"

-Threshold The number of grants in a tenant below which an application is considered suspicious. This is filtered as an OR condition with the scopes parameter.

-Output Outputs results to CSV

-OutputPath Where to write the CSV

You can’t perform that action at this time.