Risky OAuth consent grants

Identifies OAuth consent grants (delegated permissions that a user or an administrator has consented to for an application) whose scope includes high-privilege Microsoft Graph permissions such as Mail.ReadWrite, Files.ReadWrite.All, or Directory.ReadWrite.All. A tenant-wide (admin-consented) grant of such a permission lets the application act with that privilege on behalf of every user.

Category
Application Security
Default severity
Critical
Rule key
CHECK_APP_CONSENT_GRANTS
Last updated

How to fix it

Review each OAuth consent grant that carries a high-privilege permission: confirm the application still needs it and that its publisher is trusted. Revoke grants that are no longer needed, and pay particular attention to grants consented for all users, which apply tenant-wide. Then enable the admin consent workflow, and restrict user consent so that users cannot grant these permissions themselves; requests are routed to an administrator for review instead.
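The following is an added example of the detection logic this rule describes, together with the revoke step from the fix. It is illustrative code, not EntraAnalyzer's implementation, and it runs offline on constructed records shaped like the Graph API's servicePrincipal and oauth2PermissionGrant objects (the names, ids and appIds in the sample data are made up; the two extra scopes Mail.Send and Sites.ReadWrite.All are an assumed extension of the page's list). In a live tenant the records would come from GET /servicePrincipals and GET /oauth2PermissionGrants using the read-only permissions listed below.

```python
"""Added example: flag risky OAuth2 consent grants from Microsoft Graph data.

Illustrative code, not EntraAnalyzer's own. Runs offline on constructed
sample records shaped like Graph's /servicePrincipals and
/oauth2PermissionGrants (delegated permission grants) objects.
"""

from dataclasses import dataclass
from typing import Optional

# Permissions named on the page, plus two assumed additions that a reviewer
# would usually treat the same way.
RISKY_SCOPES = frozenset({
    "Mail.ReadWrite",
    "Files.ReadWrite.All",
    "Directory.ReadWrite.All",
    "Mail.Send",            # assumed addition
    "Sites.ReadWrite.All",  # assumed addition
})

GRAPH_BASE = "https://graph.microsoft.com/v1.0"

# Constructed sample data (not from a real tenant). Field shapes follow Graph:
# oauth2PermissionGrant.scope is a space-separated list of delegated scopes;
# consentType is "AllPrincipals" (admin, tenant-wide) or "Principal" (one user).
SERVICE_PRINCIPALS = [
    {"id": "sp-graph-0001", "displayName": "Microsoft Graph",
     "appId": "00000003-0000-0000-c000-000000000000"},
    {"id": "sp-client-0002", "displayName": "Contoso Mail Sync",
     "appId": "11111111-1111-1111-1111-111111111111"},
    {"id": "sp-client-0003", "displayName": "Calendar Widget",
     "appId": "22222222-2222-2222-2222-222222222222"},
]

OAUTH2_PERMISSION_GRANTS = [
    {"id": "grant-A", "clientId": "sp-client-0002", "resourceId": "sp-graph-0001",
     "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read offline_access Mail.ReadWrite"},
    {"id": "grant-B", "clientId": "sp-client-0003", "resourceId": "sp-graph-0001",
     "consentType": "Principal", "principalId": "user-7a1",
     "scope": "User.Read Calendars.Read"},
    {"id": "grant-C", "clientId": "sp-client-0002", "resourceId": "sp-graph-0001",
     "consentType": "Principal", "principalId": "user-7a1",
     "scope": " Files.ReadWrite.All "},  # stray whitespace, tolerated below
]


@dataclass
class Finding:
    grant_id: str
    client: str
    resource: str
    consent_type: str
    principal_id: Optional[str]
    risky_scopes: tuple

    @property
    def tenant_wide(self) -> bool:
        """AllPrincipals grants apply to every user in the tenant."""
        return self.consent_type == "AllPrincipals"

    @property
    def revoke_request(self) -> str:
        """Graph request that removes this consent grant entirely."""
        return f"DELETE {GRAPH_BASE}/oauth2PermissionGrants/{self.grant_id}"


def parse_scopes(scope: Optional[str]) -> set:
    """Split Graph's space-separated scope string; tolerates None and extra spaces."""
    return set((scope or "").split())


def find_risky_grants(grants, service_principals, risky=RISKY_SCOPES) -> list:
    """Return one Finding per grant whose scope intersects the risky set."""
    names = {sp["id"]: sp["displayName"] for sp in service_principals}
    findings = []
    for g in grants:
        hit = parse_scopes(g.get("scope")) & risky
        if not hit:
            continue
        findings.append(Finding(
            grant_id=g["id"],
            client=names.get(g["clientId"], g["clientId"]),      # unknown SP: keep id
            resource=names.get(g["resourceId"], g["resourceId"]),
            consent_type=g.get("consentType", ""),
            principal_id=g.get("principalId"),
            risky_scopes=tuple(sorted(hit)),
        ))
    # Tenant-wide grants first so the report leads with the widest exposure.
    findings.sort(key=lambda f: (not f.tenant_wide, f.client, f.grant_id))
    return findings


if __name__ == "__main__":
    for f in find_risky_grants(OAUTH2_PERMISSION_GRANTS, SERVICE_PRINCIPALS):
        who = "all users" if f.tenant_wide else f"user {f.principal_id}"
        print(f"{f.grant_id}: {f.client} -> {f.resource} "
              f"[{', '.join(f.risky_scopes)}] for {who}")
        print(f"    revoke with: {f.revoke_request}")
```

Only delegated grants are covered here: application permissions (app roles assigned to a service principal) live in a separate Graph collection and need a separate check. Deleting an oauth2PermissionGrant removes every scope in it; to keep the benign scopes and drop only the risky ones, PATCH the grant's scope value instead.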

Required Microsoft Graph permissions

EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:

  • Application.Read.All
  • Directory.Read.All

Further reading

Microsoft documentation →

Run this check on your tenant

EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.

Get started — free first scan →