C-AZ-APP-CONSENTPrivilege Escalation

Entra App Consent Phishing

Trick a privileged user into consenting to an OAuth app with Directory.ReadWrite.All / RoleManagement.ReadWrite — app gets persistent tenant access.

§ Where this technique fits

C-AZ-APP-CONSENT is catalogued under the Privilege Escalation tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 4 on average.

§ Dossiers chaining this technique

Entra app consent phishing → Global Admin equivalent
Phish a privileged user to consent to an OAuth app requesting Directory.ReadWrite.All + RoleManagement.ReadWrite.Directory — the app then grants itself Global Administrator.
step 4 / 6

§ What commonly comes next

01
Azure RBAC Owner Assignment
C-AZ-RBAC-OWNER · Privilege Escalation
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Entra app consent phishing → Global Admin equivalent

§ What commonly comes next