Why Disabling User Consent in Microsoft 365 Is Critical for Preventing Data Breaches

In the world of cloud security, one small setting can open the door to major breaches. One such setting in Microsoft 365—User Consent for Applications—has become a growing target for cybercriminals looking to exploit businesses through social engineering and OAuth abuse.

At Mile High Cyber, we help businesses proactively identify these risks before they become incidents. One of our top recommendations: disable user consent for third-party applications unless absolutely necessary.

What Is “User Consent” in Microsoft 365?

Depending on how the tenant's consent settings are configured (the legacy default is the permissive one), Microsoft 365 may allow individual users to consent to third-party applications accessing organizational data through the Microsoft Graph API. This means a user can click "Accept" on a seemingly harmless prompt and grant an app access to:

  • Their mailbox

  • Calendar

  • Contacts

  • OneDrive files

  • Microsoft Teams messages

  • And any other delegated permission that Microsoft does not classify as admin-only. Permissions such as read/write access to every user in the directory still require an administrator, but the user-consentable set already covers most of a person's working data

This behavior is governed by the User consent settings page in the Microsoft Entra admin center (Identity > Applications > Enterprise applications > Consent and permissions), which in the old Azure AD portal lived under Enterprise applications > User settings.

The Problem: Phishing Meets OAuth Abuse

Threat actors now combine phishing with malicious OAuth apps to gain persistent, legitimate access to corporate M365 data. The user signs in normally and satisfies MFA; the attacker never touches a password, so there is no failed-login spike, no impossible-travel alert, and no MFA anomaly, only an ordinary user granting an application a permission.

Once a user is tricked into consenting, the attacker's app receives a valid access token (and, if the app requested offline_access, a refresh token) and can:

  • Read or exfiltrate emails

  • Steal files from SharePoint and OneDrive

  • Keep access by refreshing its token. A password reset on its own does not delete the consent grant, so a responder who only changes the password and never revokes sessions or removes the grant leaves the foothold in place

  • Impersonate users in Teams or Outlook for internal phishing

Real-World Example: Midnight Blizzard’s OAuth Exploits

In January 2024, Microsoft disclosed an intrusion into its own corporate environment that it attributed to the Russian state-sponsored group Midnight Blizzard (also tracked as Nobelium and APT29). The initial foothold was a password spray against a legacy, non-production test tenant account rather than consent phishing, but the persistence and mailbox access that followed relied on OAuth applications: the actor abused an existing test application with elevated access, created additional malicious OAuth apps, and granted them the Exchange Online full_access_as_app role to read corporate mailboxes. The lesson is the one this article is about: an application holding a standing grant is a credential that outlives password changes and never sees an MFA prompt. Consent phishing campaigns against ordinary tenants follow the same pattern without needing a sprayed password:

  • A deceptive app, branded as a productivity tool or a document viewer, is registered in an attacker-controlled tenant

  • A phishing link sends the target through the genuine Microsoft consent prompt, which asks for permissions such as Mail.Read, Files.Read.All and offline_access

  • Once the user clicks Accept, the app holds a refresh token, and the access persists while defenders hunt for compromised credentials that were never stolen

This type of abuse flies under the radar of many traditional security tools because no password was stolen and no MFA was bypassed: the user signed in legitimately, passed MFA, and then willingly granted the access. In the logs it looks like a normal login followed by token issuance to an application, which is only suspicious if someone is watching consent events.

The Solution: Disable User Consent by Default

M365 admins can and should disable user consent unless it is strictly necessary, and pair that change with the admin consent workflow so the IT or security team vets each integration before it is approved rather than leaving users to find a workaround.

To disable user consent:

  1. Sign in to the Microsoft Entra admin center (formerly Azure AD) and go to Identity > Applications > Enterprise applications > Consent and permissions > User consent settings

  2. Under "User consent for applications", choose:

    • Do not allow user consent (recommended: every third-party app goes through an administrator)

      • or Allow user consent for apps from verified publishers, for selected permissions (a middle ground: low-impact permissions from publisher-verified apps still pass without review, so the attack surface shrinks but does not close)

      • and avoid Allow user consent for apps, the legacy default that lets any user grant any delegated permission

  3. Under Admin consent settings, enable the admin consent workflow and assign reviewers (who must hold Cloud Application Administrator or a higher role) so users who hit the block can request approval instead of bypassing IT

This simple change closes the door on a highly effective phishing and persistence technique.
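The same change, scripted with the Microsoft Graph PowerShell SDK so it can be applied consistently and verified afterwards. This is an added example, not code from the original post; the reviewer address and the 30-day request window are placeholders to replace with your own, and the account running it needs Global Administrator or Privileged Role Administrator.

```powershell
# Added example: disable user consent and enable the admin consent workflow
# with the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Assumptions: the reviewer UPN below is a placeholder; you hold a role that
# can edit the authorization policy and the admin consent request policy.

Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConsentRequest", "User.Read.All"

# 1. Inspect the current state. The list of permission grant policies decides
#    what users may consent to on their own:
#      empty list                                              -> Do not allow user consent
#      ManagePermissionGrantsForSelf.microsoft-user-default-low    -> verified publishers, selected permissions
#      ManagePermissionGrantsForSelf.microsoft-user-default-legacy -> any user, any app (risky legacy default)
$policy = Get-MgPolicyAuthorizationPolicy
"Before: " + ($policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -join ", ")

# 2. Disable user consent entirely by assigning no grant policy.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @()
}

# 3. Turn on the admin consent workflow so blocked users can request a review.
#    Reviewers are referenced by Graph query; the UPN is a placeholder.
$reviewerUpn = "appsec-reviewer@example.com"   # assumption: replace with a real reviewer
$reviewer    = Get-MgUser -UserId $reviewerUpn

$workflow = @{
    isEnabled             = $true
    notifyReviewers       = $true
    remindersEnabled      = $true
    requestDurationInDays = 30          # assumption: how long a request stays open
    reviewers             = @(
        @{ query = "/users/$($reviewer.Id)"; queryType = "MicrosoftGraph" }
    )
}
Invoke-MgGraphRequest -Method PUT `
    -Uri "https://graph.microsoft.com/v1.0/policies/adminConsentRequestPolicy" `
    -Body $workflow

# 4. Verify both settings rather than trusting the calls succeeded.
$policy = Get-MgPolicyAuthorizationPolicy
if ($policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned.Count -eq 0) {
    "OK: user consent is disabled"
} else {
    Write-Warning ("User consent is still allowed: " +
        ($policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -join ", "))
}
$acp = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/adminConsentRequestPolicy"
"Admin consent workflow enabled: $($acp.isEnabled)"
```

If the business needs the middle option instead, set PermissionGrantPoliciesAssigned to @("ManagePermissionGrantsForSelf.microsoft-user-default-low") in step 2; everything else stays the same. Run the verification block on a schedule: a Global Administrator, or an attacker holding that role, can flip the setting back silently.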

Recommended Security Practices

  • Disable user consent globally, and implement admin approval workflows

  • Review existing Enterprise Applications for suspicious or unused consents

  • Audit the Entra ID audit log for "Consent to application" events and the sign-in log for tokens issued to unfamiliar applications

  • Use Microsoft Defender for Cloud Apps or similar CASB tools to monitor OAuth activity

  • Train users to be suspicious of application permission prompts, not just email links
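Disabling consent stops new grants but does nothing about the ones already in place, and the persistence point above (a password reset leaves the grant intact) is exactly why the review matters. The script below is an added example, not code from the original post: it lists every delegated grant in the tenant, flags the scopes that let an app read mail and files or hold a refresh token, and shows the three remediation calls. The "risky scope" list is an assumption to tune for your environment, and the remediation lines are commented out so nothing is revoked by accident.

```powershell
# Added example: find existing consent grants worth reviewing and show how to
# remove one. Uses the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Assumption: the scope list below is a starting point, not a complete policy.

Connect-MgGraph -Scopes "Directory.Read.All", "DelegatedPermissionGrant.ReadWrite.All", "User.RevokeSessions.All"

# Scopes that expose mail, files or chat, or let the app keep a refresh token.
$riskyScopes = @("Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All",
                 "Files.ReadWrite.All", "Chat.Read", "Contacts.Read", "offline_access")

# Resolve each application's service principal once and cache it.
$spCache = @{}
function Get-CachedServicePrincipal([string]$id) {
    if (-not $spCache.ContainsKey($id)) {
        $spCache[$id] = Get-MgServicePrincipal -ServicePrincipalId $id `
            -Property "Id,AppId,DisplayName,PublisherName,VerifiedPublisher,AppOwnerOrganizationId"
    }
    return $spCache[$id]
}

$findings = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    # ConsentType "Principal" = one user consented for themselves (the case this
    # article is about); "AllPrincipals" = an admin consented tenant-wide. Review both.
    $sp     = Get-CachedServicePrincipal $grant.ClientId
    $scopes = $grant.Scope -split " " | Where-Object { $_ }
    $hits   = $scopes | Where-Object { $riskyScopes -contains $_ }
    if ($hits) {
        [pscustomobject]@{
            GrantId     = $grant.Id
            ConsentType = $grant.ConsentType
            App         = $sp.DisplayName
            AppId       = $sp.AppId
            Publisher   = if ($sp.VerifiedPublisher.DisplayName) {
                              "verified: " + $sp.VerifiedPublisher.DisplayName
                          } else {
                              "UNVERIFIED (" + $sp.PublisherName + ")"
                          }
            PrincipalId = $grant.PrincipalId     # empty for tenant-wide grants
            RiskyScopes = ($hits -join " ")
        }
    }
}

# Unverified publishers with mail or file access sort to the top of the review.
$findings | Sort-Object Publisher, App | Format-Table -AutoSize

# Remediation for a grant you decide is malicious. All three steps matter:
# removing the grant alone leaves already-issued refresh tokens valid until the
# sessions are revoked, and revoking sessions alone leaves the grant for re-use.
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId "<GrantId from the table>"
# Revoke-MgUserSignInSession -UserId "<PrincipalId from the table>"
# Update-MgServicePrincipal -ServicePrincipalId "<Id of the app's service principal>" -AccountEnabled:$false
```

Treat an UNVERIFIED publisher asking for Mail.Read plus offline_access as a priority finding, and cross-check the GrantId against the "Consent to application" audit events to see who approved it and when. Export the table before remediating so the incident record keeps the app and principal identifiers.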

Final Thoughts

Attackers are evolving. They're no longer just stealing credentials—they're asking users to hand over the keys willingly. At Mile High Cyber, we help organizations take a proactive stance against these kinds of threats. Disabling user consent is a critical step toward closing off this often-overlooked attack vector.

If your organization hasn’t reviewed its M365 user consent policies recently, now is the time. Contact us today to schedule a security assessment or Microsoft 365 hardening review.
