Researchers Analyze ChatGPT OAuth Consent Risk

Red Canary's Threat Research team presents a 2025-12-02 Entra ID case study showing a ChatGPT third-party service principal granted Mail.Read and offline_access permissions for TestUser@ContosoCorp.onmicrosoft.com from IP 3.89.177.26. The benign-classified investigation outlines required Azure AuditLogs events, detection correlation by CorrelationId, and remediation steps, offering practical guidance for detecting and mitigating OAuth consent attacks across Microsoft Entra tenants.