This repository contains PowerShell scripts designed to mitigate the ConsentFix / OAuth authorization-code phishing technique targeting Microsoft Entra ID tenants.
The scripts implement Microsoft-recommended hardening by:
- Requiring explicit assignment to selected Microsoft first-party service principals
- Assigning access via a security group
- Preventing unassigned users from authenticating to the targeted OAuth public-client apps (e.g. Azure CLI), which are otherwise open to every user in the tenant
This approach significantly reduces tenant-wide exposure while preserving access for approved users.
ConsentFix is an identity phishing technique that abuses legitimate Microsoft OAuth flows for pre-consented first-party applications (such as Azure CLI and PowerShell). Users can be socially engineered into completing an OAuth sign-in and unknowingly providing an authorization code, which attackers can redeem for access tokens.
This is not a traditional CVE; it is an abuse of expected OAuth behavior combined with social engineering. Mitigation focuses on restricting which users are allowed to authenticate to these applications.
Script: (0)Identify-EntraAppRole-AuthCodeFix.ps1

Purpose:
- Identifies whether the target Microsoft first-party service principals exist in the tenant
- Reports whether AppRoleAssignmentRequired is enabled on each of them
- Helps assess current exposure
Use when:
- You want a read-only assessment before making changes
Script: (1)CreateRestrict-EntraAppRole-AuthCodeFix.ps1

Purpose:
- Creates a security group (if it does not already exist)
- Ensures service principals exist for the specified Microsoft app IDs
- Sets AppRoleAssignmentRequired = true on each service principal
- Assigns the security group to each service principal
This is the primary mitigation script.
Key behaviors:
- Reuses an existing group if the display name already exists
- Fails safely if multiple groups share the same name
- Validates the group is security-enabled
- Avoids duplicate app role assignments
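The following is an added example, not one of the project's scripts, showing how the behaviors listed above map onto Microsoft Graph PowerShell SDK calls: look the group up by display name and refuse to continue if the name is ambiguous, create it only if missing, reject a group that is not security-enabled, create missing service principals, set AppRoleAssignmentRequired, and skip the assignment when the group already holds the default access role. The two app IDs are the well-known Azure CLI and Azure PowerShell IDs used as sample defaults; the project itself reads targets from AppTargets-AuthCodeFix.json. The script supports -WhatIf through ShouldProcess.

```powershell
<#
  Added example, not one of the project's scripts. Assumes the Microsoft.Graph SDK
  is installed and the signed-in account holds one of the roles listed under
  prerequisites. Run with -WhatIf first to see the planned changes.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $GroupDisplayName,
    # Well-known Microsoft app IDs used here as sample defaults (assumption);
    # the project takes its targets from AppTargets-AuthCodeFix.json instead.
    [string[]] $AppIds = @(
        '04b07795-8ddb-461a-bbee-02f9e1bf7b46',   # Microsoft Azure CLI
        '1950a258-227b-4e31-a9cf-717495945fc2'    # Microsoft Azure PowerShell
    )
)

# Apps that define no app roles are assigned through the all-zero "default access" role.
$DefaultAccessRoleId = '00000000-0000-0000-0000-000000000000'

Connect-MgGraph -NoWelcome -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'Group.ReadWrite.All'

try {
    # Look the group up by display name; refuse to guess if the name is ambiguous.
    $escapedName = $GroupDisplayName -replace "'", "''"
    $candidates = @(Get-MgGroup -Filter "displayName eq '$escapedName'" -All)
    if ($candidates.Count -gt 1) {
        throw "Multiple groups are named '$GroupDisplayName'; rename or remove the extras first."
    }
    $group = $candidates | Select-Object -First 1
    if ($group) {
        if (-not $group.SecurityEnabled) {
            throw "Group '$GroupDisplayName' exists but is not security-enabled."
        }
        Write-Host "Reusing existing group $($group.Id)"
    } elseif ($PSCmdlet.ShouldProcess($GroupDisplayName, 'Create security group')) {
        $group = New-MgGroup -DisplayName $GroupDisplayName -SecurityEnabled:$true `
            -MailEnabled:$false -MailNickname ($GroupDisplayName -replace '[^A-Za-z0-9]', '')
    }

    foreach ($appId in $AppIds) {
        # The assignment requirement lives on the service principal, so one must exist
        # in this tenant before it can be restricted.
        $sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
        if (-not $sp) {
            if (-not $PSCmdlet.ShouldProcess($appId, 'Create service principal')) { continue }
            $sp = New-MgServicePrincipal -AppId $appId
        }

        if (-not $sp.AppRoleAssignmentRequired -and
            $PSCmdlet.ShouldProcess($sp.DisplayName, 'Set AppRoleAssignmentRequired = true')) {
            Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true
        }

        if (-not $group) { continue }   # under -WhatIf a new group was not created

        # Re-runs must not create duplicate assignments: check for an existing one first.
        $already = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
            Where-Object { $_.PrincipalId -eq $group.Id -and $_.AppRoleId -eq $DefaultAccessRoleId }
        if ($already) {
            Write-Host "$($sp.DisplayName): group already assigned"
        } elseif ($PSCmdlet.ShouldProcess("$GroupDisplayName -> $($sp.DisplayName)", 'Assign group')) {
            New-MgGroupAppRoleAssignment -GroupId $group.Id -PrincipalId $group.Id `
                -ResourceId $sp.Id -AppRoleId $DefaultAccessRoleId | Out-Null
        }
    }
}
finally {
    Disconnect-MgGraph -ErrorAction SilentlyContinue | Out-Null
}
```

Setting AppRoleAssignmentRequired before the group is assigned briefly blocks everyone; for a production tenant, populate the group first and run the script during a change window.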
Script: (2)List-EntraAppRole-RequiredGroups-AuthCodeFix.ps1

Purpose:
- Lists which groups are assigned to each protected service principal
- Useful for validation, audits, and documentation
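An added read-only example, not one of the project's scripts, that combines the Identify assessment described earlier with this validation step: for each target app it reports whether a service principal exists, whether AppRoleAssignmentRequired is set, and which groups hold an assignment, and it warns when the flag is set but no group is assigned (a state that locks out everyone except directly assigned users). The sample app IDs are the well-known Azure CLI and Azure PowerShell IDs; only read scopes are requested.

```powershell
<#
  Added example, not one of the project's scripts. Assumes the Microsoft.Graph SDK;
  read-only, so it is safe to run before any change.
#>
param(
    # Sample well-known Microsoft app IDs (assumption); the project reads its
    # targets from AppTargets-AuthCodeFix.json.
    [string[]] $AppIds = @(
        '04b07795-8ddb-461a-bbee-02f9e1bf7b46',   # Microsoft Azure CLI
        '1950a258-227b-4e31-a9cf-717495945fc2'    # Microsoft Azure PowerShell
    )
)

Connect-MgGraph -NoWelcome -Scopes 'Application.Read.All'

try {
    $report = foreach ($appId in $AppIds) {
        $sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
        if (-not $sp) {
            # No service principal yet: nothing enforces assignment, so treat as exposed.
            [pscustomobject]@{
                AppId = $appId; DisplayName = '(no service principal)'; Exists = $false
                AssignmentRequired = $false; AssignedGroups = @(); UserAssignments = 0; Exposed = $true
            }
            continue
        }

        $assignments = @(Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All)
        $groups = @($assignments | Where-Object PrincipalType -eq 'Group' | ForEach-Object PrincipalDisplayName)
        $required = [bool]$sp.AppRoleAssignmentRequired

        if ($required -and $groups.Count -eq 0) {
            Write-Warning "$($sp.DisplayName): assignment is required but no group is assigned; only directly assigned users can sign in."
        }

        [pscustomobject]@{
            AppId = $appId; DisplayName = $sp.DisplayName; Exists = $true
            AssignmentRequired = $required; AssignedGroups = $groups
            UserAssignments = @($assignments | Where-Object PrincipalType -eq 'User').Count
            # Exposed means any user in the tenant can complete a sign-in to this app.
            Exposed = (-not $required)
        }
    }

    $report | Format-Table AppId, DisplayName, Exists, AssignmentRequired, Exposed,
        @{ Name = 'AssignedGroups'; Expression = { $_.AssignedGroups -join ', ' } }
}
finally {
    Disconnect-MgGraph -ErrorAction SilentlyContinue | Out-Null
}
```

The UserAssignments count is worth watching after enforcement: direct user assignments bypass the group, so any that appear without a change ticket deserve a look.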
Script: (3)Invoke-EntraAppRole-AuthCodeFix.ps1

Purpose:
- Runs identify → (optional) enforce → validate in a single workflow
- Starts a transcript log for auditability
- Supports -WhatIf and scoped app include/exclude options
All functionality is now implemented in a single script: EntraAppRole-AuthCodeFix.ps1.

Modes:
- Identify
- Enforce
- Validate
- RunAll

Examples:

```powershell
.\EntraAppRole-AuthCodeFix.ps1 -Mode Identify -ProfileName baseline-dev-tools
.\EntraAppRole-AuthCodeFix.ps1 -Mode Enforce -GroupDisplayName "Restricted-Microsoft-CLI-Access" -ProfileName baseline-dev-tools -WhatIf
.\EntraAppRole-AuthCodeFix.ps1 -Mode RunAll -GroupDisplayName "Restricted-Microsoft-CLI-Access" -ProfileName baseline-dev-tools -Transcript
```

The legacy numbered scripts remain as compatibility wrappers and call the unified script.
All scripts now use AppTargets-AuthCodeFix.json as a single source of truth for target app IDs.
Built-in profiles:
- baseline-dev-tools (default)
- strict-admin-only

Each script supports:
- -ProfileName
- -IncludeAppIds
- -ExcludeAppIds
- PowerShell 7.x recommended
- Microsoft Graph PowerShell SDK installed:

```powershell
Install-Module Microsoft.Graph -Scope CurrentUser
```

- Account with one of the following roles:
  - Global Administrator
  - Privileged Role Administrator
The scripts request the following delegated permissions:
- Application.ReadWrite.All
- AppRoleAssignment.ReadWrite.All
- Group.ReadWrite.All
These permissions are required to:
- Modify service principals
- Assign app roles
- Create or read security groups
Run the full workflow:

```powershell
.\(3)Invoke-EntraAppRole-AuthCodeFix.ps1 -GroupDisplayName "Restricted-Microsoft-CLI-Access" -ProfileName baseline-dev-tools
```

Dry-run with -WhatIf:

```powershell
.\(3)Invoke-EntraAppRole-AuthCodeFix.ps1 -GroupDisplayName "Restricted-Microsoft-CLI-Access" -ProfileName baseline-dev-tools -WhatIf
```

Or run the steps individually:

1. Assess current state

   ```powershell
   .\(0)Identify-EntraAppRole-AuthCodeFix.ps1
   ```

2. Apply mitigation (create/reuse group and restrict apps)

   ```powershell
   .\(1)CreateRestrict-EntraAppRole-AuthCodeFix.ps1 -GroupDisplayName "Restricted-Microsoft-CLI-Access"
   ```

3. Validate assignments

   ```powershell
   .\(2)List-EntraAppRole-RequiredGroups-AuthCodeFix.ps1
   ```
The mitigation targets commonly abused Microsoft first-party public-client apps, including:
- Microsoft Azure CLI
- Microsoft Azure PowerShell
- Visual Studio
- Visual Studio Code
- Microsoft Teams PowerShell Cmdlets
You can customize scope by selecting a profile and/or using -IncludeAppIds and -ExcludeAppIds.
- Do not assign this group broadly. Only users who genuinely need CLI/dev tooling should be members. Membership must be direct: app role assignment does not honor nested group membership.
- Consider managing group membership via Privileged Identity Management (PIM).
- Restricting these apps may impact developers or administrators; users who are not members of the group will fail sign-in with error AADSTS50105. Test in a pilot tenant if possible.
- This mitigation does not remediate already-compromised accounts. Use standard incident response actions if compromise is suspected.
- The scripts are designed to be safe to re-run (idempotent where possible).
- Group lookup is performed by display name — ensure uniqueness.
- All Graph sessions are explicitly disconnected after execution.
These scripts are provided as-is. Review and test in your environment before production use. Ensure changes align with your organization’s security and access governance policies.
- Push Security – ConsentFix research https://pushsecurity.com/blog/consentfix
- Microsoft Entra ID documentation https://learn.microsoft.com/en-us/entra/identity/
- MSEndpointMgr ConsentFix Quick Fix https://msendpointmgr.com/2026/01/08/consentfix-quickfix/
Maintainers: Security / Identity Engineering