Recent attacker activity made me think that access might have been gained through an OAuth app. Keeping an eye on app permissions is important. From a PowerShell perspective, it is reasonably straightforward to retrieve details of app permissions using the Microsoft Graph PowerShell SDK. Several methods are available to do the job.
Entra ID registered apps can authenticate using app secrets and certificates. These credentials expire over time, so it’s good to review app credential expiration dates periodically. This article explains how to use the Microsoft Graph PowerShell SDK to generate a report about app credential expiration dates to allow tenant administrators to manage registered apps a little better…
The preview app instance property lock feature designed to improve the security of Entra ID registered apps is becoming the default for new apps. In this article, we describe how to update the app instance property lock to reflect the new default setting using cmdlets from the Microsoft Graph PowerShell SDK, including a script you can download and run.