Audit logs hold lots of information, including records for when Azure AD consent permission grants happen. Checking the audit data can detect illicit grants. Records are in the Azure AD audit log and are also ingested into the Office 365 (unified) audit log, so there’s two places to check. The audit data is interesting and could help administrators work out if a permission grant is illicit. But only if checks are made and people review the reports.