Spot check Granted OATH permissions. Attackers are utilizing malicious OATH grants for persistence.

GetGrantedOATHPerms.ps1

Get-AzureADServicePrincipal `
  -Filter "serviceprincipaltype eq 'Application'" -All $true -PipelineVariable sp `
  | Get-AzureADServicePrincipalOAuth2PermissionGrant `
    -top 1 `
    | select @{N="SPDisplayname";E={$sp.displayname}}, @{N="SPObjectid";E={$sp.objectid}}, consenttype, scope

#https://twitter.com/rootsecdev/status/1282640558025060354