๐Ÿ›ก๏ธ Recipe ยท Security & Compliance

Review Consent Phishing Protection and Attack Simulation Policies in Microsoft 365

Audit user consent settings and phishing simulation campaigns across Entra ID and Microsoft Defender

Complexity

Intermediate

Impact

security + compliance + identity + phishing-defense + audit

Context

Why This Matters

Consent phishing (also called an illicit consent grant attack) is a rapidly growing threat in which attackers trick users into granting OAuth permissions to a malicious application, which bypasses MFA entirely because the user's own authenticated session authorizes the grant. Microsoft 365 provides two complementary defenses:

  • User consent settings in Entra ID, which restrict when and how end users can grant permissions to third-party apps.
  • Attack Simulation Training in Microsoft Defender for Office 365, which runs benign phishing campaigns against your users to measure and improve resilience.

This recipe walks you through auditing both configurations so you know exactly where they live, what state they are in, and whether your tenant is adequately protected.

Run this recipe during any of the following:

  • Quarterly security posture reviews
  • Incident response after a suspected consent phishing event
  • Onboarding a new tenant or Defender P2 license
  • Compliance audits (ISO 27001, SOC 2, NIST CSF)

Expected Outcomes

After completing this recipe you will have:

  • Documented the current authorizationPolicy and permission grant policy assignments for your tenant.
  • Confirmed whether the admin consent workflow is enabled.
  • A list of active, scheduled, and historical attack simulations (or confirmation that none exist).
  • A clear understanding of where each setting is managed in the Entra admin center and the Microsoft Defender portal.
  • Actionable recommendations for tightening consent controls and scheduling baseline phishing simulations.

Risks & Considerations

Things to watch out for

  • Do not tighten consent settings without communication. Moving from "Allow user consent for apps from verified publishers" to "Do not allow user consent" can break legitimate apps that users have self-service onboarded (e.g., Zoom, Slack, Grammarly). Always enable the admin consent workflow first so users have a path to request access.
  • Attack Simulation Training requires Microsoft Defender for Office 365 Plan 2 (included in M365 E5). If the Defender portal does not show the feature, verify licensing before assuming nothing is configured.
  • Running a simulation without coordinating with HR and the help desk can trigger a flood of phishing reports and user anxiety. Always communicate the program (not the timing) in advance.
  • The AttackSimulation.Read.All permission is required to enumerate simulations via Graph. A 204 response may mean either "no simulations exist" or insufficient permissions: verify both before concluding that nothing is configured.
  • Changes to the authorization policy apply tenant-wide and take effect within minutes. Test in a pilot group where possible using custom permission grant policies.

Required Permissions

Permission                        | Why It's Needed
Policy.Read.All                   | Read the tenant authorizationPolicy and permission grant policy assignments.
Policy.ReadWrite.Authorization    | Required if you plan to modify user consent settings after the review.
AttackSimulation.Read.All         | Enumerate attack simulation campaigns and their status via the Security API.
Directory.Read.All                | Resolve tenant-level identity context when inspecting consent policies.
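The three Graph documents this recipe asks you to collect (the tenant authorizationPolicy, the adminConsentRequestPolicy, and the attack simulation list) are easy to fetch but easy to misread, so here is an added worked example of the evaluation step. It is not code from the recipe, from Dex, or from Microsoft; it assumes you have already retrieved the JSON bodies of GET /policies/authorizationPolicy, GET /policies/adminConsentRequestPolicy and GET /security/attackSimulation/simulations with the permissions in the table above, and it ships with constructed sample responses so it runs offline. The severity labels and the "disabled / allow-all / verified-publishers-low-risk / custom" classification are this example's own conventions, derived from the built-in permission grant policy names Entra assigns for the portal's user consent options.

```python
"""Offline audit of the consent-phishing controls this recipe reviews.

Added example, not the recipe's or Dex's code. Input is the JSON body of:
  GET /v1.0/policies/authorizationPolicy             (Policy.Read.All)
  GET /v1.0/policies/adminConsentRequestPolicy       (Policy.Read.All)
  GET /v1.0/security/attackSimulation/simulations    (AttackSimulation.Read.All)
The SAMPLE_* documents below are constructed, not captured from a real tenant.
"""
from collections import Counter

# Built-in permission grant policies that Entra assigns for the "User consent
# for applications" radio buttons. Other ForSelf policies are tenant-defined.
LEGACY_ALLOW_ALL = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
VERIFIED_LOW_RISK = "ManagePermissionGrantsForSelf.microsoft-user-default-low"
SELF_PREFIX = "ManagePermissionGrantsForSelf."

# Graph simulationStatus values that show the programme is actually live.
ACTIVE_STATES = {"running", "scheduled"}
HISTORICAL_STATES = {"completed"}


def classify_user_consent(authorization_policy: dict) -> str:
    """Map permissionGrantPoliciesAssigned onto the portal's consent options."""
    role_perms = authorization_policy.get("defaultUserRolePermissions") or {}
    assigned = role_perms.get("permissionGrantPoliciesAssigned") or []
    # Ignore ManagePermissionGrantsForOwnedResource.* entries (group/team owner
    # consent); only the ForSelf entries express the end-user consent setting.
    self_policies = [p for p in assigned if p.startswith(SELF_PREFIX)]
    if not self_policies:
        return "disabled"                      # "Do not allow user consent"
    if LEGACY_ALLOW_ALL in self_policies:
        return "allow-all"                     # "Allow user consent for apps"
    if VERIFIED_LOW_RISK in self_policies:
        return "verified-publishers-low-risk"  # verified publishers, low impact
    return "custom"                            # a tenant-defined grant policy


def summarize_simulations(simulations_response: dict) -> Counter:
    """Count simulations by status (running, scheduled, completed, draft, ...)."""
    return Counter(s.get("status") or "unknown"
                   for s in simulations_response.get("value", []))


def audit(authorization_policy: dict, consent_request_policy: dict,
          simulations_response: dict) -> dict:
    """Combine the three documents into a report with (severity, message) findings."""
    findings = []
    consent_mode = classify_user_consent(authorization_policy)
    if consent_mode == "allow-all":
        findings.append(("high", "Users may consent to any app: restrict user consent "
                                 "to verified publishers/low-risk, or disable it."))
    elif consent_mode == "custom":
        findings.append(("info", "A custom permission grant policy is assigned; "
                                 "review its conditions explicitly."))

    workflow_on = bool(consent_request_policy.get("isEnabled"))
    reviewers = consent_request_policy.get("reviewers") or []
    if not workflow_on:
        # Without the workflow, restricted tenants leave users no request path,
        # which is exactly the breakage the recipe's risk list warns about.
        severity = "medium" if consent_mode == "allow-all" else "high"
        findings.append((severity, "Admin consent workflow is disabled: users have no "
                                   "sanctioned path to request blocked apps."))
    elif not reviewers:
        findings.append(("medium", "Admin consent workflow is enabled but has no "
                                   "reviewers; requests will never be actioned."))

    by_status = summarize_simulations(simulations_response)
    active = sum(by_status[s] for s in ACTIVE_STATES)
    historical = sum(by_status[s] for s in HISTORICAL_STATES)
    if not by_status:
        findings.append(("medium", "No simulations returned: confirm Defender for Office "
                                   "365 P2 licensing and AttackSimulation.Read.All "
                                   "before concluding that none exist."))
    elif active == 0:
        findings.append(("low", f"{historical} completed simulation(s) but none running "
                                "or scheduled; schedule the next baseline campaign."))

    return {"user_consent": consent_mode,
            "admin_consent_workflow": workflow_on,
            "reviewer_count": len(reviewers),
            "simulations_by_status": dict(by_status),
            "findings": findings}


# Constructed sample responses (shapes follow the Graph resources named above).
SAMPLE_AUTHZ = {"defaultUserRolePermissions": {
    "permissionGrantPoliciesAssigned": [LEGACY_ALLOW_ALL]}}
SAMPLE_CONSENT_REQ = {"isEnabled": False, "reviewers": []}
SAMPLE_SIMS = {"value": [
    {"displayName": "Q1 credential harvest baseline", "status": "completed"},
    {"displayName": "Q2 consent-grant awareness", "status": "scheduled"}]}

if __name__ == "__main__":
    report = audit(SAMPLE_AUTHZ, SAMPLE_CONSENT_REQ, SAMPLE_SIMS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed the script the real responses (for example by loading the JSON files you saved from Graph Explorer) and compare the report with the expected outcomes list above; the "no simulations returned" finding deliberately repeats the licensing and permission caveat rather than declaring the tenant unprotected.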

The fastest way to get this done: just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

Audit our Microsoft 365 tenant for consent phishing protection and attack simulation coverage. Report the current user consent setting in Entra ID, which permission grant policies are assigned, whether the admin consent workflow is enabled, and list any active or scheduled Attack Simulation Training campaigns. Flag any gaps and recommend remediation.