Azure Active directory differentiates two types of permission for apps. The “on behalf of a user” permission and the “access without a user” permission. In my previous post I wrote about a script I created that lists apps that have access without a user being present. In this post I will focus on apps that users or admins have consented to.
From a security perspective I have mixed feeling about the delegated app consent. On the one hand it is better to know which apps users are using and to be able to allow them to login to theses apps using their corporate credentials. This allows the company to have some visibility. However you don't want users to consent to just any application the ability to read and write data to their inbox/calendar or one drive.
So it is imported to know which users have consented to which apps. As well make an informed decision on allowing or disallowing users to just consent to any random app. More information about that can be found here.
Just like in my previous post I wrote a script that lists all users, the apps they have given consent to and what they have consented to. You can find it on our GitHub page here.