Microsoft Graph API represents a massive attack surface for Microsoft 365 environments. A real-world finding exposed live OAuth client credentials in a public Postman workspace, granting silent access to 59,000 user records, group memberships, and Teams messages with no MFA or endpoint compromise required. The post covers three OAuth flows (Authorization Code, Client Credentials, Device Code), their distinct trust models, and how attackers exploit each. It details the most abused Graph endpoints including user enumeration, email access, OneDrive file access, service principal mapping, mail impersonation, and Conditional Access policy enumeration. Key defensive gaps include overlooked non-interactive sign-in logs, over-provisioned application permissions, and the absence of vulnerability disclosure programs at large enterprises. The core argument is that Graph-based attacks bypass traditional endpoint and MFA controls entirely — the token is the intrusion.
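Two of the defensive gaps named above, unreviewed non-interactive (service-principal) sign-ins and over-provisioned application permissions, can be checked together from data a tenant administrator can already export. The script below is an added example written for this page, not code from the original post or from Microsoft. It assumes two constructed inputs: the app-only Graph permissions granted to each service principal (app role assignments already resolved to permission names) and a JSON-lines export of service-principal sign-in events whose field names follow the Entra sign-in schema (appId, servicePrincipalName, resourceDisplayName, ipAddress, createdDateTime) but whose values are invented. The list of high-privilege permissions and the expected source networks are assumptions for the example.

```python
"""Triage app-only Graph permissions against non-interactive sign-ins.

Added example, not from the original post. Sample records are constructed.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Application-only Graph permissions that grant tenant-wide access with no user
# present. This set is an assumption for the example; extend it for your tenant.
HIGH_PRIVILEGE = {
    "User.Read.All", "Directory.Read.All", "Mail.Read", "Mail.ReadWrite",
    "Mail.Send", "Files.Read.All", "Chat.Read.All", "Policy.Read.All",
}

# Constructed sample: app-only permissions granted to each service principal.
GRANTS = [
    {"appId": "11111111-0000-0000-0000-000000000001", "displayName": "hr-sync",
     "permissions": ["User.Read.All", "Group.Read.All"]},
    {"appId": "11111111-0000-0000-0000-000000000002", "displayName": "old-reporting",
     "permissions": ["Mail.ReadWrite", "Files.Read.All", "Directory.Read.All"]},
    {"appId": "11111111-0000-0000-0000-000000000003", "displayName": "ticket-bot",
     "permissions": ["Chat.Read.All"]},
]

# Constructed sample: service-principal sign-in events as JSON lines.
SIGNIN_LOG = """
{"createdDateTime": "2024-05-01T08:00:12Z", "appId": "11111111-0000-0000-0000-000000000001", "servicePrincipalName": "hr-sync", "resourceDisplayName": "Microsoft Graph", "ipAddress": "10.20.30.40"}
{"createdDateTime": "2024-05-02T03:14:07Z", "appId": "11111111-0000-0000-0000-000000000003", "servicePrincipalName": "ticket-bot", "resourceDisplayName": "Microsoft Graph", "ipAddress": "203.0.113.77"}
{"createdDateTime": "2024-05-02T03:15:22Z", "appId": "11111111-0000-0000-0000-000000000003", "servicePrincipalName": "ticket-bot", "resourceDisplayName": "Microsoft Graph", "ipAddress": "203.0.113.77"}
"""

# Networks from which the organisation expects its workloads to call Graph (assumption).
EXPECTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Fixed "now" so the sample is reproducible (assumption for the example).
NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)


def parse_signins(text):
    """Parse JSON-lines sign-in events and group them by appId."""
    events = defaultdict(list)
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["createdDateTime"] = datetime.fromisoformat(
            rec["createdDateTime"].replace("Z", "+00:00"))
        events[rec["appId"]].append(rec)
    return events


def ip_is_expected(ip):
    """True when the source address falls inside an expected network."""
    return any(ipaddress.ip_address(ip) in net for net in EXPECTED_NETWORKS)


def triage(grants, signins, now, idle_days=30):
    """Flag service principals whose app-only permissions deserve review.

    Two findings are produced: high-privilege permissions that have not been
    exercised in idle_days (candidates for removal), and high-privilege tokens
    minted from a network the organisation does not expect.
    """
    findings = []
    cutoff = now - timedelta(days=idle_days)
    for g in grants:
        privileged = sorted(set(g["permissions"]) & HIGH_PRIVILEGE)
        recent = [e for e in signins.get(g["appId"], [])
                  if e["createdDateTime"] >= cutoff]
        reasons = []
        if privileged and not recent:
            reasons.append("over-provisioned: high-privilege app permissions "
                           "with no sign-ins in %d days" % idle_days)
        unexpected = sorted({e["ipAddress"] for e in recent
                             if not ip_is_expected(e["ipAddress"])})
        if unexpected and privileged:
            reasons.append("high-privilege token used from unexpected network(s): "
                           + ", ".join(unexpected))
        if reasons:
            findings.append({"appId": g["appId"], "displayName": g["displayName"],
                             "privileged": privileged, "reasons": reasons})
    return findings


def run_sample():
    """Run the triage over the constructed sample data."""
    return triage(GRANTS, parse_signins(SIGNIN_LOG), NOW)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

On the constructed data, hr-sync is quiet because its User.Read.All grant is exercised from an expected network; old-reporting is flagged because its mail, file and directory permissions have gone unused for the review window; ticket-bot is flagged because an app-only Chat.Read.All token was minted from an address outside the expected range. Both findings come from the service-principal sign-in log, which is the log the summary says is routinely overlooked.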
Table of contents
OAuth flows overview
Authorization Code Flow
Client Credentials Flow
Device Code Flow
Flow Comparison at a Glance
What Is Microsoft Graph?
The Most Abused Graph Endpoints
Why Graph Changes the Post-Compromise Calculus
Conclusion