This event is raised whenever Office Protect detects a change in an application's permissions.

Attackers may escalate an application's permissions to silently gain access to sensitive information or carry out malicious activity. Removing permissions can also block critical business or security applications from accessing the data they need.

All application permissions should be closely monitored to ensure that they align with legitimate needs and do not put your organization at risk.


Remediation


Review who performed the add or remove action (detailed in the event description), and consider blocking the user if the action was unexpected (you can find all other Office Protect events related to a user in the Report section).

You can manage application permissions in your Entra ID admin portal (under the Applications section).

To prevent unwanted privilege escalation, it is recommended to frequently review the permissions granted to applications and revoke any unexpected or unnecessary ones, or remove the application from your organization.


Operations to look for in the unified audit logs:


  • Add app role assignment to service principal.
  • Remove app role assignment from service principal.
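As an added example (not part of the original page or of Office Protect), the triage step above applied to exported unified audit log records: filter to the two operations named here, flag changes made by anyone outside an allowlist of expected admins, and count adds/removes per actor. The records are constructed sample data shaped like Search-UnifiedAuditLog output; the allowlist and service principal identifiers are placeholders.

```python
import json
from collections import Counter

# Operations named on this page; matched exactly (note the trailing period).
WATCHED_OPERATIONS = {
    "Add app role assignment to service principal.",
    "Remove app role assignment from service principal.",
}
# Assumption: identities expected to change application permissions (placeholder).
EXPECTED_ACTORS = {"it-admin@contoso.example"}

def make_record(when, actor, operation, target_sp):
    """Build a constructed record in the shape Search-UnifiedAuditLog exports:
    CreationDate, UserIds, Operations and an AuditData JSON string."""
    audit = {"CreationTime": when, "Operation": operation, "UserId": actor,
             "ObjectId": target_sp, "ResultStatus": "Success"}
    return {"CreationDate": when, "UserIds": actor, "Operations": operation,
            "AuditData": json.dumps(audit)}

SAMPLE_RECORDS = [  # constructed sample data, not real tenant output
    make_record("2024-03-01T09:15:00", "it-admin@contoso.example",
                "Add app role assignment to service principal.", "sp-placeholder-0001"),
    make_record("2024-03-01T22:41:00", "jdoe@contoso.example",
                "Add app role assignment to service principal.", "sp-placeholder-0002"),
    make_record("2024-03-01T22:43:00", "jdoe@contoso.example",
                "Remove app role assignment from service principal.", "sp-placeholder-0003"),
    make_record("2024-03-01T23:00:00", "jdoe@contoso.example", "UserLoggedIn", "n/a"),
]

def triage(records, expected_actors=EXPECTED_ACTORS):
    """Return watched permission changes performed by actors outside the allowlist."""
    findings = []
    for rec in records:
        if rec.get("Operations") not in WATCHED_OPERATIONS:
            continue  # not a permission change; ignore
        data = json.loads(rec["AuditData"])
        actor = (data.get("UserId") or rec.get("UserIds") or "").lower()
        if actor in expected_actors:
            continue  # known admin: still subject to periodic review, not an alert
        findings.append({
            "time": data.get("CreationTime", rec.get("CreationDate")),
            "actor": actor,
            "action": "add" if data["Operation"].startswith("Add") else "remove",
            "service_principal": data.get("ObjectId"),
        })
    return findings

def changes_per_actor(findings):
    """Count add/remove actions per unexpected actor to spot bulk changes."""
    return Counter((f["actor"], f["action"]) for f in findings)

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['time']} {f['actor']} {f['action']} {f['service_principal']}")
```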


Review and revoke permissions in Entra ID:

https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/manage-application-permissions