Microsoft Entra ID OAuth Phishing and Detections
ID: 3f54c443-1e0b-5e97-bfed-321523c24cc2
STIX ID: report--3f54c443-1e0b-5e97-bfed-321523c24cc2
Feed Name: Elastic Security Labs
## Executive Summary

This report analyzes OAuth phishing campaigns against Microsoft Entra ID (Azure AD), reproducing Volexity-observed techniques that abuse first-party Microsoft applications and ROADtools to harvest tokens, register virtual devices, and mint Primary Refresh Tokens (PRTs) for persistent, stealthy access to Microsoft 365 resources. It documents two emulated scenarios (VSCode-based Graph access and Microsoft Authentication Broker-based device registration), provides telemetry and high-fidelity detection rules, and recommends log correlation and SIEM detections to surface token abuse and device-registration-driven compromises.
