What OAuth does
OAuth 2.0 (RFC 6749) is an authorisation framework: it lets a third-party application access protected resources on a user's behalf without the user handing that application their password. It defines four roles: the resource owner (the user), the client (the application asking for access), the authorisation server (for example Microsoft Entra ID), which authenticates the user, records consent and issues tokens, and the resource server (such as Microsoft Graph), which holds the protected data and accepts those tokens. Grant types map to application shapes: the authorisation code grant with PKCE for web, mobile and desktop apps that act for a signed-in user, and the client credentials grant for daemons and services that act as themselves with no user present. The access token is short-lived and is presented to the resource server on each request; the refresh token is long-lived and lets the client obtain fresh access tokens without sending the user back through sign-in, which is exactly why a stolen refresh token is so valuable to an attacker.
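The authorisation code grant with PKCE described above, worked through end to end as an added example (this is not code from the original page). The tenant, client ID, redirect URI and scopes are placeholder assumptions; the /authorize and /token paths are the documented Entra ID v2.0 endpoint paths. It runs offline: it builds the front-channel URL and back-channel token request a public client would send, parses a constructed callback, and checks the code_verifier the way the authorisation server does on /token. A client credentials request body is included for contrast.

```python
"""Authorisation code grant with PKCE (RFC 7636) against Entra ID v2.0 endpoints.

Added worked example, not code from the original page. Tenant, client ID,
redirect URI and scopes are placeholder assumptions; the endpoint paths are
the documented Entra ID v2.0 paths. Runs offline and sends nothing.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder assumptions, not real identifiers.
TENANT_ID = "contoso.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "http://localhost:8400/callback"
SCOPES = ["openid", "offline_access", "https://graph.microsoft.com/Mail.Read"]
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0"


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 section 4 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """High-entropy code_verifier: 32 random bytes encode to 43 characters."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(challenge: str, state: str) -> str:
    """Front-channel request the browser is sent to; only the challenge travels here."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Pull the code out of the redirect; a state mismatch is a CSRF/code-injection signal."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this response")
    if "error" in q:
        raise ValueError(f"authorisation failed: {q['error'][0]}")
    return q["code"][0]


def build_token_request(code: str, verifier: str) -> dict:
    """Back-channel POST body for /token. Public client: no secret, the verifier proves possession."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
    }


def build_client_credentials_request(client_secret: str) -> dict:
    """App-only grant for daemons: no user involved, scope is the resource's /.default."""
    return {
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": "https://graph.microsoft.com/.default",
    }


def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """Server-side check on /token: recompute the challenge and compare in constant time."""
    return secrets.compare_digest(make_challenge(presented_verifier), stored_challenge)


def walk_through() -> bool:
    """Run the flow with a constructed callback; True if every check behaves as it should."""
    verifier, state = make_verifier(), secrets.token_urlsafe(16)
    challenge = make_challenge(verifier)
    # Constructed redirect, standing in for what the browser returns after consent.
    callback = f"{REDIRECT_URI}?code=constructed-auth-code&state={state}"
    try:  # a response carrying someone else's state must be thrown away
        parse_callback(callback.replace(state, "attacker-state"), state)
        return False
    except ValueError:
        pass
    req = build_token_request(parse_callback(callback, state), verifier)
    # Server side: the real verifier passes; a stolen code with a guessed verifier fails.
    return server_accepts(challenge, req["code_verifier"]) and not server_accepts(challenge, make_verifier())
```

Call walk_through() to exercise the flow. The point worth noticing is the asymmetry: the challenge goes over the front channel where a browser, proxy or malicious app on the device could see it, while the verifier only ever travels in the back-channel POST, so an intercepted authorisation code is useless without it. Against Entra ID the real token response would then carry access_token, refresh_token and id_token for the scopes consented to.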
OAuth in Australian tenants today
Australian organisations running Microsoft 365 need to manage OAuth applications deliberately. Entra ID's consent settings decide which Microsoft Graph permissions an application can be granted, and by whom. Administrators can grant tenant-wide admin consent to vetted applications, and user consent can be left open, restricted (for example to low-impact permissions from verified publishers) or disabled with an admin consent workflow in its place; where users may consent at all, they need clear guidance, because consent phishing relies on a user approving a plausible-looking app that then reads mail and files with that user's permissions. Under the Notifiable Data Breaches scheme in the Privacy Act 1988, an eligible data breach must be notified to the OAIC and to affected individuals, so consented applications, the permissions they hold and their sign-in activity should be reviewed and monitored, with unused or suspicious grants revoked. The Voluntary AI Safety Standard likewise expects secure access controls around AI systems that consume tenant data, which is the kind of scoped, revocable access OAuth is designed to provide.