#OIDSee

2026-01-18

🚀 OID-See v1.0.1 is out — a small release with sharper edges.

This one is all about precision over noise.

No new dashboards.
No shiny features.
Just tighter logic and risk scoring that better reflects how Entra actually behaves in real tenants.

What changed in v1.0.1:
🔧 App role assignment risk fixed (assignment count ≠ risk)
👤 “No owners” reframed as governance, not security
🎭 Deception logic gated and smarter — fewer false positives, stronger signals

If you’re using OID-See to support:
• identity risk assessments
• app governance conversations
• Conditional Access strategy
• explaining why something is risky (or isn’t)

…this release should feel noticeably calmer and more trustworthy.

📖 Blog post:
cirriustech.co.uk/blog/oid-see

🏷️ Release notes:
github.com/OID-See/OID-See/rel

Feedback welcome - especially the “yeah but…” kind.
Because tools should get better the more they’re used, not louder.

#OIDSee #EntraID #IdentitySecurity #OAuth #AppGovernance #OpenSource

2026-01-06

🚨 New research & tool release: OID-See - Giving Your OAuth Apps the Side-Eye

OAuth risk in Entra isn’t a table problem.
It’s a relationship problem.

After spending far too long staring at consent screens, Graph responses, and metadata that technically tells the truth while still being wildly misleading, I ended up building something I couldn’t find anywhere else:

OID-See - essentially BloodHound for OAuth in Entra.

It maps:
• OAuth apps & service principals
• Delegated scopes and app permissions
• Consent, assignments, and reachability
• Trust signals (and trust illusions)
• Persistence and impersonation paths

…into a graph-backed analysis model that lets you reason about what an app can actually become when chained, not just whether it looks risky in isolation.

Why this exists

I kept running into the same issues:
• “Verified publisher” isn’t always the signal we think it is
• Microsoft-shaped metadata can lull defenders into false trust
• offline_access ≠ impersonation, but does equal persistence
• Apps without assignment requirements are exposed by default
• Spreadsheets hide abuse paths - graphs expose them

So I stopped trying to answer “is this app bad?”
and started asking “what does this enable if it’s abused?”

What OID-See is (and isn’t)

✅ Graph-only by default (no token scraping, no SaaS, no data exfil)
✅ You run it yourself, get a JSON, analyse it locally
✅ Explainable scoring, externalised logic, no magic
❌ Not a CSPM replacement
❌ Not an EDR, SWG, or token replay tool

It’s about clarity, not control theatre.

📖 Blog (deep dive, philosophy, and war stories):
👉 cirriustech.co.uk/blog/oidsee/

🧰 Tool & source (v1.0.0):
👉 github.com/OID-See/OID-See/tre

If you’re an Entra admin, cloud security engineer, or anyone who’s ever said
“it’s just a harmless SSO integration” - this one’s for you.

And yes… the name is intentional.
You probably should be giving your OAuth apps the side-eye. 👀

#Entra #AzureAD #OAuth #OIDC #IdentitySecurity #SecurityResearch #AttackSurface #Graph #BloodHound #OIDSee
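An added example, not OID-See's own code, that turns the signals named in the two posts above (offline_access as persistence rather than impersonation, apps without an assignment requirement being exposed by default, verified publisher as a trust signal rather than a risk reduction, and missing owners as governance rather than security) into a small local triage pass. It assumes records shaped like Microsoft Graph's servicePrincipal and oauth2PermissionGrant objects (appRoleAssignmentRequired, verifiedPublisher, owners, scope) and uses constructed sample data.

```python
# Added example (not OID-See's code): triage service-principal records that
# mirror Microsoft Graph field names; the sample records are constructed.

# Delegated scopes that let an app act on a user's data (assumed list).
IMPERSONATION_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "User.ReadWrite.All"}

# Constructed sample, shaped like a combined Graph query result.
SAMPLE_SPS = [
    {"displayName": "Harmless SSO", "appRoleAssignmentRequired": False,
     "verifiedPublisher": {"displayName": "Contoso"}, "owners": [],
     "oauth2PermissionGrants": [{"scope": "openid profile offline_access Mail.ReadWrite"}]},
    {"displayName": "HR Connector", "appRoleAssignmentRequired": True,
     "verifiedPublisher": None, "owners": ["alice@contoso.example"],
     "oauth2PermissionGrants": [{"scope": "User.Read"}]},
]


def triage(sp):
    """Return (security_findings, governance_findings) for one service principal."""
    security, governance = [], []
    scopes = set()
    for grant in sp.get("oauth2PermissionGrants", []):
        scopes.update(grant.get("scope", "").split())
    # offline_access means refresh tokens, i.e. persistence, but on its own not impersonation.
    if "offline_access" in scopes:
        security.append("persistence: offline_access grants long-lived refresh tokens")
    # Persistence chained with a data-bearing delegated scope is the path worth explaining.
    impersonation = scopes & IMPERSONATION_SCOPES
    if impersonation and "offline_access" in scopes:
        security.append(f"persistent impersonation path via {sorted(impersonation)}")
    # No assignment requirement: any user in the tenant can sign in to the app.
    if not sp.get("appRoleAssignmentRequired", False):
        security.append("exposed by default: appRoleAssignmentRequired is false")
    # Verified publisher is informational; it never removes a security finding.
    if sp.get("verifiedPublisher"):
        governance.append("verified publisher present (informational only)")
    # No owners is a governance gap, not a security finding.
    if not sp.get("owners"):
        governance.append("no owners: nobody accountable for this app")
    return security, governance


def triage_all(sps):
    """Map each service principal's displayName to its triage result."""
    return {sp["displayName"]: triage(sp) for sp in sps}
```

Running `triage_all(SAMPLE_SPS)` flags the "Harmless SSO" record on three security points and two governance points, while the assignment-gated, owned "HR Connector" produces none.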
