Overview ✨
When the Liongard Microsoft 365 Inspector runs in a GDAP or delegated multi-tenant configuration, Microsoft Entra may record Add delegated permission grant and Remove delegated permission grant events for the Liongard enterprise application. These entries are expected when they occur as a matched pair at the same time as an inspection run. If AV, EDR, SIEM, or identity security tooling alerts only on these verified Liongard-related add/remove events, the alert can be treated as expected activity and safely ignored.
This article explains why these Microsoft Entra audit log entries can appear, how to confirm they are related to the Liongard Microsoft 365 Inspector, and when further investigation is required.
Applies to
Liongard Microsoft 365 Inspector
Microsoft 365 tenants managed through Microsoft Partner Center and GDAP
Microsoft Entra audit logs
Security tools that monitor application consent, delegated permissions, or OAuth permission grants
What you may see
During or near a scheduled Microsoft 365 Inspector run, Microsoft Entra audit logs may show application permission activity similar to the following:
Add delegated permission grant
Remove delegated permission grant
These events may appear in the customer tenant being inspected and may repeat on the same cadence as the Microsoft 365 Inspector schedule. The default schedule for a newly configured Microsoft 365 Inspector is once per day unless the schedule is changed.
🦁 Expected pattern: The key indicator is a paired add/remove sequence for the Liongard enterprise application that occurs during the same time window as a Liongard Microsoft 365 Inspector run.
Why this happens
The Liongard Microsoft 365 Inspector uses Microsoft authentication to collect Microsoft 365 data through Microsoft APIs. In multi-tenant environments, the inspector uses a parent/child model:
The parent inspector is configured with Microsoft sign-in and the partner tenant information.
Customer tenants managed through GDAP are discovered as child inspectors.
Each child inspector runs against the applicable customer tenant.
Microsoft Partner Center and Microsoft Entra enforce the delegated access and consent requirements for the customer tenant.
When a child Microsoft 365 inspection runs, Microsoft establishes delegated authorization for the inspection session. Microsoft records that delegated access activity in Entra audit logs. As part of the same process, the delegated permission grant can be removed after the session is established or completed. This is why you may see both an add event and a remove event during the inspection window.
This does not mean that Liongard is creating a new permanent permission assignment in the tenant each time the inspector runs. It reflects the Microsoft delegated access and consent flow used for GDAP-based inspection.
Why security tools may alert
Many AV, EDR, SIEM, and identity security products monitor delegated permission grants because unauthorized application consent can be risky. Microsoft also documents Add delegated permission grant and Remove delegated permission grant as Microsoft Entra ApplicationManagement audit activities.
Because these event names are commonly associated with application consent activity, security tools may alert when they see them, even when the activity is expected and tied to a trusted inspection workflow. In this case, the events are expected when they match the Liongard Microsoft 365 Inspector run pattern.
⚠️ Important: Only suppress or ignore the verified Liongard-related paired events. Do not disable monitoring for all Microsoft Entra permission grant, consent, or application management activity.
How to confirm the activity is expected
Use the following checklist before treating the alert as expected activity.
Check | What to confirm | Expected result |
Inspector type | The tenant is inspected by the Liongard Microsoft 365 Inspector. | The Microsoft 365 Inspector is active for the affected tenant. |
Configuration | The environment uses GDAP or delegated multi-tenant inspection. | A parent inspector discovers or manages child customer tenants. |
Timing | The audit events occur during a scheduled or manually triggered inspector run. | The event time aligns with the inspection start time or inspection window. |
Event pattern | The audit log shows both Add delegated permission grant and Remove delegated permission grant. | The events appear as a close pair rather than as an isolated add event. |
Application | The event references the Liongard enterprise application or expected Liongard Microsoft 365 inspection activity. | The application is known and expected for Liongard Microsoft 365 inspection. |
Persistence | No unexpected standing delegated grant remains after the inspection window. | The session-related grant is removed. |
When the alert can be safely ignored
The alert can generally be treated as expected activity when all of the following are true:
The tenant is configured for Liongard Microsoft 365 inspection.
The inspection uses GDAP or delegated multi-tenant access.
The alert occurred during a scheduled or manual Microsoft 365 Inspector run.
The Microsoft Entra audit logs show a matching Add delegated permission grant and Remove delegated permission grant sequence.
The activity references the expected Liongard enterprise application or Microsoft 365 inspection workflow.
No unexpected persistent delegated permission grant remains after the run.
✅ Recommended action: If your security tool supports tuning, create a narrow exception for the verified Liongard Microsoft 365 Inspector add/remove delegated permission grant pattern. Keep all other Microsoft Entra consent and permission-change detections enabled.
When to investigate further
Do not ignore the alert if any of the following are true:
There is an Add delegated permission grant event without a corresponding remove event.
The event does not align with a Liongard Microsoft 365 Inspector run.
The event references an unfamiliar application, service principal, user, or actor.
The tenant is not configured for Liongard Microsoft 365 inspection.
A delegated grant or application permission remains in place unexpectedly.
The event includes additional consent activity that was not part of the normal inspection window.
Other suspicious identity signals are present, such as unusual sign-in location, risky user activity, or unexpected admin activity.
‼️ Escalate for review if the activity does not match the expected Liongard Microsoft 365 Inspector pattern. Unexpected or persistent permission changes should always be investigated.
What this is not
Not a Microsoft 365 Inspector failure. These logs can appear during normal inspection activity.
Not a permanent permission change by itself. The expected pattern includes both an add event and a remove event.
Not evidence of compromise by itself. The event must be reviewed in context with timing, application, actor, and persistence.
Not a reason to disable Entra consent monitoring. Consent and permission grant monitoring remains important for detecting unauthorized OAuth activity.
Administrator response
Open the alert in your AV, EDR, SIEM, or identity security tool.
Identify the Microsoft Entra audit event names and timestamps.
Confirm whether the Liongard Microsoft 365 Inspector ran during the same time window.
Review the Microsoft Entra audit logs for the paired Add delegated permission grant and Remove delegated permission grant events.
Confirm the activity references the expected Liongard enterprise application.
Confirm the delegated grant does not remain in place after the inspection window.
If all checks match, document the event as expected Liongard Microsoft 365 Inspector activity.
Optionally tune the security rule to reduce repeated false positive alerts for this specific verified pattern.
Frequently asked questions
Why do the events repeat?
Why do the events repeat?
The Microsoft 365 Inspector runs on a schedule. If the inspector runs daily, the delegated session activity may also appear daily. If the inspector is run manually, the same pattern may appear during the manual run window.
Does this mean Liongard keeps permanent access in the customer tenant?
Does this mean Liongard keeps permanent access in the customer tenant?
No. The expected event pattern includes removal of the delegated permission grant. This indicates session-related delegated access activity rather than a standing permission grant being newly retained after every run.
Should we create an EDR exclusion?
Should we create an EDR exclusion?
If the events are confirmed to be tied to the Liongard Microsoft 365 Inspector, use a narrow exception that matches the specific Liongard application, event names, and expected inspection timing. Do not create a broad exclusion for all delegated permission grants or all application consent events.
What if we only see the add event?
What if we only see the add event?
Investigate further. The expected pattern is a matched add/remove sequence. An isolated add event, an unfamiliar application, or activity outside the inspection window should be reviewed as a potential consent or permission change.
References ⭐️