Controlled OAuth Consent Flow

A controlled app requests delegated permissions. The user sees a consent prompt. Entra ID creates a service principal and a consent grant; tokens issued afterwards can call Microsoft Graph within the granted scope.

Teaching point: consent is an authorization event that creates durable objects defenders can review.

Flow:
1. The user sees the consent prompt
2. Consent is requested for the listed scopes
3. Entra ID records the grant
4. Tokens call the Microsoft Graph delegated API within that scope

Tenant-local objects to inspect:
- Service principal
- OAuth grant

Review: who consented? Which scopes?

Class boundary: use a training tenant and a controlled app. No real lure, no external target, no student submission.
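The review step above (who consented, and to which scopes) as an added example, not part of the original slide: it walks objects shaped like Graph `/oauth2PermissionGrants`, `/servicePrincipals` and `/users` responses, resolves the consenting user and client, and flags scopes outside the allowlist expected for the controlled app. All object ids, names and the sample grants are constructed; only the Microsoft Graph appId is the real well-known value.

```python
# Constructed sample data shaped like Microsoft Graph responses; ids are placeholders.
SERVICE_PRINCIPALS = [
    {"id": "sp-client-0001", "appId": "app-0001", "displayName": "Class Demo App"},
    # 00000003-0000-0000-c000-000000000000 is the well-known Microsoft Graph appId
    {"id": "sp-graph-0000", "appId": "00000003-0000-0000-c000-000000000000",
     "displayName": "Microsoft Graph"},
]
USERS = [{"id": "user-0001", "userPrincipalName": "student1@training.example"}]
GRANTS = [
    # consentType "Principal": one user consented for themselves
    {"id": "grant-1", "clientId": "sp-client-0001", "consentType": "Principal",
     "principalId": "user-0001", "resourceId": "sp-graph-0000",
     "scope": "User.Read Mail.Read"},
    # consentType "AllPrincipals": an admin granted tenant-wide consent
    {"id": "grant-2", "clientId": "sp-client-0001", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph-0000",
     "scope": "User.Read Directory.Read.All"},
]
# The only delegated scope the controlled class app is supposed to hold (assumption).
EXPECTED_SCOPES = {"User.Read"}


def review_grants(grants, service_principals, users, expected_scopes):
    """Turn raw oauth2PermissionGrant objects into reviewable findings."""
    sp_name = {sp["id"]: sp["displayName"] for sp in service_principals}
    upn = {u["id"]: u["userPrincipalName"] for u in users}
    findings = []
    for g in grants:
        scopes = (g.get("scope") or "").split()  # scope is a space-delimited string
        if g["consentType"] == "AllPrincipals":
            consented_by = "admin (tenant-wide)"
        else:
            consented_by = upn.get(g.get("principalId"), "unknown user")
        findings.append({
            "grant_id": g["id"],
            "client": sp_name.get(g["clientId"], g["clientId"]),
            "resource": sp_name.get(g["resourceId"], g["resourceId"]),
            "consent_type": g["consentType"],
            "consented_by": consented_by,
            "scopes": scopes,
            "unexpected_scopes": sorted(set(scopes) - expected_scopes),
        })
    return findings


if __name__ == "__main__":
    for f in review_grants(GRANTS, SERVICE_PRINCIPALS, USERS, EXPECTED_SCOPES):
        print(f)
```

Against a live tenant the same function works on the paged JSON from GET /oauth2PermissionGrants, with the lookups built from /servicePrincipals and /users.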