
Summary
This detection rule identifies instances where an administrator grants consent to an application in an Azure Active Directory (Azure AD, now Microsoft Entra ID) and Office 365 tenant, using O365 audit logs. Admin consent matters because it lets an application access data across the whole tenant, which can result in significant data exposure. The rule captures admin consent events and focuses on those where consent is granted on behalf of all principals (tenant-wide), meaning every user in the tenant is affected rather than only the consenting account. If an attacker obtains or abuses such a grant, the application, and whoever controls it, gains broad and persistent access to sensitive organizational data through the application's own tokens, access that survives user password resets; this enables data exfiltration, espionage, or further malicious activity and may create compliance issues. The rule supports forensic analysis of, and response to, suspicious admin consent activity and reinforces the need for close monitoring of administrative actions in cloud environments.
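The detection logic described above, run over a few constructed O365 Unified Audit Log records, as an added example that is not the rule's own query. The record shape (Operation "Consent to application.", ModifiedProperties entries named ConsentContext.IsAdminConsent, ConsentContext.OnBehalfOfAll and ConsentAction.Permissions, a Target entry carrying the application display name) follows the Unified Audit Log layout as the editor understands it and should be treated as an assumption to verify against exported records from your own tenant; the HIGH_RISK_SCOPES set is likewise an illustrative starting point, not part of the rule.

```python
"""Flag tenant-wide admin consent grants in O365 Unified Audit Log records.

Added example, not the detection rule's own query. Field names follow the
Unified Audit Log "Consent to application." record layout as the editor
understands it; treat them as assumptions and confirm against a real export.
All sample records below are constructed.
"""
import json
import re

# Scopes a reviewer would want escalated (assumption: tune per tenant).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Sites.Read.All",
    "User.Read.All", "Directory.Read.All", "Directory.ReadWrite.All",
}


def _record(time, user, app, is_admin, on_behalf_of_all, scope,
            operation="Consent to application."):
    """Build one constructed audit record in the assumed Unified Audit Log shape."""
    consent_type = "AllPrincipals" if on_behalf_of_all else "Principal"
    return json.dumps({
        "CreationTime": time,
        "Operation": operation,
        "RecordType": 8,
        "ResultStatus": "Success",
        "Workload": "AzureActiveDirectory",
        "UserId": user,
        "Target": [{"ID": app, "Type": 1}],
        "ModifiedProperties": [
            {"Name": "ConsentContext.IsAdminConsent", "NewValue": str(is_admin), "OldValue": ""},
            {"Name": "ConsentContext.OnBehalfOfAll", "NewValue": str(on_behalf_of_all), "OldValue": ""},
            {"Name": "ConsentAction.Permissions",
             "NewValue": f"[] => [[ConsentType: {consent_type}, Scope: {scope}]]", "OldValue": ""},
        ],
    })


# Constructed sample export: one tenant-wide admin consent (should alert), one admin
# consent for a single principal, one ordinary user consent, one unrelated operation,
# and one malformed line that must not crash the job.
SAMPLE_AUDIT_LOG = [
    _record("2024-11-14T09:12:03", "admin@contoso.example", "Contoso Mail Sync",
            True, True, "Mail.Read User.Read.All"),
    _record("2024-11-14T09:15:41", "admin@contoso.example", "Expense Helper",
            True, False, "User.Read"),
    _record("2024-11-14T09:20:10", "alice@contoso.example", "Calendar Widget",
            False, False, "Calendars.Read"),
    _record("2024-11-14T09:25:00", "admin@contoso.example", "Contoso Mail Sync",
            True, True, "", operation="Add service principal."),
    "not json at all",
]


def parse_records(lines):
    """Parse exported audit lines, skipping malformed ones instead of aborting."""
    records = []
    for line in lines:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def _is_true(value):
    # Audit log values are strings such as "True"/"False"; compare case-insensitively.
    return str(value).strip().lower() == "true"


def _modified_props(record):
    return {p.get("Name"): p.get("NewValue") for p in record.get("ModifiedProperties", [])}


def _scopes(permissions_value):
    """Pull the space-separated Scope list out of the ConsentAction.Permissions string."""
    m = re.search(r"Scope:\s*([^,\]]*)", permissions_value or "")
    return set(m.group(1).split()) if m else set()


def _app_name(record):
    for target in record.get("Target", []):
        if target.get("Type") == 1:  # assumption: Type 1 carries the display name
            return target.get("ID")
    return None


def find_tenant_wide_admin_consent(records):
    """Return one alert per successful admin consent granted on behalf of all principals."""
    alerts = []
    for rec in records:
        if rec.get("Operation") != "Consent to application." or rec.get("ResultStatus") != "Success":
            continue
        props = _modified_props(rec)
        if not _is_true(props.get("ConsentContext.IsAdminConsent")):
            continue  # user consent: scoped to the consenting account only
        if not _is_true(props.get("ConsentContext.OnBehalfOfAll")):
            continue  # admin consented for a single principal, not the whole tenant
        scopes = _scopes(props.get("ConsentAction.Permissions"))
        alerts.append({
            "time": rec.get("CreationTime"),
            "admin": rec.get("UserId"),
            "app": _app_name(rec),
            "scopes": sorted(scopes),
            "high_risk": sorted(scopes & HIGH_RISK_SCOPES),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_tenant_wide_admin_consent(parse_records(SAMPLE_AUDIT_LOG)):
        print(alert)
```

The two ConsentContext checks are the heart of the rule: IsAdminConsent separates admin grants from ordinary user consent, and OnBehalfOfAll separates a tenant-wide grant from an admin consenting for one account. Surfacing the granted scopes in the alert lets a responder judge blast radius (mail, files, directory) before deciding whether to revoke the service principal's permissions.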
Categories
- Cloud
- Identity Management
- Application
Data Sources
- Pod
- User Account
- Application Log
- Cloud Service
ATT&CK Techniques
- T1098 (Account Manipulation)
- T1098.003 (Account Manipulation: Additional Cloud Roles)
Created: 2024-11-14