Description
Allow users to provide consent for selected permissions when a request is coming from a verified publisher.
Rationale
If Microsoft Entra ID is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.
Impact
Enforcing this setting may create additional requests that administrators need to review.
Audit
From Azure Portal
- From Azure Home select the Portal Menu.
- Select Microsoft Entra ID.
- Under Manage, select Enterprise applications.
- Under Security, select Consent and permissions.
- Under Manage, select User consent settings.
- Under User consent for applications, ensure Allow user consent for apps from verified publishers, for selected permissions is selected.
From PowerShell

```powershell
Connect-MgGraph
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions | Select-Object -ExpandProperty PermissionGrantPoliciesAssigned
```

The command should return either ManagePermissionGrantsForSelf.microsoft-user-default-low or a custom app consent policy id if one is in use.
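The following script is an added example for this audit, not part of the benchmark text or of Microsoft's documentation. It reads the same property the command above reads and evaluates the returned policy ids against this control, so the check can be repeated across tenants or fed into a report. It assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in account can read authorization policy (the Policy.Read.All scope), and that the policy ids `ManagePermissionGrantsForSelf.microsoft-user-default-low` (the value this control expects) and `ManagePermissionGrantsForSelf.microsoft-user-default-legacy` (the tenant default, "Allow user consent for apps") are the built-in ids documented by Microsoft; the function name `Test-UserConsentPolicy` is the example's own.

```powershell
# Added example: evaluate the "User consent for applications" setting against this control.
# Not the benchmark's own code. Assumes Microsoft.Graph.Identity.SignIns is installed and
# the signed-in account holds Policy.Read.All.

function Test-UserConsentPolicy {
    param(
        # Policy ids assigned to the default user role. Passed explicitly so the
        # evaluation logic can be exercised offline with constructed input.
        [AllowEmptyCollection()]
        [string[]]$AssignedPolicies
    )

    # Built-in app consent policy ids (documented by Microsoft; assumed here, not taken from this page).
    $expected = 'ManagePermissionGrantsForSelf.microsoft-user-default-low'     # verified publishers, selected permissions
    $legacy   = 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy'  # allow user consent for apps (tenant default)

    if (-not $AssignedPolicies -or $AssignedPolicies.Count -eq 0) {
        # An empty assignment means user consent is disabled entirely: stricter than the
        # control wording, so it is flagged for review rather than failed.
        return [pscustomobject]@{ Status = 'Review'; Detail = 'User consent disabled; every app requires admin consent' }
    }
    if ($AssignedPolicies -contains $legacy) {
        return [pscustomobject]@{ Status = 'Fail'; Detail = "Users may consent to any app ($legacy)" }
    }
    if ($AssignedPolicies -contains $expected) {
        return [pscustomobject]@{ Status = 'Pass'; Detail = "Verified publishers, selected permissions ($expected)" }
    }
    # Anything else is a custom app consent policy; the audit text accepts it, but its
    # permission limits should be inspected by hand.
    return [pscustomobject]@{ Status = 'Review'; Detail = "Custom app consent policy in use: $($AssignedPolicies -join ', ')" }
}

# Offline self-check with constructed input (no tenant needed).
$sample = @(
    @('ManagePermissionGrantsForSelf.microsoft-user-default-legacy'),
    @('ManagePermissionGrantsForSelf.microsoft-user-default-low'),
    @('ManagePermissionGrantsForSelf.contoso-custom-policy'),   # constructed custom id
    @()
)
foreach ($ids in $sample) {
    $r = Test-UserConsentPolicy -AssignedPolicies $ids
    Write-Host ("{0,-7} {1}" -f $r.Status, $r.Detail)
}

# Live audit against the signed-in tenant.
Connect-MgGraph -Scopes 'Policy.Read.All'
$assigned = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
Test-UserConsentPolicy -AssignedPolicies $assigned | Format-List
```

The offline loop is there so the decision logic can be reviewed before the script is pointed at a tenant; the `Write-Host` lines it produces are, in order, Fail, Pass, Review and Review. Only the last three lines touch Microsoft Graph, and they read the same `PermissionGrantPoliciesAssigned` property the one-line audit command above expands.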
Default Value
By default, User consent for applications is set to Allow user consent for apps.
References
- https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent?pivots=ms-graph#configure-user-consent-to-applications
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-1-separate-and-limit-highly-privilegedadministrative-users
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-2-define-and-implement-enterprise-segmentationseparation-of-duties-strategy
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy
- https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.signins/get-mgpolicyauthorizationpolicy?view=graph-powershell-1.0