Microsoft Entra ID User Consent For Applications is not set to Do Not Allow User Consent
- Contextual name: User Consent For Applications is not set to Do Not Allow User Consent
- ID: /ce/ca/azure/microsoft-entra-id/do-not-allow-user-consent-for-applications
- Located in: Microsoft Entra ID
Flags
- Impossible policy
- Policy with categories
- Policy with type
Our Metadata
- Policy Type: BEST_PRACTICE
- Policy Category: SECURITY
Similar Policies
- Cloud Conformity
Description
Require administrators to provide consent for applications before use.
Rationale
If Microsoft Entra ID is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.
Impact
Enforcing this setting may create additional requests that administrators need to review.
Audit
From Azure Portal
- From Azure Home select the Portal Menu.
- Select Microsoft Entra ID.
- Under Manage, select Enterprise applications.
- Under Security, select Consent and permissions.
- Under Manage, select User consent settings.
- Ensure User consent for applications is set to Do not allow user consent.
From PowerShell
Connect-MgGraph
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions | Select-Object -ExpandProperty PermissionGrantPoliciesAssigned
If the command returns no values in response, the configuration complies with the recommendation.
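The following script is an added example, not part of this policy page or the CIS benchmark text: it wraps the Graph audit above in a reusable check and, with a hypothetical -Remediate switch, applies the same change the portal steps below make. It assumes the Microsoft.Graph PowerShell module is installed and that the signed-in account may read (and, for remediation, write) the tenant authorization policy.

```powershell
# Added example (not the page's own code). Audits, and optionally fixes, the
# "User consent for applications" setting through Microsoft Graph PowerShell.
param(
    [switch]$Remediate   # hypothetical switch: clear user consent grant policies
)

Import-Module Microsoft.Graph.Identity.SignIns -ErrorAction Stop

# Reading the policy needs Policy.Read.All; changing it needs Policy.ReadWrite.Authorization.
$scopes = if ($Remediate) { 'Policy.ReadWrite.Authorization' } else { 'Policy.Read.All' }
Connect-MgGraph -Scopes $scopes -NoWelcome

function Test-UserConsentDisabled {
    # Compliant when no permission grant policy is assigned to the default user role,
    # which is what the portal displays as "Do not allow user consent".
    $assigned = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
    [pscustomobject]@{
        Compliant = (-not $assigned -or @($assigned).Count -eq 0)
        Assigned  = @($assigned)
    }
}

$state = Test-UserConsentDisabled
if ($state.Compliant) {
    Write-Host 'PASS: user consent for applications is disabled (no grant policies assigned).'
    return
}

Write-Warning "FAIL: default users may consent to applications under: $($state.Assigned -join ', ')"

if ($Remediate) {
    # Clearing the list is the Graph equivalent of selecting "Do not allow user consent".
    # The tenant has a single authorization policy whose id is 'authorizationPolicy'.
    Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId 'authorizationPolicy' `
        -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }
    $after = Test-UserConsentDisabled
    if ($after.Compliant) { Write-Host 'Remediated: user consent for applications is now disabled.' }
    else { Write-Error 'Remediation did not take effect; re-check the authorization policy.' }
}
```

Run it without -Remediate from a scheduled audit to get a PASS/FAIL line per tenant; the Assigned list it prints tells you which consent policy is currently granting users the ability to consent.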
Remediation
From Azure Portal
- From Azure Home select the Portal Menu.
- Select Microsoft Entra ID.
- Under Manage, select Enterprise applications.
- Under Security, select Consent and permissions.
- Under Manage, select User consent settings.
- Set User consent for applications to Do not allow user consent.
- Click Save.
Linked Framework Sections
Section | Sub Sections | Internal Rules | Policies | Flags |
---|---|---|---|---|
CIS Azure v2.1.0 → 1.10 Ensure 'User consent for applications' is set to 'Do not allow user consent' - Level 1 (Manual) | 1 | | | |
CIS Azure v3.0.0 → 2.12 Ensure 'User consent for applications' is set to 'Do not allow user consent' (Manual) | 1 | | | |
Cloudaware Framework → User Account Management | 14 | | | |