Control: 1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
Description
Allow users to provide consent for selected permissions when a request is coming from a verified publisher.
If Azure Active Directory is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.
Remediation
From Azure Portal
- From Azure Home select the Portal Menu.
- Select
Azure Active Directory
. - Select
Enterprise Applications
. - Select
Consent and permissions
. - Select
User consent settings
. - Under
User consent for applications
, selectAllow user consent for apps from verified publishers, for selected permissions
. - Select
Save
.
From PowerShell
Connect-MsolServiceSet-MsolCompanyInformation --UsersPermissionToUserConsentToAppEnabled $False
Default Value
By default, User consent for applications
is set to Allow user consent for apps
.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v200_1_12
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v200_1_12 --share
SQL
This control uses a named query:
ad_manual_control