Control: 2.7 Ensure the admin consent workflow is enabled
Description
Without an admin consent workflow (Preview), a user in a tenant where user consent is disabled will be blocked when they try to access any app that requires permissions to access organizational data. The user sees a generic error message that says they're unauthorized to access the app and they should ask their admin for help.
The admin consent workflow (Preview) gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer takes action on the request, and the user is notified of the action.
Remediation
To enable the admin consent workflow (Preview), use the Microsoft 365 Admin Center:
- Select
Admin Centers
andAzure Active Directory
. - Select
Enterprise applications
from the Azure Navigation pane. - Under
Manage
selectUsers settings
. - Set
Users can request admin consent to apps they are unable to consent to
toYes
underAdmin consent requests
. - Under the
Reviewers
choose the Roles, Groups that you would like to review user generated app consent requests. - Select
Save
at the top of the window.
Default Value:
- Users can request admin consent to apps they are unable to consent to: No.
- Selected users to review admin consent requests: None.
- Selected users will receive email notifications for requests: Yes.
- Selected users will receive request expiration reminders: Yes.
- Consent request expires after (days): 30.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v140_2_7
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run microsoft365_compliance.control.cis_v140_2_7 --share
SQL
This control uses a named query:
azuread_admin_consent_workflow_enabled