turbot/microsoft365_compliance

Control: 2.7 Ensure the admin consent workflow is enabled

Description

Without an admin consent workflow (Preview), a user in a tenant where user consent is disabled will be blocked when they try to access any app that requires permissions to access organizational data. The user sees a generic error message that says they're unauthorized to access the app and they should ask their admin for help.

The admin consent workflow (Preview) gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer acts on the request, and the user is notified of the action.

Remediation

To enable the admin consent workflow (Preview), use the Microsoft 365 Admin Center:

  1. Select Admin Centers and Azure Active Directory.
  2. Select Enterprise applications from the Azure Navigation pane.
  3. Under Manage select Users settings.
  4. Set Users can request admin consent to apps they are unable to consent to to Yes under Admin consent requests.
  5. Under the Reviewers choose the Roles, Groups that you would like to review user generated app consent requests.
  6. Select Save at the top of the window.

Default Value:

  • Users can request admin consent to apps they are unable to consent to: No.
  • Selected users to review admin consent requests: None.
  • Selected users will receive email notifications for requests: Yes.
  • Selected users will receive request expiration reminders: Yes.
  • Consent request expires after (days): 30

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v150_2_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v150_2_7 --share

SQL

This control uses a named query:

azuread_admin_consent_workflow_enabled

Tags