Control: 2.1 Ensure the admin consent workflow is enabled

Description

The admin consent workflow gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer takes action on the request, and the user is notified of the action.

The admin consent workflow (Preview) gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer acts on the request, and the user is notified of the action.

Remediation

To enable the admin consent workflow, use the Microsoft 365 Admin Center:

1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
2. Click to expand Azure Active Directory > Applications select Enterprise applications.
3. Under Security select Consent and permissions.
4. Under Manage select Admin consent settings.
5. Set Users can request admin consent to apps they are unable to consent to to Yes under Admin consent requests.
6. Under the Reviewers choose the Roles and Groups that will review user generated app consent requests.
7. Set Selected users will receive email notifications for requests to Yes.
8. Select Save at the top of the window.

Default Value:

• Users can request admin consent to apps they are unable to consent to: No.
• Selected users to review admin consent requests: None.
• Selected users will receive email notifications for requests: Yes.
• Selected users will receive request expiration reminders: Yes.
• Consent request expires after (days): 30.