Control: 5.1.5.2 Ensure user consent to apps accessing company data on their behalf is not allowed
Description
Control when end users and group owners are allowed to grant consent to applications, and when they will be required to request administrator review and approval. Allowing users to grant apps access to data helps them acquire useful applications and be productive but can represent a risk in some situations if it's not monitored and controlled carefully.
Attackers commonly use custom applications to trick users into granting them access to company data. Disabling future user consent operations setting mitigates this risk, and helps to reduce the threat-surface. If user consent is disabled previous consent grants will still be honored but all future consent operations must be performed by an administrator.
Remediation
To prohibit user consent to apps accessing company data on their behalf:
- Navigate to
Microsoft Entra admin center
https://entra.microsoft.com/. - Click to expand
Identity
>Applications
selectEnterprise applications.
- Under
Security
selectConsent and permissions
>User consent settings.
- Under
User consent for applications
selectDo not allow user consent.
- Click the
Save
option at the top of the window.
Default Value
UI - Allow user consent for apps.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v300_5_1_5_2
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run microsoft365_compliance.control.cis_v300_5_1_5_2 --share
SQL
This control uses a named query:
azuread_authorization_policy_accessing_company_data_not_allowed