v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/microsoft365_compliance
Overview
4Dashboards
80Controls
21Queries
2Variables
GitHub

Control: 5.1.5.3 Ensure the admin consent workflow is enabled

Description

Control when end users and group owners are allowed to grant consent to applications, and when they will be required to request administrator review and approval. Allowing users to grant apps access to data helps them acquire useful applications and be productive but can represent a risk in some situations if it's not monitored and controlled carefully.

Attackers commonly use custom applications to trick users into granting them access to company data. Disabling future user consent operations setting mitigates this risk, and helps to reduce the threat-surface. If user consent is disabled previous consent grants will still be honored but all future consent operations must be performed by an administrator.

Remediation

To prohibit user consent to apps accessing company data on their behalf:

  1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
  2. Click to expand Identity > Applications select Enterprise applications.
  3. Under Security select Consent and permissions > User consent settings.
  4. Under User consent for applications select Do not allow user consent.
  5. Click the Save option at the top of the window.

Default Value

UI - Allow user consent for apps.

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v300_5_1_5_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v300_5_1_5_3 --share

SQL

This control uses a named query:

azuread_admin_consent_workflow_enabled

Tags

category = Compliance
cis = true
cis_item_id = 5.1.5.3
cis_level = 1
cis_section_id = 5.1.5
cis_type = manual
cis_version = v3.0.0
microsoft_365_license = E3
plugin = microsoft365
service = Azure/ActiveDirectory