Control: Ensure that 'User consent for applications' is set to 'Allow user consent for apps from verified publishers, for selected permissions'
Description
Allow users to provide consent for selected permissions when a request is coming from a verified publisher.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.ad_authorization_policy_user_consent_verified_publishers_selected_permissionsSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.ad_authorization_policy_user_consent_verified_publishers_selected_permissions --shareSQL
This control uses a named query:
with distinct_tenant as ( select distinct tenant_id, subscription_id, _ctx from azure_tenant)select p.id as resource, case when (p.default_user_role_permissions -> 'permissionGrantPoliciesAssigned')::jsonb @> '["ManagePermissionGrantsForSelf.microsoft-user-default-low"]'::jsonb then 'ok' else 'alarm' end as status, case when (p.default_user_role_permissions -> 'permissionGrantPoliciesAssigned')::jsonb @> '["ManagePermissionGrantsForSelf.microsoft-user-default-low"]'::jsonb then p.display_name || ' user consent limited to verified publishers for selected permissions.' else p.display_name || ' user consent policy not set to verified publishers (LOW).' end as reason, t.tenant_id from distinct_tenant t join azuread_authorization_policy p on p.tenant_id = t.tenant_id;