Control: 5.13 Ensure that 'User consent for applications' is set to 'Allow user consent for apps from verified publishers, for selected permissions'
Description
Allow users to provide consent for selected permissions when a request is coming from a verified publisher.
If Microsoft Entra ID is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.
Remediation
Remediate from Azure Portal
- From Azure Home select the Portal Menu
- Select
Microsoft Entra ID. - Under
Manage, selectEnterprise applications. - Under
Security,selectConsent and permissions. - Under
Manage, selectUser consent settings. - Under
User consent for applications, selectAllow user consent for apps from verified publishers, for selected permissions. - Click
Save.
Default Value
By default, User consent for applications is set to Allow user consent for apps.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v500_5_13Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v500_5_13 --shareSQL
This control uses a named query:
with distinct_tenant as ( select distinct tenant_id, subscription_id, _ctx from azure_tenant)select p.id as resource, case when (p.default_user_role_permissions -> 'permissionGrantPoliciesAssigned')::jsonb @> '["ManagePermissionGrantsForSelf.microsoft-user-default-low"]'::jsonb then 'ok' else 'alarm' end as status, case when (p.default_user_role_permissions -> 'permissionGrantPoliciesAssigned')::jsonb @> '["ManagePermissionGrantsForSelf.microsoft-user-default-low"]'::jsonb then p.display_name || ' user consent limited to verified publishers for selected permissions.' else p.display_name || ' user consent policy not set to verified publishers (LOW).' end as reason, t.tenant_id from distinct_tenant t join azuread_authorization_policy p on p.tenant_id = t.tenant_id;