Control: 2.7 Ensure the admin consent workflow is enabled
Description
Without an admin consent workflow (Preview), a user in a tenant where user consent is disabled will be blocked when they try to access any app that requires permissions to access organizational data. The user sees a generic error message that says they're unauthorized to access the app and they should ask their admin for help.
The admin consent workflow (Preview) gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer acts on the request, and the user is notified of the action.
Remediation
To enable the admin consent workflow (Preview), use the Microsoft 365 Admin Center:
- Select Admin Centers and Azure Active Directory.
- Select Enterprise applications from the Azure navigation pane.
- Under Manage, select User settings.
- Under Admin consent requests, set Users can request admin consent to apps they are unable to consent to to Yes.
- Under Reviewers, choose the roles or groups that should review user-generated app consent requests.
- Select Save at the top of the window.
Default Value:
- Users can request admin consent to apps they are unable to consent to: No.
- Selected users to review admin consent requests: None.
- Selected users will receive email notifications for requests: Yes.
- Selected users will receive request expiration reminders: Yes.
- Consent request expires after (days): 30.
Usage
Run the control in your terminal:
  powerpipe control run microsoft365_compliance.control.cis_v150_2_7
Snapshot and share results via Turbot Pipes:
  powerpipe login
  powerpipe control run microsoft365_compliance.control.cis_v150_2_7 --share
SQL
This control uses a named query:
  select
    tenant_id || '/adminConsentRequestPolicy' as resource,
    case
      when is_enabled then 'ok'
      else 'alarm'
    end as status,
    case
      when is_enabled then tenant_id || ' has Admin Consent Workflow enabled.'
      else tenant_id || ' has Admin Consent Workflow disabled.'
    end as reason,
    tenant_id as tenant_id
  from
    azuread_admin_consent_request_policy;
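The query above only tests the enable flag. The example below, added here and not part of the Powerpipe mod or its query, reproduces that check in Python over a policy object and then goes one step further, flagging a workflow that is switched on but has no reviewers, no notifications or no reminders, which are the settings listed under Default Value. It does not call Microsoft Graph; the property names (isEnabled, reviewers, notifyReviewers, remindersEnabled, requestDurationInDays) are assumed to follow the Graph adminConsentRequestPolicy resource, and the three sample policies are constructed for the example.

```python
"""Evaluate an admin consent request policy the way the control's SQL does,
then report weaker settings that the enable flag alone does not reveal.
Added example, not code from the Powerpipe mod. Property names are assumed
to follow the Graph adminConsentRequestPolicy resource; sample data is constructed.
"""

# Constructed sample policies (not captured from a real tenant).
DEFAULT_POLICY = {           # matches the page's Default Value list
    "isEnabled": False,
    "reviewers": [],
    "notifyReviewers": True,
    "remindersEnabled": True,
    "requestDurationInDays": 30,
}

ENABLED_NO_REVIEWERS = {     # workflow on, but nobody to act on requests
    "isEnabled": True,
    "reviewers": [],
    "notifyReviewers": True,
    "remindersEnabled": True,
    "requestDurationInDays": 30,
}

HARDENED_POLICY = {          # enabled with a reviewer group (constructed id)
    "isEnabled": True,
    "reviewers": [{"query": "/groups/00000000-0000-0000-0000-000000000000", "queryType": "MicrosoftGraph"}],
    "notifyReviewers": True,
    "remindersEnabled": True,
    "requestDurationInDays": 30,
}


def evaluate_admin_consent_policy(tenant_id: str, policy: dict) -> dict:
    """Mirror the control query: ok when the workflow is enabled, alarm otherwise."""
    is_enabled = bool(policy.get("isEnabled", False))
    if is_enabled:
        status = "ok"
        reason = f"{tenant_id} has Admin Consent Workflow enabled."
    else:
        status = "alarm"
        reason = f"{tenant_id} has Admin Consent Workflow disabled."
    return {
        "resource": f"{tenant_id}/adminConsentRequestPolicy",
        "status": status,
        "reason": reason,
        "tenant_id": tenant_id,
    }


def find_weak_settings(policy: dict) -> list:
    """Findings beyond the enable flag.

    An enabled workflow with no reviewers, no notifications or no reminders
    still leaves user requests unattended, so users remain blocked in practice.
    """
    findings = []
    if not policy.get("isEnabled", False):
        findings.append("workflow disabled: users get a generic unauthorized error")
        return findings
    if not policy.get("reviewers"):
        findings.append("no reviewers configured: requests have nobody to act on them")
    if not policy.get("notifyReviewers", False):
        findings.append("reviewer email notifications disabled")
    if not policy.get("remindersEnabled", False):
        findings.append("request expiration reminders disabled")
    days = policy.get("requestDurationInDays")
    if days is None or days > 30:
        # 30 days is the tenant default on this page; longer means requests linger.
        findings.append(f"request expiry {days} days exceeds the 30-day default")
    return findings


if __name__ == "__main__":
    for name, pol in [("default", DEFAULT_POLICY), ("no-reviewers", ENABLED_NO_REVIEWERS), ("hardened", HARDENED_POLICY)]:
        print(name, evaluate_admin_consent_policy("contoso-tenant", pol)["status"], find_weak_settings(pol))
```

Run as-is to see the three constructed policies evaluated; to use it on real data, feed it the JSON returned for your tenant's admin consent request policy in place of the sample dictionaries.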