Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-microsoft365-compliance
Overview
6Dashboards
126Benchmarks
36Queries
2Variables
GitHub

Control: 5.1.5.2 Ensure user consent to apps accessing company data on their behalf is not allowed

Description

The admin consent workflow gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer takes action on the request, and the user is notified of the action.

The admin consent workflow (Preview) gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer acts on the request, and the user is notified of the action.

Remediation

To remediate using the UI:

  1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
  2. Click to expand Identity > Applications select Enterprise applications.
  3. Under Security select Consent and permissions.
  4. Under Manage select Admin consent settings.
  5. Set Users can request admin consent to apps they are unable to consent to​ to Yes under Admin consent requests.
  6. Under the Reviewers choose the Roles and Groups that will review user generated app consent requests.
  7. Set Selected users will receive email notifications for requests to Yes.
  8. Select Save at the top of the window.

Default Value

'- Users can request admin consent to apps they are unable to consent to: No

  • Selected users to review admin consent requests: None
  • Selected users will receive email notifications for requests: Yes
  • Selected users will receive request expiration reminders: Yes
  • Consent request expires after (days): 30.

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v400_5_1_5_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v400_5_1_5_2 --share

SQL

This control uses a named query:

select
  tenant_id || '/' || id as resource,
  case
    when jsonb_array_length(default_user_role_permissions -> 'permissionGrantPoliciesAssigned') = 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when jsonb_array_length(default_user_role_permissions -> 'permissionGrantPoliciesAssigned') = 0 then tenant_id || ' which is ' || lower(split_part(description, '.', 1)) || ' does not have Permission Grant Policies assigned.'
    else tenant_id || ' which is ' || lower(split_part(description, '.', 1)) || ' have Permission Grant Policies assigned.'
  end as reason
  , tenant_id as tenant_id
from
  azuread_authorization_policy;

Tags

category = Compliance
cis = true
cis_item_id = 5.1.5.2
cis_level = 2
cis_section_id = 5.1.5
cis_type = manual
cis_version = v4.0.0
microsoft_365_license = E3
plugin = microsoft365
service = Azure/ActiveDirectory