Control: 5.1.5.1 Ensure user consent to apps accessing company data on their behalf is not allowed
Description
Control when end users and group owners are allowed to grant consent to applications, and when they will be required to request administrator review and approval. Allowing users to grant apps access to data helps them acquire useful applications and be productive but can represent a risk in some situations if it's not monitored and controlled carefully.
Remediation
To remediate using the UI:
- Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
- Click to expand Identity > Applications and select Enterprise applications.
- Under Security, select Consent and permissions > User consent settings.
- Under User consent for applications, select Do not allow user consent.
- Click the Save option at the top of the window.
Default Value
UI - Allow user consent for apps
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v500_5_1_5_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v500_5_1_5_1 --share
SQL
This control uses a named query:
select
  tenant_id || '/' || id as resource,
  -- An empty permissionGrantPoliciesAssigned array means no user or owner
  -- consent policy is in effect, which is what "Do not allow user consent" produces.
  case
    when jsonb_array_length(default_user_role_permissions -> 'permissionGrantPoliciesAssigned') = 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when jsonb_array_length(default_user_role_permissions -> 'permissionGrantPoliciesAssigned') = 0
      then tenant_id || ' which is ' || lower(split_part(description, '.', 1)) || ' does not have Permission Grant Policies assigned.'
    else tenant_id || ' which is ' || lower(split_part(description, '.', 1)) || ' has Permission Grant Policies assigned.'
  end as reason,
  tenant_id as tenant_id
from
  azuread_authorization_policy;
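The named query above raises an alarm as soon as the permissionGrantPoliciesAssigned array is non-empty, whatever the entries are. The following added example, written for this page and not part of the microsoft365_compliance mod, builds a constructed stand-in for the azuread_authorization_policy table holding the four states the Entra user consent settings can produce, then runs the control's test next to a narrower one that only counts user consent policies (ManagePermissionGrantsForSelf.*). The policy identifiers follow the managePermissionGrantsForSelf.{id} / managePermissionGrantsForOwnedResource.{id} format that Microsoft Graph documents for authorizationPolicy; the tenant ids and the authz_fixture table name are made up for the example.

```sql
-- Added example, not part of the microsoft365_compliance mod.
-- Constructed fixture standing in for azuread_authorization_policy, with the
-- columns the control reads. Runs on plain PostgreSQL (e.g. in psql).
create temp table authz_fixture (
  tenant_id                     text,
  id                            text,
  description                   text,
  default_user_role_permissions jsonb
);

insert into authz_fixture values
  -- UI: "Do not allow user consent" -> no policies assigned
  ('00000000-0000-0000-0000-000000000001', 'authorizationPolicy',
   'Used to manage authorization related settings across the company.',
   '{"permissionGrantPoliciesAssigned": []}'),
  -- UI default: "Allow user consent for apps"
  ('00000000-0000-0000-0000-000000000002', 'authorizationPolicy',
   'Used to manage authorization related settings across the company.',
   '{"permissionGrantPoliciesAssigned": ["ManagePermissionGrantsForSelf.microsoft-user-default-legacy"]}'),
  -- UI: "Allow user consent for apps from verified publishers, for selected permissions"
  ('00000000-0000-0000-0000-000000000003', 'authorizationPolicy',
   'Used to manage authorization related settings across the company.',
   '{"permissionGrantPoliciesAssigned": ["ManagePermissionGrantsForSelf.microsoft-user-default-low"]}'),
  -- User consent disabled, but group owner consent left on
  -- (a ManagePermissionGrantsForOwnedResource.* policy, not a user consent policy)
  ('00000000-0000-0000-0000-000000000004', 'authorizationPolicy',
   'Used to manage authorization related settings across the company.',
   '{"permissionGrantPoliciesAssigned": ["ManagePermissionGrantsForOwnedResource.microsoft-all-application-permissions-for-group"]}');

-- 1. The control's own test: any assigned policy is an alarm.
select
  tenant_id,
  case
    when jsonb_array_length(default_user_role_permissions -> 'permissionGrantPoliciesAssigned') = 0 then 'ok'
    else 'alarm'
  end as status_as_written
from authz_fixture
order by tenant_id;

-- 2. Narrower test: alarm only when a *user* consent policy
--    (ManagePermissionGrantsForSelf.*) is assigned, and list what is assigned
--    so the reason column can say which setting tripped the check.
select
  tenant_id,
  case
    when exists (
      select 1
      from jsonb_array_elements_text(default_user_role_permissions -> 'permissionGrantPoliciesAssigned') as p(policy)
      where lower(p.policy) like 'managepermissiongrantsforself.%'
    ) then 'alarm'
    else 'ok'
  end as status_user_consent_only,
  (
    select string_agg(p.policy, ', ' order by p.policy)
    from jsonb_array_elements_text(default_user_role_permissions -> 'permissionGrantPoliciesAssigned') as p(policy)
  ) as assigned_policies
from authz_fixture
order by tenant_id;
```

Running both queries side by side shows where they diverge: the tenant that disabled user consent but kept group owner consent is an alarm under the control as written and passes the narrower test, while the two tenants with a ManagePermissionGrantsForSelf.* entry alarm under both. Whether a group-owner-only policy should count as a failure of 5.1.5.1 is a judgement call for your benchmark interpretation; either way, listing the assigned policy identifiers in the reason string tells the responder which Entra setting to change before they open the admin center.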