Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-microsoft365-compliance
Overview
6Dashboards
126Benchmarks
36Queries
2Variables
GitHub

Control: 2.1 Ensure the admin consent workflow is enabled

Description

The admin consent workflow gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer takes action on the request, and the user is notified of the action.

The admin consent workflow (Preview) gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer acts on the request, and the user is notified of the action.

Remediation

To enable the admin consent workflow, use the Microsoft 365 Admin Center:

  1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
  2. Click to expand Azure Active Directory > Applications select Enterprise applications.
  3. Under Security select Consent and permissions.
  4. Under Manage select Admin consent settings.
  5. Set Users can request admin consent to apps they are unable to consent to to Yes under Admin consent requests.
  6. Under the Reviewers choose the Roles and Groups that will review user generated app consent requests.
  7. Set Selected users will receive email notifications for requests to Yes.
  8. Select Save at the top of the window.

Default Value:

  • Users can request admin consent to apps they are unable to consent to: No.
  • Selected users to review admin consent requests: None.
  • Selected users will receive email notifications for requests: Yes.
  • Selected users will receive request expiration reminders: Yes.
  • Consent request expires after (days): 30.

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v200_2_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v200_2_1 --share

SQL

This control uses a named query:

select
  tenant_id || '/adminConsentRequestPolicy' as resource,
  case
    when is_enabled then 'ok'
    else 'alarm'
  end as status,
  case
    when is_enabled then tenant_id || ' has Admin Consent Workflow enabled.'
    else tenant_id || ' has Admin Consent Workflow disabled.'
  end as reason
  , tenant_id as tenant_id
from
  azuread_admin_consent_request_policy;

Tags

category = Compliance
cis = true
cis_item_id = 2.1
cis_level = 1
cis_section_id = 2
cis_type = automated
cis_version = v2.0.0
microsoft_365_license = E3
plugin = microsoft365
service = Azure/ActiveDirectory