Microsoft Entra IDOverview
Require administrators to provide consent for applications before use.
Rationale
If Microsoft Entra ID is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.
Impact
Enforcing this setting may create additional requests that administrators need to review.
Default Value
By default, Users consent for applications is set to Allow user consent for apps.
Remediation guidance
From Azure Portal
- Open Enterprise Applications | Consent and permissions | User consent settings.
- Ensure
User consent for applicationsis set toDo not allow user consent.
Multiple Remediation Paths
SERVICE-WIDE (RECOMMENDED when many resources are affected): Apply organization/tenant-level guardrails and baseline policies for the entire platform.
ASSET-LEVEL: Fix only the affected resources identified by this control.
PREVENTIVE: Add preventive policy checks to CI/CD and periodic posture scans.
References for Service-Wide Patterns
- Platform policy/governance and preventive control patterns should be applied tenant-wide where supported.
Query logic
These are the stored checks tied to this control.
Entra tenants that do not block user consent
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
authorizationPolicy: {
OR: [
{
defaultUserPermissionGrantPoliciesAssigned_INCLUDES: "ManagePermissionGrantsForSelf.microsoft-user-default-low"
}
{
defaultUserPermissionGrantPoliciesAssigned_INCLUDES: "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
}
]
}
}
) {
...AssetFragment
}
}
