Microsoft Entra IDOverview
Require administrators to provide consent for applications before use.
Rationale
If Microsoft Entra ID is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.
Impact
Enforcing this setting may create additional requests that administrators need to review.
Default Value
By default, Users consent for applications is set to Allow user consent for apps.
Remediation guidance
From Azure Portal
- Open Enterprise Applications | Consent and permissions | User consent settings.
- Ensure
User consent for applicationsis set toDo not allow user consent.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Microsoft Entra ID
Use tenant-wide Conditional Access, role settings, authentication policies, and identity governance baselines so the control is enforced centrally.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Entra tenants that do not block user consent
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
authorizationPolicy: {
OR: [
{
defaultUserPermissionGrantPoliciesAssigned_INCLUDES: "ManagePermissionGrantsForSelf.microsoft-user-default-low"
}
{
defaultUserPermissionGrantPoliciesAssigned_INCLUDES: "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
}
]
}
}
) {
...AssetFragment
}
}
