Microsoft Entra IDOverview
Allow users to provide consent for selected permissions when a request is coming from a verified publisher.
Rationale
If Microsoft Entra ID is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.
Impact
Enforcing this setting may create additional requests that administrators need to review.
Default Value
By default, Users consent for applications is set to Allow user consent for apps.
Additional Information
This control is a more permissive version of Ensure 'User consent for applications' is set to 'Do not allow user consent'. We recommend implementing one of them, based on your organization's policy, and creating an exemption for the other. Microsoft recommends following this control. You can read more about user consent here.
Remediation guidance
- Open Enterprise Applications | Consent and permissions | User consent settings.
- Ensure
User consent for applicationsis set toAllow user consent for apps from verified publishers, for selected permissions.
Multiple Remediation Paths
SERVICE-WIDE (RECOMMENDED when many resources are affected): Apply organization/tenant-level guardrails and baseline policies for the entire platform.
ASSET-LEVEL: Fix only the affected resources identified by this control.
PREVENTIVE: Add preventive policy checks to CI/CD and periodic posture scans.
References for Service-Wide Patterns
- Platform policy/governance and preventive control patterns should be applied tenant-wide where supported.
Query logic
These are the stored checks tied to this control.
Entra tenants without consent allowed for verified publishers
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
authorizationPolicy: {
NOT: {
defaultUserPermissionGrantPoliciesAssigned_INCLUDES: "ManagePermissionGrantsForSelf.microsoft-user-default-low"
}
}
}
) {
...AssetFragment
}
}
