App Consent Policy Check [CHK-1128]
This check verifies whether settings are active that prevent employees from granting applications consent to access data in the Microsoft 365 tenant on their behalf.
Rationale
Attackers register their own web applications and trick users into granting them consent, which gives the attacker access to company data through the user's permissions. Limiting the ability of employees to consent to such apps reduces this risk.
Fix
An automated fix is available through Attic.
Manual steps:
- Navigate to Entra ID portal at https://entra.microsoft.com.
- Go to Enterprise applications > Consent and permissions.
- Click on "User consent settings".
- Select "Do not allow user consent" or "Allow user consent for apps from verified publishers, for selected permissions".
- If you selected the second option, click "Configure permission classifications".
- Add the recommended low-risk permissions that users can consent to.
- Save the changes.
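The portal steps above correspond to the permission-grant policies assigned to the default user role in the tenant's authorization policy. The following Python script is an added example (not Attic's own implementation) that evaluates such a policy document the way this check does: it reads the `permissionGrantPoliciesAssigned` list as returned by the Microsoft Graph endpoint `GET /policies/authorizationPolicy` and reports whether user consent is disabled, limited to verified publishers and low-risk permissions, open to all apps, or governed by a custom policy. The sample policy documents are constructed inline; the only live dependency a real run would add is the Graph call itself.

```python
"""Evaluate an Entra ID authorization policy for the user-consent setting (CHK-1128).

Added example: a read-only evaluator over the JSON returned by
GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy.
The two built-in permission-grant policy ids below are the ones Entra assigns
for "Allow user consent for apps" (legacy) and "Allow user consent for apps from
verified publishers, for selected permissions" (low); verify them against your
tenant before relying on this logic.
"""
import json

ALLOW_ALL_APPS = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
VERIFIED_LOW_RISK = "ManagePermissionGrantsForSelf.microsoft-user-default-low"
SELF_PREFIX = "ManagePermissionGrantsForSelf."  # user consenting on their own behalf


def classify_user_consent(policy: dict) -> str:
    """Map the assigned grant policies to one of the portal's user-consent options.

    Returns 'disabled', 'verified_publishers_low_risk', 'all_apps' or 'custom'.
    Entries with other prefixes (e.g. ManagePermissionGrantsForOwnedResource.*,
    which govern team/chat consent) are ignored because they are not user consent.
    """
    permissions = policy.get("defaultUserRolePermissions", {})
    assigned = permissions.get("permissionGrantPoliciesAssigned", [])
    self_grants = sorted(p for p in assigned if p.startswith(SELF_PREFIX))
    if not self_grants:
        return "disabled"  # "Do not allow user consent"
    if self_grants == [ALLOW_ALL_APPS]:
        return "all_apps"
    if self_grants == [VERIFIED_LOW_RISK]:
        return "verified_publishers_low_risk"
    return "custom"  # a tenant-defined policy: needs manual review


def check_1128(policy: dict) -> dict:
    """Pass only for the two configurations the check recommends."""
    status = classify_user_consent(policy)
    return {
        "check": "CHK-1128",
        "status": status,
        "passed": status in ("disabled", "verified_publishers_low_risk"),
    }


# Constructed sample responses (not captured from a real tenant), trimmed to the
# fields the check uses.
SAMPLE_ALL_APPS = json.loads("""{
  "id": "authorizationPolicy",
  "defaultUserRolePermissions": {
    "permissionGrantPoliciesAssigned": [
      "ManagePermissionGrantsForSelf.microsoft-user-default-legacy",
      "ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-team"
    ]
  }
}""")

SAMPLE_LOW_RISK = json.loads("""{
  "id": "authorizationPolicy",
  "defaultUserRolePermissions": {
    "permissionGrantPoliciesAssigned": [
      "ManagePermissionGrantsForSelf.microsoft-user-default-low"
    ]
  }
}""")

SAMPLE_DISABLED = json.loads("""{
  "id": "authorizationPolicy",
  "defaultUserRolePermissions": {
    "permissionGrantPoliciesAssigned": [
      "ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-chat"
    ]
  }
}""")


if __name__ == "__main__":
    for name, sample in [("all apps", SAMPLE_ALL_APPS),
                         ("verified/low-risk", SAMPLE_LOW_RISK),
                         ("disabled", SAMPLE_DISABLED)]:
        print(f"{name:18} -> {check_1128(sample)}")
```

In a real run, replace the constructed samples with the decoded body of the Graph call (the `Policy.Read.All` permission is enough to read it); the evaluator itself never writes to the tenant, so it can be scheduled as a drift detector alongside the manual fix.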
Impact
The settings regarding user consent will be configured in line with best practices, reducing the risk of unauthorized data access.
More Information
This measure aligns with the following item from the Center for Internet Security (CIS) Microsoft 365 Foundations Benchmark:
- CIS M365 2.6 - (L2) Ensure user consent to apps accessing company data on their behalf is not allowed.