Enable Admin Consent Flow in Entra ID [CHK-1146]
This check verifies whether users must ask an administrator to approve a new application.
Rationale
Attackers often deploy malicious Entra ID apps to gain access to your data. Enabling the admin consent flow protects employees from such threats. When an employee wants to add an app, they see a screen asking them to request permission from an administrator.
Fix
An automated fix is available through Attic.
Manual steps:
- Navigate to Azure portal at https://portal.azure.com
- Go to Azure Active Directory
- Select Enterprise Applications from the Azure navigation panel
- Select User Settings
- Set Admin consent requests to YES
- Click on Select admin consent request reviewers and choose which administrators should serve as reviewers
- Select Save at the top of the screen
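To confirm the result of the manual steps, the setting can be read back from Microsoft Graph (`GET /policies/adminConsentRequestPolicy`) and evaluated. The following is an added example, not Attic's own check logic: the function name, the sample policy and its placeholder IDs are constructed, and the reviewer-notification check goes beyond what this page requires.

```python
import json

# Constructed sample in the shape of the Microsoft Graph
# adminConsentRequestPolicy resource. The user ID is a placeholder.
SAMPLE_POLICY = json.loads("""
{
  "isEnabled": true,
  "notifyReviewers": true,
  "remindersEnabled": true,
  "requestDurationInDays": 30,
  "reviewers": [
    {"query": "/users/00000000-0000-0000-0000-000000000001",
     "queryType": "MicrosoftGraph", "queryRoot": null}
  ]
}
""")

# Reviewer scopes are Graph queries for users, groups or directory roles.
REVIEWER_PREFIXES = ("/users/", "/groups/",
                     "/roleManagement/directory/roleAssignments")


def evaluate_admin_consent_policy(policy):
    """Hypothetical helper: return findings; an empty list means the check passes."""
    findings = []
    # "Set Admin consent requests to YES"
    if policy.get("isEnabled") is not True:
        findings.append("Admin consent requests are not enabled.")
    # "Select admin consent request reviewers": an enabled flow with no
    # reviewers leaves user requests with nobody to approve them.
    reviewers = policy.get("reviewers") or []
    if not reviewers:
        findings.append("No admin consent request reviewers are configured.")
    for reviewer in reviewers:
        query = (reviewer.get("query") or "").strip()
        if not query.startswith(REVIEWER_PREFIXES):
            findings.append(f"Reviewer scope not recognised: {query!r}")
    # Extra check (assumption, not part of this page's check).
    if reviewers and policy.get("notifyReviewers") is False:
        findings.append("Reviewers are not notified of new requests.")
    return findings


if __name__ == "__main__":
    result = evaluate_admin_consent_policy(SAMPLE_POLICY)
    print("PASS" if not result else "FAIL")
    for finding in result:
        print(" -", finding)
```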
Impact
The admin consent flow will be enabled, providing an additional layer of security against malicious apps.