turbot/microsoft365_compliance

Control: 2.6 Ensure user consent to apps accessing company data on their behalf is not allowed

Description

By default, users can consent to applications accessing your organization's data, although only for some permissions. For example, by default a user can consent to allow an app to access their own mailbox or the Teams conversations for a team the user owns, but cannot consent to allow an app unattended access to read and write to all SharePoint sites in your organization.

Do not allow users to grant consent to apps accessing company data on their behalf.

Attackers commonly use custom applications to trick users into granting them access to company data.

While allowing users to consent by themselves does allow users to easily acquire useful applications that integrate with Microsoft 365, Azure and other services, it can represent a risk if not used and monitored carefully.

Disable future user consent operations to help reduce your threat-surface and mitigate this risk. If user consent is disabled, previous consent grants will still be honored but all future consent operations must be performed by an administrator.

Remediation

To prohibit user consent to apps accessing company data on their behalf, use the Microsoft 365 Admin Cente:

  1. Select Admin Centers and Azure Active Directory.
  2. Select Enterprise applications from the Azure navigation pane.
  3. Under Security select Consent and permissions.
  4. Under User consent for applications select Do not allow user consent.
  5. Click the Save option at the top of the window.

To prohibit user consent to apps accessing company data on their behalf, use the Microsoft Online PowerShell Module:

  1. Connect to Microsoft Online service using Connect-MSOLService.
  2. Run the following Microsoft Online PowerShell command:
Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $False

Default Value: UI - Allow user consent for apps PowerShell - True

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v150_2_6

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v150_2_6 --share

SQL

This control uses a named query:

azuread_authorization_policy_accessing_company_data_not_allowed

Tags