Ensure that only Microsoft Azure Active Directory (AD) administrators are allowed to provide consent for third-party multi-tenant applications before users may use them, by disabling the "Users can consent to apps accessing company data on their behalf" setting.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure
Unless your Azure Active Directory is running as an identity provider for third-party applications, do not allow users to use their identity outside the Azure cloud environment. By switching "Users can consent to apps accessing company data on their behalf" to "No" within the Active Directory user settings, you deny third-party applications access to AD user profile data. This data contains private information such as email addresses and phone numbers, which can be sold on to other third parties without requiring any further consent from the user.
Audit
To determine whether AD administrators are required to provide consent for applications before users may use them, perform the following actions:
Remediation / Resolution
By setting "Users can consent to apps accessing company data on their behalf" to "No", Azure Active Directory administrators are required to consent to third-party multi-tenant applications before users may use them. To remove AD users' ability to grant consent to applications, perform the following actions:
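The audit and remediation above can be scripted with the MSOnline cmdlets listed under References. The following is an added example, not Cloud Conformity's own procedure; it assumes the MSOnline module is installed and that the caller holds a Global Administrator role, and it reads back the setting after changing it rather than assuming the change took effect.

```powershell
# Added example (not Cloud Conformity's own audit/remediation code).
# Assumes the MSOnline module is installed and the caller is a Global Administrator.
Import-Module MSOnline
Connect-MsolService   # prompts for administrator credentials

function Test-UserConsentDisabled {
    # Returns $true when users can NOT consent to apps accessing company data on their behalf,
    # i.e. when only administrators can grant consent to third-party multi-tenant apps.
    $info = Get-MsolCompanyInformation
    $userConsentAllowed = $info.UsersPermissionToUserConsentToAppEnabled
    if ($userConsentAllowed) {
        Write-Warning "NON-COMPLIANT: users can consent to apps accessing company data on their behalf."
        return $false
    }
    Write-Host "COMPLIANT: only administrators can consent to third-party applications."
    return $true
}

function Disable-UserConsentToApps {
    # Remediation: set "Users can consent to apps accessing company data on their behalf" to No.
    Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $false
    # Re-read the tenant setting so the remediation is verified, not assumed.
    if (-not (Test-UserConsentDisabled)) {
        throw "Setting did not take effect; check the directory role of the signed-in account."
    }
}

# Audit first; remediate only when the tenant is non-compliant.
if (-not (Test-UserConsentDisabled)) {
    Disable-UserConsentToApps
}
```

Note that the MSOnline module has since been deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK; the check itself is unchanged, only the cmdlets differ.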
References
- Azure Official Documentation
- Managing user consent for applications using Office 365 APIs
- Configure the way end-users consent to an application in Azure Active Directory
- CIS Microsoft Azure Foundations
- Azure PowerShell Documentation
- Azure ActiveDirectory (MSOnline)
- MSOnline
- Get-MsolCompanyInformation
- Set-MsolCompanySettings
Rule: Enforce Administrators to Provide Consent for Apps Before Use
Risk level: High