Enforce Administrators to Provide Consent for Apps Before Use

Risk level: High (not acceptable risk)
Rule ID: ActiveDirectory-009

Ensure that only Microsoft Azure Active Directory (AD) administrators are allowed to grant consent to third-party multi-tenant applications before users may use them, by disabling the "Users can consent to apps accessing company data on their behalf" feature.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Unless your Azure Active Directory is running as an identity provider for third-party applications, do not allow users to use their identity outside the Azure cloud environment. By switching "Users can consent to apps accessing company data on their behalf" to "No" within the Active Directory user settings, you deny third-party applications access to AD user profile data. This data contains private information such as email addresses and phone numbers, which can be sold on to other third parties without any further consent from the user.

Audit

To determine if AD administrators are required to provide consent for applications before users may use them, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory blade at Azure Portal.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Azure Active Directory user configuration settings.

05 On the User settings configuration page, under Enterprise applications, click Manage how end users launch and view their applications.

06 On the Enterprise applications panel, check the configuration of the Users can consent to apps accessing company data on their behalf setting. If this setting is set to Yes, the "Users can consent to apps accessing company data on their behalf" feature is enabled, therefore all Azure Active Directory (AD) users can consent to third-party applications without administrator involvement.

07 Repeat steps no. 3 – 6 for each Microsoft Azure Active Directory that you want to examine.

Using Azure PowerShell

01 Open an elevated Windows PowerShell command prompt (i.e. run PowerShell as an administrator) and run Install-Module MSOnline command to install MSOnline PowerShell module for Azure Active Directory:

Install-Module MSOnline

02 Run Connect-MsolService PowerShell command to connect to your Azure Active Directory (AD) environment. Once the command request is made you should be prompted for your AD credentials. To connect to a specific environment of Active Directory, use the -AzureEnvironment parameter, as shown in the example below (replace the placeholder parameter value with your own AD environment name):

Connect-MsolService -AzureEnvironment "<ad-environment-name>"

03 Run Get-MsolCompanyInformation PowerShell command, piping its output to Format-List (fl) to show only the relevant attribute, to identify if the current Azure Active Directory account is configured to allow non-administrator users to consent to applications:

Get-MsolCompanyInformation | fl UsersPermissionToUserConsentToAppEnabled

04 The command output should return the "Users can consent to apps accessing company data on their behalf" feature status (True for enabled, False for disabled):

UsersPermissionToUserConsentToAppEnabled : True

If the UsersPermissionToUserConsentToAppEnabled configuration attribute is set to True, as shown in the example above, the feature is currently enabled, thus all Azure Active Directory (AD) users can consent to third-party applications without administrator consent.

05 Repeat steps no. 1 - 4 for each Microsoft Azure Active Directory that you want to examine.
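The PowerShell audit above can be wrapped into a repeatable compliance check. The following script is an added example, not Cloud Conformity's own tooling: it reads the same UsersPermissionToUserConsentToAppEnabled attribute with Get-MsolCompanyInformation and emits a finding object labelled with this rule's ID. It assumes the MSOnline module is installed and that Connect-MsolService has already been run against the tenant being audited.

```powershell
# Added example (not Cloud Conformity's own code): audit the
# "Users can consent to apps accessing company data on their behalf" setting
# via the MSOnline cmdlets used in the manual steps and return a finding.
# Assumption: MSOnline is installed and Connect-MsolService has been run.

function Test-UserConsentSetting {
    [CmdletBinding()]
    param(
        # Rule ID from this page; used only to label the finding
        [string]$RuleId = 'ActiveDirectory-009'
    )

    # Same cmdlet and attribute as audit step 03
    $info = Get-MsolCompanyInformation -ErrorAction Stop
    $userConsentEnabled = [bool]$info.UsersPermissionToUserConsentToAppEnabled

    # Compliant only when end users cannot grant consent themselves
    [pscustomobject]@{
        RuleId       = $RuleId
        TenantName   = $info.DisplayName
        Setting      = 'UsersPermissionToUserConsentToAppEnabled'
        CurrentValue = $userConsentEnabled
        Compliant    = -not $userConsentEnabled
        RiskLevel    = if ($userConsentEnabled) { 'High' } else { 'None' }
        Finding      = if ($userConsentEnabled) {
            'All users can consent to third-party applications without administrator consent.'
        } else {
            'Only administrators can consent to applications on behalf of the organisation.'
        }
    }
}

# Usage: connect, run the check, and exit non-zero when non-compliant so the
# script can run as a scheduled compliance job.
Connect-MsolService
$result = Test-UserConsentSetting
$result | Format-List
if (-not $result.Compliant) {
    Write-Warning "$($result.RuleId): tenant '$($result.TenantName)' is non-compliant"
    exit 1
}
```

Run the script once per tenant after connecting with the appropriate -AzureEnvironment value; the non-zero exit code is what lets a scheduler or CI job flag the tenant for remediation.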

Remediation / Resolution

By setting "Users can consent to apps accessing company data on their behalf" to "No", Azure Active Directory administrators are required to consent to third-party multi-tenant applications before users may use them. To disable AD users' ability to grant consent to applications, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory (AD) blade at Azure Portal.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Azure Active Directory user configuration settings.

05 On the User settings configuration page, under Enterprise applications, click Manage how end users launch and view their applications.

06 On the Enterprise applications panel, select No next to Users can consent to apps accessing company data on their behalf setting to disable all Active Directory users' ability to consent to applications that require access to their cloud user data, such as directory user profile or Office 365 email address.

07 Click Save to apply the configuration changes. If the request is successful, the following message should be displayed: "Successfully updated user settings".

08 Repeat steps no. 3 – 7 for each Active Directory (AD) that you want to reconfigure to enforce administrator consent for using third-party applications.

Using Azure PowerShell

01 Open an elevated Windows PowerShell command prompt (i.e. run PowerShell as an administrator) and run Install-Module MSOnline command to install MSOnline PowerShell module for Azure Active Directory:

Install-Module MSOnline

02 Run Connect-MsolService PowerShell command to connect to your Azure Active Directory (AD) environment. Once the command request is made you should be prompted for your AD credentials. To connect to a specific environment of Active Directory, use the -AzureEnvironment parameter, as shown in the example below (replace the placeholder parameter value with your own AD environment name):

Connect-MsolService -AzureEnvironment "<ad-environment-name>"

03 Run Set-MsolCompanySettings PowerShell command to set the UsersPermissionToUserConsentToAppEnabled attribute to $false and disable the "Users can consent to apps accessing company data on their behalf" feature for the current Azure Active Directory:

Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled:$false

04 Repeat steps no. 1 - 3 for each Microsoft Azure Active Directory that you want to reconfigure in order to enforce AD administrator consent for using applications.
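The remediation command in step 03 changes a tenant-wide setting, so in practice it is worth previewing it, applying it with confirmation, and reading the setting back afterwards. The following script is an added example, not Cloud Conformity's own tooling: it wraps the same Set-MsolCompanySettings call in a function that supports -WhatIf and -Confirm and verifies the result with Get-MsolCompanyInformation. It assumes the MSOnline module is installed and that Connect-MsolService has already been run against the tenant being reconfigured.

```powershell
# Added example (not Cloud Conformity's own code): apply the remediation from
# step 03 with -WhatIf/-Confirm support and a read-back check that the
# change actually took effect.
# Assumption: MSOnline is installed and Connect-MsolService has been run.

function Disable-UserAppConsent {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    $before = Get-MsolCompanyInformation -ErrorAction Stop
    if (-not $before.UsersPermissionToUserConsentToAppEnabled) {
        Write-Verbose "Tenant '$($before.DisplayName)' already requires administrator consent; nothing to do."
        return [pscustomobject]@{ Tenant = $before.DisplayName; Changed = $false; Compliant = $true }
    }

    # ShouldProcess makes the change reviewable: -WhatIf previews, -Confirm prompts
    if ($PSCmdlet.ShouldProcess($before.DisplayName, 'Set UsersPermissionToUserConsentToAppEnabled to $false')) {
        Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled:$false -ErrorAction Stop

        # Read the setting back rather than trusting that the call succeeded
        $after = Get-MsolCompanyInformation -ErrorAction Stop
        if ($after.UsersPermissionToUserConsentToAppEnabled) {
            throw "Setting still enabled after update on tenant '$($after.DisplayName)'"
        }
        return [pscustomobject]@{ Tenant = $after.DisplayName; Changed = $true; Compliant = $true }
    }

    # -WhatIf path: report what would change without touching the tenant
    [pscustomobject]@{ Tenant = $before.DisplayName; Changed = $false; Compliant = $false }
}

# Usage: preview first, then apply with an explicit confirmation prompt.
Connect-MsolService
Disable-UserAppConsent -WhatIf
Disable-UserAppConsent -Confirm
```

Because ConfirmImpact is set to High, the function prompts before changing the tenant even when -Confirm is omitted; pass -Confirm:$false only in automation where the change has already been approved. Keep the read-back check: it catches the case where the cmdlet returns without error but the tenant setting was not updated.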


Publication date Aug 30, 2019
