Description:

Before an application can access your organization's data, a user must grant the application permissions to do so. Different permissions allow different levels of access. By default, all users are allowed to consent to applications for permissions that don't require administrator consent. For example, by default, a user can consent to allow an app to access their mailbox but can't consent to allow an app unfettered access to read and write to all files in your organization.


Rationale:

Unless Azure Active Directory is running as an identity provider for third-party applications, do not allow users to use their identity outside of the cloud environment. 


Impact:

Consent requests that users could previously approve themselves become requests that administrators need to fulfill, possibly quite often.


Default Value:

By default, Users can consent to apps accessing company data on their behalf is set to 'Yes'.


Audit:

  1. Go to Azure Active Directory

  2. Go to Users

  3. Go to User settings

  4. Click on Manage how end-users launch and view their applications  

  5. Check that 'Users can consent to apps accessing company data on their behalf' is set to No. (The default for this setting is Yes.)

Using PowerShell

# Requires the MSOnline module (Install-Module MSOnline); Connect-MsolService prompts for a sign-in
Connect-MsolService
Get-MsolCompanyInformation | Select-Object UsersPermissionToUserConsentToAppEnabled

The command should return UsersPermissionToUserConsentToAppEnabled with the value False.


Remediation:

Pre-Requisite:

  1. A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled.

  2. An account with global administrator privileges.


Implementation Steps:

  1. Go to Azure Active Directory

  2. Go to Users

  3. Go to User settings

  4. Click on Manage how end-users launch and view their applications  

  5. Set 'Users can consent to apps accessing company data on their behalf' to No
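The following PowerShell, added here as an example and not part of the benchmark, wraps the Audit command above and these Implementation Steps into one script: it returns a pass/fail object for the setting and, with -Remediate, sets it to No. It assumes the legacy MSOnline module is installed and that Set-MsolCompanySettings accepts -UsersPermissionToUserConsentToAppEnabled (an assumption to verify against your module version).

```powershell
# Added example, not part of the benchmark text. The pure check is separated from
# the live tenant call so the evaluation logic can be exercised without a tenant.
function Test-UserConsentSetting {
    # Evaluates the raw value of UsersPermissionToUserConsentToAppEnabled.
    # $true or $null = users may consent (FAIL); $false = consent blocked (PASS).
    param([AllowNull()]$Value)

    $status = 'FAIL'
    if ($Value -is [bool] -and -not $Value) { $status = 'PASS' }

    [pscustomobject]@{
        Setting  = 'UsersPermissionToUserConsentToAppEnabled'
        Actual   = $Value
        Expected = $false
        Status   = $status
    }
}

function Invoke-UserConsentAudit {
    # Runs the benchmark's Audit command and, with -Remediate, applies the
    # Implementation Steps (toggle set to No) via Set-MsolCompanySettings.
    # That cmdlet/parameter is assumed; verify it against your MSOnline version.
    [CmdletBinding()]
    param([switch]$Remediate)

    Connect-MsolService -ErrorAction Stop        # prompts for an admin sign-in
    $value  = (Get-MsolCompanyInformation).UsersPermissionToUserConsentToAppEnabled
    $result = Test-UserConsentSetting -Value $value

    if ($result.Status -eq 'FAIL' -and $Remediate) {
        Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $false
        # Re-read the tenant rather than trusting the write succeeded.
        $value  = (Get-MsolCompanyInformation).UsersPermissionToUserConsentToAppEnabled
        $result = Test-UserConsentSetting -Value $value
    }
    $result
}

# Offline check of the evaluation logic with constructed values:
#   Test-UserConsentSetting -Value $true    # the default tenant state
#   Test-UserConsentSetting -Value $false   # the benchmark's expected state
# Live runs:
#   Invoke-UserConsentAudit                 # audit only
#   Invoke-UserConsentAudit -Remediate      # audit, then set to No if needed
```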


Backout Plan:

  1. Go to Azure Active Directory

  2. Go to Users

  3. Go to User settings

  4. Click on Manage how end-users launch and view their applications  

  5. Ensure 'Users can consent to apps accessing company data on their behalf' is set to Yes


Note:

Please note that at this point of time, there is no API/CLI mechanism available to programmatically conduct security assessment for this recommendation.


References:

  1. https://blogs.msdn.microsoft.com/exchangedev/2014/06/05/managing-user-consent-for-applications-using-office-365-apis/

  2. https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx

  3. https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent#configure-user-consent-to-applications