Description:
Before an application can access your organization's data, a user must grant the application permissions to do so. Different permissions allow different levels of access. By default, all users are allowed to consent to applications for permissions that don't require administrator consent. For example, by default, a user can consent to allow an app to access their mailbox but can't consent to allow an app unfettered access to read and write to all files in your organization.
Rationale:
Unless Azure Active Directory is running as an identity provider for third-party applications, do not allow users to use their identity outside of the cloud environment.
Impact:
Administrators may receive additional consent requests that they need to fulfill quite often.
Default Value:
By default, 'Users can consent to apps accessing company data on their behalf' is set to 'Yes'.
Audit:
Go to Azure Active Directory
Go to Users
Go to User settings
Click on Manage how end-users launch and view their applications
Check that 'Users can consent to apps accessing company data on their behalf' is set to No. (The default is Yes.)
Using PowerShell
Connect-MsolService
Get-MsolCompanyInformation | Select-Object UsersPermissionToUserConsentToAppEnabled
The command should return UsersPermissionToUserConsentToAppEnabled with the value False.
Remediation:
Pre-Requisite:
A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled.
An account with global administrator privileges.
Implementation Steps:
Go to Azure Active Directory
Go to Users
Go to User settings
Click on Manage how end-users launch and view their applications
Set 'Users can consent to apps accessing company data on their behalf' to No
Backout Plan:
Go to Azure Active Directory
Go to Users
Go to User settings
Click on Manage how end-users launch and view their applications
Ensure 'Users can consent to apps accessing company data on their behalf' is set to Yes
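The audit, remediation and backout steps above can be scripted with the same MSOnline module the audit section already uses. The following is an added example, not part of the benchmark text: it wraps Get-MsolCompanyInformation in an audit function that returns a PASS/FAIL object, and pairs it with a Set-MsolCompanySettings call for remediation (False) or backout (True). The function names are hypothetical, and the Set-MsolCompanySettings parameter -UsersPermissionToUserConsentToAppEnabled is assumed to mirror the property that Get-MsolCompanyInformation returns; it must be run after Connect-MsolService by an account with global administrator privileges.

```powershell
# Added example (not from the benchmark page): audit and remediate the
# "Users can consent to apps accessing company data on their behalf" setting
# using the MSOnline module. Run Connect-MsolService first as a Global
# Administrator. The Set-MsolCompanySettings parameter name below is assumed
# to match the property returned by Get-MsolCompanyInformation.

function Test-UserConsentToApps {
    <#
    .SYNOPSIS
    Audit step: returns an object stating whether the tenant setting matches
    the benchmark expectation (False = users cannot consent to apps).
    #>
    [CmdletBinding()]
    param()

    $info   = Get-MsolCompanyInformation
    $actual = $info.UsersPermissionToUserConsentToAppEnabled

    # PASS only when the value is exactly $false; a $null (unreadable) value is a FAIL.
    $status = if ($actual -eq $false) { 'PASS' } else { 'FAIL' }

    [pscustomobject]@{
        Setting  = 'UsersPermissionToUserConsentToAppEnabled'
        Actual   = $actual
        Expected = $false
        Status   = $status
    }
}

function Set-UserConsentToApps {
    <#
    .SYNOPSIS
    Remediation (-Enabled $false) or backout (-Enabled $true).
    Supports -WhatIf so the change can be previewed before it is applied.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)]
        [bool]$Enabled
    )

    # Read the current value so the script is idempotent and logs what it changes.
    $before = (Get-MsolCompanyInformation).UsersPermissionToUserConsentToAppEnabled
    if ($before -eq $Enabled) {
        Write-Verbose "UsersPermissionToUserConsentToAppEnabled is already $Enabled; nothing to do."
        return
    }

    if ($PSCmdlet.ShouldProcess('Tenant company settings',
            "Set UsersPermissionToUserConsentToAppEnabled from $before to $Enabled")) {
        Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $Enabled
        Write-Verbose "UsersPermissionToUserConsentToAppEnabled changed from $before to $Enabled."
    }
}

# Usage (assumed flow, not from the page):
# Connect-MsolService
# Test-UserConsentToApps                          # audit: expect Status = PASS
# Set-UserConsentToApps -Enabled $false -WhatIf   # preview the remediation
# Set-UserConsentToApps -Enabled $false -Verbose  # remediation
# Set-UserConsentToApps -Enabled $true  -Verbose  # backout plan
```

Running Test-UserConsentToApps before and after Set-UserConsentToApps gives a simple before/after record for the change ticket, and -WhatIf lets the administrator confirm the target tenant before anything is written.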
Note:
Please note that at this point in time, there is no API/CLI mechanism available to programmatically conduct a security assessment for this recommendation.