Description:

This control ensures that Microsoft Entra ID is configured to prevent users from granting application permissions without administrator approval. Disabling user consent protects the tenant from malicious or unverified applications gaining access to organizational data and reduces the risk of data leakage through excessive or inappropriate permissions.


Rationale:

Allowing user consent can expose the environment to rogue or compromised applications requesting sensitive permissions. Restricting consent ensures IT administrators review and approve application access, improving control over data sharing and reducing the chance of unauthorized access.


Impact:

Users will no longer be able to independently authorize third-party applications. Requests for new apps will require administrator approval, which may slightly increase support requests. However, centralized approval significantly enhances security, governance, and visibility over application permissions.

Default:

By default, Microsoft Entra ID allows limited user consent for applications unless modified. This setting must be manually updated to “Do not allow user consent” to fully restrict end-user authorization.


Pre-requisites:

  • Global Administrator or Privileged Role Administrator permissions to modify the user consent settings.

  • A process for managing application consent requests from users to administrators.


Test Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Open Microsoft Entra ID

  3. Under the Manage section, select Enterprise applications

  4. Under the Security section, select Consent and Permissions

  5. Open User consent settings

  6. Verify User consent for applications is set to Do not allow user consent

  7. If User consent for applications is not set to Do not allow user consent, follow the implementation steps


Implementation Steps:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Open Microsoft Entra ID

  3. Under the Manage section, select Enterprise applications

  4. In the left-hand menu under the Security section, select Consent and permissions

  5. Open User consent settings

  6. Set User consent for applications to Do not allow user consent

  7. Click Save to apply the changes.


Backout Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Open Microsoft Entra ID

  3. Under the Manage section, select Enterprise applications

  4. Select Consent and permissions

  5. Open User consent settings

  6. Change User consent for applications to the previously allowed setting

  7. Save the changes
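The Test Plan, Implementation Steps and Backout Plan above can also be carried out against the tenant's authorization policy with Microsoft Graph PowerShell. The following is an added example, not part of this control's text or a Microsoft-supplied script: it reads the permission grant policies assigned to the default user role, reports which portal label they correspond to, and can set the "Do not allow user consent" state while returning the previous value for the backout plan. The cmdlets (Connect-MgGraph, Get-MgPolicyAuthorizationPolicy, Update-MgPolicyAuthorizationPolicy) and the Graph scopes are real; the function names and the $ConsentModes table are this example's own.

```powershell
# Added example (not from the benchmark text): audit / remediate / restore the
# Entra ID "User consent for applications" setting via Microsoft Graph.
# Assumes the Microsoft.Graph.Identity.SignIns module is installed and that
# you have connected with the scopes noted below.
#   Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.Authorization'

# Portal label -> permission grant policy IDs assigned to the default user role.
# An empty list is the "Do not allow user consent" state this control requires.
$ConsentModes = @{
    'Do not allow user consent' = @()
    'Allow user consent for apps from verified publishers, for selected permissions' =
        @('ManagePermissionGrantsForSelf.microsoft-user-default-low')
    'Allow user consent for apps' =
        @('ManagePermissionGrantsForSelf.microsoft-user-default-legacy')
}

function Get-UserConsentMode {
    # Test Plan step 6: read the current setting and say whether it is compliant.
    $policy   = Get-MgPolicyAuthorizationPolicy
    $assigned = @($policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)

    # Match the assigned IDs (order-insensitive) against the known portal labels.
    $key   = ($assigned | Sort-Object) -join ';'
    $label = 'Custom / unrecognised'
    foreach ($entry in $ConsentModes.GetEnumerator()) {
        if ((($entry.Value | Sort-Object) -join ';') -eq $key) { $label = $entry.Key; break }
    }

    [pscustomobject]@{
        PolicyIds   = $assigned
        PortalLabel = $label
        Compliant   = ($assigned.Count -eq 0)
    }
}

function Set-UserConsentDisabled {
    # Implementation step 6: set "Do not allow user consent".
    # Returns the pre-change state so it can be fed to Restore-UserConsentMode.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $before = Get-UserConsentMode
    if ($PSCmdlet.ShouldProcess('authorizationPolicy', "Set user consent to 'Do not allow user consent'")) {
        $body = @{ DefaultUserRolePermissions = @{ PermissionGrantPoliciesAssigned = @() } }
        Update-MgPolicyAuthorizationPolicy -BodyParameter $body
    }
    return $before
}

function Restore-UserConsentMode {
    # Backout step 6: put back the previously allowed policy IDs.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][AllowEmptyCollection()][string[]]$PolicyIds)

    if ($PSCmdlet.ShouldProcess('authorizationPolicy', "Restore policies: $($PolicyIds -join ', ')")) {
        $body = @{ DefaultUserRolePermissions = @{ PermissionGrantPoliciesAssigned = @($PolicyIds) } }
        Update-MgPolicyAuthorizationPolicy -BodyParameter $body
    }
}

# Usage:
#   $state = Get-UserConsentMode; $state          # audit
#   $previous = Set-UserConsentDisabled -WhatIf   # dry run, then without -WhatIf
#   Restore-UserConsentMode -PolicyIds $previous.PolicyIds   # backout
```

Run the audit function first and keep its output: the object it returns is the record the Backout Plan needs, since the portal does not show which setting was in place before the change. Both write functions support -WhatIf so the change can be previewed before it is applied.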


References: