Description:

The User consent for applications setting in Azure Active Directory (Azure AD) controls whether users can grant permissions to applications requesting access to organizational data. Setting it to “Allow for verified publishers” ensures that users can consent only to applications that are verified by Microsoft or have a trusted publisher. Unverified apps require admin approval.


Rationale:

  • Mitigates risk of data exposure: Only verified applications can receive delegated access, reducing the chance of malicious or rogue apps compromising corporate data.

  • Enforces least privilege: Users cannot inadvertently grant excessive permissions to untrusted apps.

  • Compliance alignment: Supports frameworks such as ISO 27001, NIST 800-53, SOC 2, and GDPR, which require strict access management and controlled access to third-party applications.


Impact:

  • Improves security posture by limiting app consent to verified publishers.

  • Reduces exposure to phishing, malware, or malicious third-party apps.

  • Enhances visibility and governance of application permissions.


Default Value:

  • By default, Azure AD tenants may allow users to consent to all applications.


Test Plan:

  1. Log in to the Azure Portal.

  2. Search for Microsoft Entra (this replaces the old Azure AD label).

  3. In the left-hand menu under the Manage section, select Enterprise Applications.

  4. In the left-hand menu under the Security section, select Consent and Permissions.

  5. Check whether Allow user consent for apps from verified publishers, for selected permissions, is enabled or disabled.

  6. If it is disabled, follow the implementation steps.
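The portal check above can also be done against the tenant's authorization policy as returned by Microsoft Graph (GET /policies/authorizationPolicy). The following Python is an added example, not part of the original guide: it classifies the user consent setting from the permissionGrantPoliciesAssigned list, using the built-in policy IDs for "all apps" and "verified publishers, selected permissions"; the sample policy objects are constructed here, and any combination it does not recognise is reported as "other" for manual review.

```python
"""Classify the Entra ID user-consent setting from an authorizationPolicy object."""
import json

# Built-in permission grant policies that the portal radio buttons map to.
SELF_PREFIX = "ManagePermissionGrantsForSelf."
ALL_APPS = SELF_PREFIX + "microsoft-user-default-legacy"     # "Allow user consent for apps"
VERIFIED = SELF_PREFIX + "microsoft-user-default-low"        # verified publishers, selected permissions


def classify_user_consent(policy: dict) -> str:
    """Return 'all-apps', 'verified-publishers', 'disabled' or 'other'."""
    assigned = (policy.get("defaultUserRolePermissions", {})
                      .get("permissionGrantPoliciesAssigned", []))
    # Only the ManagePermissionGrantsForSelf.* entries govern user consent;
    # ManagePermissionGrantsForOwnedResource.* entries (team/chat apps) are ignored here.
    self_policies = [p for p in assigned if p.startswith(SELF_PREFIX)]
    if ALL_APPS in self_policies:
        return "all-apps"              # weakest setting: any user may consent to any app
    if self_policies == [VERIFIED]:
        return "verified-publishers"   # the setting this control requires
    if not self_policies:
        return "disabled"              # admin consent required for every app
    return "other"                     # tenant-defined or unrecognised policy: review manually


def is_compliant(policy: dict) -> bool:
    return classify_user_consent(policy) == "verified-publishers"


def check_export(json_text: str) -> str:
    """Classify a saved Graph response (e.g. the body of GET /policies/authorizationPolicy)."""
    return classify_user_consent(json.loads(json_text))


# Constructed sample responses, trimmed to the field that matters.
SAMPLE_VERIFIED = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [
    VERIFIED,
    "ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-team"]}}
SAMPLE_ALL_APPS = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [ALL_APPS]}}
SAMPLE_DISABLED = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": []}}

if __name__ == "__main__":
    for name, sample in [("verified", SAMPLE_VERIFIED), ("all-apps", SAMPLE_ALL_APPS),
                         ("disabled", SAMPLE_DISABLED)]:
        print(f"{name}: {classify_user_consent(sample)} compliant={is_compliant(sample)}")
```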

Implementation Steps:

  1. Log in to the Azure Portal.

  2. Search for Microsoft Entra (this replaces the old Azure AD label).

  3. In the left-hand menu under the Manage section, select Enterprise Applications.

  4. In the left-hand menu under the Security section, select Consent and Permissions.

  5. Enable Allow user consent for apps from verified publishers, for selected permissions.

  6. Save the changes.


BackOut Plan:

  1. Log in to the Azure Portal.

  2. Search for Microsoft Entra (this replaces the old Azure AD label).

  3. In the left-hand menu under the Manage section, select Enterprise Applications.

  4. In the left-hand menu under the Security section, select Consent and Permissions.

  5. Change Allow user consent for apps from verified publishers, for selected permissions, to Let Microsoft manage your consent settings (Recommended).

  6. Save the changes.


Reference: