Description:
The 'User consent for applications' setting in Microsoft Entra ID (formerly Azure Active Directory) defines whether users can grant third-party applications access to their data and what permissions can be consented to. When set to 'Allow user consent for apps from verified publishers, for selected permissions', it ensures that users can only consent to applications that are published by trusted and verified publishers and that they can only grant access to a predefined set of permissions.
This configuration provides a balance between security and user flexibility by allowing users to consent to certain trusted applications while limiting their ability to grant excessive or unnecessary permissions to third-party apps.
Rationale:
Configuring user consent for applications to 'Allow user consent for apps from verified publishers, for selected permissions' helps:
Improve security by ensuring that users can only grant consent to applications that are from verified publishers, reducing the risk of malicious or untrusted applications gaining access to sensitive organizational data.
Restrict the permissions granted to applications, ensuring that users only allow access to specific, necessary resources, preventing the unnecessary exposure of sensitive data.
Enhance compliance by enforcing strict access controls for applications, ensuring that only approved applications and permissions are granted by users.
Prevent data leakage by limiting the permissions granted to apps, ensuring that no unnecessary access to user or organizational data is provided.
Impact:
Setting 'User consent for applications' to 'Allow user consent for apps from verified publishers, for selected permissions' will:
Improve control over which third-party applications can access your organization's data, ensuring that only trusted, verified publishers are granted consent.
Limit user flexibility to some extent, as users will not be able to consent to apps outside of the approved publishers and permissions. However, this is a critical security measure to avoid potential data breaches.
Increase oversight over third-party app integrations by ensuring that user consent is granted only for applications that meet organizational security standards.
Default Value:
By default, Microsoft Entra ID allows users to consent to any application, whether or not the publisher is verified, unless this setting is manually adjusted.
Prerequisites:
Azure subscription with Microsoft Entra ID (Azure AD) configured.
Global Administrator or Privileged Role Administrator permissions to configure user consent settings.
A process to manage verified publishers and determine which permissions can be selected for consent.
Audit:
Sign in to the Azure portal as a Global Administrator or Privileged Role Administrator.
Navigate to Microsoft Entra ID > Enterprise Applications > Consent and permissions.
Ensure that 'User consent for applications' is set to 'Allow user consent for apps from verified publishers, for selected permissions'.
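The same audit can be scripted instead of read from the portal radio button. The example below is added here and is not part of the original guidance: it evaluates the Microsoft Graph authorizationPolicy object, whose defaultUserRolePermissions.permissionGrantPoliciesAssigned list is what the three portal options write. The built-in policy ids ManagePermissionGrantsForSelf.microsoft-user-default-legacy ('Allow user consent for all apps') and ManagePermissionGrantsForSelf.microsoft-user-default-low ('Allow user consent for apps from verified publishers, for selected permissions') are real Graph values; SAMPLE_POLICY is a constructed document so the check runs offline, and fetch_authorization_policy is only sketched for a live run with a token holding Policy.Read.All.

```python
"""Added example, not part of the original guidance: evaluate the 'User consent
for applications' setting from the Microsoft Graph authorizationPolicy object.

Assumptions (labelled): the policy dict has the shape returned by
GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy (Policy.Read.All).
SAMPLE_POLICY is constructed for offline use.
"""
import json
import urllib.request

# Built-in permission grant policies that the portal options map onto.
LEGACY_ALL_APPS = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
VERIFIED_SELECTED = "ManagePermissionGrantsForSelf.microsoft-user-default-low"
SELF_GRANT_PREFIX = "ManagePermissionGrantsForSelf."   # user-consent policies only
EXPECTED_MODE = "verified_publishers_selected_permissions"

# Constructed sample: a tenant already on the recommended setting. The
# ManagePermissionGrantsForOwnedResource entry governs Teams resource consent
# and is deliberately ignored by this control.
SAMPLE_POLICY = json.loads("""
{
  "id": "authorizationPolicy",
  "defaultUserRolePermissions": {
    "allowedToCreateApps": false,
    "permissionGrantPoliciesAssigned": [
      "ManagePermissionGrantsForSelf.microsoft-user-default-low",
      "ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-team"
    ]
  }
}
""")


def fetch_authorization_policy(access_token: str) -> dict:
    """Live fetch (not exercised offline); needs a Graph token with Policy.Read.All."""
    req = urllib.request.Request(
        "https://graph.microsoft.com/v1.0/policies/authorizationPolicy",
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def user_consent_mode(policy: dict) -> str:
    """Translate permissionGrantPoliciesAssigned into the portal's wording."""
    assigned = (policy.get("defaultUserRolePermissions") or {}).get(
        "permissionGrantPoliciesAssigned") or []
    self_grant = [p for p in assigned if p.startswith(SELF_GRANT_PREFIX)]
    if LEGACY_ALL_APPS in self_grant:
        return "allow_all_apps"        # 'Allow user consent for all apps'
    if VERIFIED_SELECTED in self_grant:
        return EXPECTED_MODE           # the recommended setting
    if not self_grant:
        return "disabled"              # 'Do not allow user consent'
    return "custom"                    # a tenant-defined grant policy


def audit_user_consent(policy: dict) -> tuple:
    """Return (compliant, message) for this control."""
    mode = user_consent_mode(policy)
    if mode == EXPECTED_MODE:
        return True, "PASS: user consent limited to verified publishers, selected permissions"
    if mode == "custom":
        # A custom policy may be stricter or looser than the built-in one;
        # it needs a manual review of the policy's includes/excludes.
        return False, "REVIEW: custom permission grant policy assigned to users"
    return False, f"FAIL: user consent mode is '{mode}'"


if __name__ == "__main__":
    print(audit_user_consent(SAMPLE_POLICY)[1])
```

Because only entries with the ManagePermissionGrantsForSelf prefix are considered, the Teams resource-specific consent policies that Microsoft assigns by default do not produce false results; a custom policy is reported for review rather than passed, since its permission set is not known to the script.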
Implementation Steps (Manual):
Sign in to the Azure portal:
Use an account with Global Administrator or Privileged Role Administrator permissions.
Navigate to Microsoft Entra ID (Azure AD):
In the Azure portal, go to Azure Active Directory.
Go to Enterprise Applications:
Under Manage, select Enterprise Applications.
Modify User Consent Settings:
In the Enterprise Applications pane, select Consent and permissions.
Find the 'User consent for applications' setting.
Set the option to 'Allow user consent for apps from verified publishers, for selected permissions'.
Save the Configuration:
After setting the option to 'Allow user consent for apps from verified publishers, for selected permissions', click Save to apply the changes.
Verify the Setting:
After saving, verify that users can only consent to applications that are from verified publishers and have predefined, acceptable permissions.
Perform a test by attempting to grant consent to a third-party application. The process should only be allowed if the application is from a verified publisher and the permissions are within the predefined set.
Monitor User Consent Requests:
Use the Microsoft Entra ID (Azure AD) audit logs to monitor user consent events and confirm that users are only consenting to applications that meet the verified publisher and selected permission criteria.
Test the Configuration:
Test the configuration by attempting, as a standard user, to grant consent to an application from an unverified publisher or to one requesting permissions outside the selected set. The request should be blocked.
Communicate to Users:
Inform users that they will now be restricted to granting consent only for applications from verified publishers with predefined permissions. Ensure they understand the policy change and how it affects their ability to use third-party apps.
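For the 'Monitor User Consent Requests' step, the following is an added example (not part of the original guidance) of reviewing 'Consent to application' audit events rather than reading them one by one in the portal. It assumes records shaped like items from the Microsoft Graph directoryAudits endpoint (AuditLog.Read.All); the three SAMPLE_RECORDS are constructed, the newValue format of ConsentAction.Permissions is simplified and should be checked against real records before the regex is trusted, and SELECTED_PERMISSIONS is a placeholder for whatever scopes the tenant's low-risk grant policy actually allows.

```python
"""Added example, not part of the original guidance: flag user consent events
that granted scopes outside the tenant's selected-permissions set.

Assumptions (labelled): records have the shape of items returned by
GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits
  ?$filter=activityDisplayName eq 'Consent to application'
SAMPLE_RECORDS is constructed. The ConsentAction.Permissions value format is
simplified here; verify it against real records. SELECTED_PERMISSIONS is a
placeholder for the tenant's own low-risk scope set.
"""
import json
import re

# Assumption: scopes the tenant lets users consent to on their own.
SELECTED_PERMISSIONS = {"openid", "profile", "email", "offline_access", "User.Read"}

# Constructed sample: one in-policy user consent, one out-of-policy user
# consent, one admin consent (out of scope for this control).
SAMPLE_RECORDS = json.loads(r"""
[
  {"id": "constructed-1", "activityDisplayName": "Consent to application",
   "category": "ApplicationManagement", "result": "success",
   "activityDateTime": "2024-01-10T09:12:00Z",
   "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
   "targetResources": [{"displayName": "Example Notes App", "modifiedProperties": [
     {"displayName": "ConsentContext.IsAdminConsent", "newValue": "\"False\""},
     {"displayName": "ConsentAction.Permissions",
      "newValue": "\"[] => [[Id: 1, ClientId: app-1, Scope: User.Read openid profile]]\""}]}]},
  {"id": "constructed-2", "activityDisplayName": "Consent to application",
   "category": "ApplicationManagement", "result": "success",
   "activityDateTime": "2024-01-10T10:30:00Z",
   "initiatedBy": {"user": {"userPrincipalName": "bob@example.com"}},
   "targetResources": [{"displayName": "Example Mail Helper", "modifiedProperties": [
     {"displayName": "ConsentContext.IsAdminConsent", "newValue": "\"False\""},
     {"displayName": "ConsentAction.Permissions",
      "newValue": "\"[] => [[Id: 2, ClientId: app-2, Scope: Mail.ReadWrite Files.ReadWrite.All]]\""}]}]},
  {"id": "constructed-3", "activityDisplayName": "Consent to application",
   "category": "ApplicationManagement", "result": "success",
   "activityDateTime": "2024-01-11T08:00:00Z",
   "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
   "targetResources": [{"displayName": "Example HR Connector", "modifiedProperties": [
     {"displayName": "ConsentContext.IsAdminConsent", "newValue": "\"True\""},
     {"displayName": "ConsentAction.Permissions",
      "newValue": "\"[] => [[Id: 3, ClientId: app-3, Scope: User.Read.All]]\""}]}]}
]
""")


def _modified_property(record: dict, name: str):
    """Decoded newValue of the named modifiedProperties entry, or None."""
    for target in record.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            if prop.get("displayName") == name:
                raw = prop.get("newValue")
                try:
                    return json.loads(raw)   # Graph wraps values as JSON strings
                except (TypeError, ValueError):
                    return raw
    return None


def granted_scopes(record: dict) -> set:
    """Scopes named after 'Scope:' in the ConsentAction.Permissions value."""
    value = _modified_property(record, "ConsentAction.Permissions") or ""
    scopes = set()
    for chunk in re.findall(r"Scope:\s*([^\],]+)", str(value)):
        scopes.update(chunk.split())
    return scopes


def consent_findings(records, allowed=SELECTED_PERMISSIONS) -> list:
    """One finding per successful user (non-admin) consent, flagged if any
    granted scope is outside the allowed set."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") != "Consent to application":
            continue
        if rec.get("result") != "success":
            continue
        if str(_modified_property(rec, "ConsentContext.IsAdminConsent")).lower() == "true":
            continue   # admin consent is governed by a separate process
        scopes = granted_scopes(rec)
        unexpected = scopes - set(allowed)
        user = ((rec.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName")
        targets = rec.get("targetResources") or [{}]
        findings.append({
            "time": rec.get("activityDateTime"),
            "user": user,
            "app": targets[0].get("displayName"),
            "scopes": sorted(scopes),
            "unexpected_scopes": sorted(unexpected),
            "outside_policy": bool(unexpected),
        })
    return findings


if __name__ == "__main__":
    for f in consent_findings(SAMPLE_RECORDS):
        if f["outside_policy"]:
            print(f"{f['time']} {f['user']} -> {f['app']}: {f['unexpected_scopes']}")
```

Once the setting is enforced, a successful user consent with scopes outside the selected set should no longer occur, so any such finding points at a grant made before the change, at a tenant whose setting has drifted back, or at a scope missing from the placeholder set; each is worth a look rather than an assumption.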
Backout Plan (Manual):
Sign in to the Azure portal:
Use an account with Global Administrator or Privileged Role Administrator permissions.
Navigate to Microsoft Entra ID (Azure AD):
Go to Azure Active Directory > Enterprise Applications > Consent and permissions.
Revert the User Consent Setting:
In Consent and permissions, change the 'User consent for applications' setting back to 'Allow user consent for all apps' to allow broader user consent without publisher or permission restrictions.
Save the Configuration:
Click Save to apply the changes.
Test the Reverted Configuration:
Perform a test by attempting to grant consent to any application without restrictions. The process should now be allowed for all applications.
Monitor the Reversion:
Use the Microsoft Entra ID (Azure AD) audit logs to confirm that the reverted setting is in effect and that users can once again grant consent to any application.