CIS.M365.5.1.5.1 - Ensure user consent to apps accessing company data on their behalf is not allowed
Overview
5.1.5.1 (L2) Ensure user consent to apps accessing company data on their behalf is not allowed
Control when end users and group owners are allowed to grant consent to applications, and when they will be required to request administrator review and approval. Allowing users to grant apps access to data helps them acquire useful applications and be productive but can represent a risk in some situations if it's not monitored and controlled carefully.
Rationale
Attackers commonly use custom applications to trick users into granting them access to company data. Restricting user consent mitigates this risk and helps to reduce the threat surface.
Impact
If user consent is disabled, previous consent grants will still be honored but all future consent operations must be performed by an administrator. Tenant-wide admin consent can be requested by users through an integrated administrator consent request workflow or through organizational support processes.
Remediation action:
- Navigate to Microsoft 365 Entra admin center.
- Click to expand Entra ID and select Enterprise apps.
- Under Security select Consent and permissions > User consent settings.
- Under User consent for applications select Do not allow user consent.
- Click the Save option at the top of the window.
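The portal steps above can be verified (and, if wanted, enforced) against the same setting over Microsoft Graph. The following is an added example, not Maester's own test; it assumes the Microsoft.Graph.Authentication module, a session with `Policy.Read.All` (plus `Policy.ReadWrite.Authorization` for `-Remediate`), and a constructed sample policy for the offline run at the end.

```powershell
# Added example (not Maester's Test-MtCisEnsureUserConsentToAppsDisallowed): audit, and optionally
# enforce, the "User consent for applications" setting through Microsoft Graph.
# Assumes Microsoft.Graph.Authentication and a session opened with
#   Connect-MgGraph -Scopes 'Policy.Read.All'   (Policy.ReadWrite.Authorization when using -Remediate)
function Test-UserConsentDisallowed {
    [CmdletBinding()]
    param(
        # Authorization policy object; fetched from Graph when omitted. Supplying one (e.g. in a
        # Pester test) lets the evaluation run offline without a tenant.
        [Parameter()] $AuthorizationPolicy,
        # Remove the user-consent grant policies when the check fails (needs the write scope).
        [switch] $Remediate
    )
    $uri = 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'
    if (-not $AuthorizationPolicy) {
        $AuthorizationPolicy = Invoke-MgGraphRequest -Method GET -Uri $uri
    }
    # Entra stores the portal choice as the permission grant policies assigned to the default
    # user role. "Do not allow user consent" means no ManagePermissionGrantsForSelf.* entry.
    # ManagePermissionGrantsForOwnedResource.* entries govern group-owner consent (a separate
    # control) and are deliberately left untouched.
    $assigned   = @($AuthorizationPolicy.defaultUserRolePermissions.permissionGrantPoliciesAssigned | Where-Object { $_ })
    $selfGrants = @($assigned | Where-Object { $_ -like 'ManagePermissionGrantsForSelf.*' })
    $remediated = $false
    if ($selfGrants.Count -gt 0 -and $Remediate) {
        # PATCH replaces the whole list, so write back everything except the user-consent entries.
        $kept = @($assigned | Where-Object { $_ -notlike 'ManagePermissionGrantsForSelf.*' })
        $body = @{ defaultUserRolePermissions = @{ permissionGrantPoliciesAssigned = $kept } }
        Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body | Out-Null
        $remediated = $true
    }
    [pscustomobject]@{
        Passed            = ($selfGrants.Count -eq 0)   # control satisfied as found
        Remediated        = $remediated
        UserConsentGrants = $selfGrants                 # the entries that fail the control
        AssignedPolicies  = $assigned
    }
}

# Constructed sample: a tenant still on the legacy "allow user consent for all apps" setting.
$sample = @{
    defaultUserRolePermissions = @{
        permissionGrantPoliciesAssigned = @(
            'ManagePermissionGrantsForSelf.microsoft-user-default-legacy',
            'ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-team'
        )
    }
}
Test-UserConsentDisallowed -AuthorizationPolicy $sample
```

Run without `-AuthorizationPolicy` to evaluate the signed-in tenant; the returned `UserConsentGrants` lists exactly which grant policies need to go for the control to pass.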
Related links
- Microsoft 365 Entra admin center
- Configure how users consent to applications
- CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 211
Test Metadata
| Field | Value |
|---|---|
| Test ID | CIS.M365.5.1.5.1 |
| Severity | Unknown |
| Suite | CIS |
| Category | CIS E3 Level 2 |
| PowerShell test | Test-MtCisEnsureUserConsentToAppsDisallowed |
| Tags | CIS, CIS E3, CIS E3 Level 2, CIS E5, CIS E5 Level 2, CIS M365 v6.0.1, CIS.M365.5.1.5.1, L2, Security |
Source
- Pester test: tests/cis/Test-MtCisEnsureUserConsentToAppsDisallowed.Tests.ps1
- PowerShell source: powershell/public/cis/Test-MtCisEnsureUserConsentToAppsDisallowed.ps1