Version: 2.1.1-preview

CIS.M365.5.1.5.2 - Ensure the admin consent workflow is enabled

Overview

5.1.5.2 (L1) Ensure the admin consent workflow is enabled

The admin consent workflow gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer takes action on the request, and the user is notified of the action.

Rationale

The admin consent workflow (Preview) gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer acts on the request, and the user is notified of the action.

Impact

To approve requests, a reviewer must be a global administrator, cloud application administrator, or application administrator. The reviewer must already have one of these admin roles assigned; simply designating them as a reviewer doesn't elevate their privileges.

Remediation action:

  1. Navigate to the Microsoft Entra admin center.
  2. Under Entra ID, select Enterprise apps.
  3. Under Security, select Consent and permissions.
  4. Under Manage, select Admin consent settings.
  5. Set "Users can request admin consent to apps they are unable to consent to" to Yes.
  6. Click Save.
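The same state can be verified programmatically. The following is an added example, not the page's own Test-MtCisAdminConsentWorkflowEnabled code: it reads the tenant's adminConsentRequestPolicy through Microsoft Graph and reports whether the workflow is enabled and actually has reviewers to route requests to. It assumes the Microsoft.Graph.Authentication module is installed and a session with the Policy.Read.All permission has already been opened with Connect-MgGraph.

```powershell
# Added example (not Maester's own code). Assumes Microsoft.Graph.Authentication
# is installed and Connect-MgGraph -Scopes 'Policy.Read.All' has already run.
function Test-AdminConsentWorkflowEnabled {
    [CmdletBinding()]
    param(
        [string]$Uri = 'https://graph.microsoft.com/v1.0/policies/adminConsentRequestPolicy'
    )

    # Return a PSObject rather than the default hashtable for readable property access.
    $policy = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject

    $findings = [System.Collections.Generic.List[string]]::new()

    # The control itself: users must be able to request admin consent.
    if (-not $policy.isEnabled) {
        $findings.Add('Admin consent workflow is disabled (isEnabled = false).')
    }

    # An enabled workflow with no reviewers has nowhere to send requests.
    if (@($policy.reviewers).Count -eq 0) {
        $findings.Add('No reviewers are configured; requests would have no recipient.')
    }

    # Reviewers who are not emailed only see requests if they poll the portal.
    if ($policy.isEnabled -and -not $policy.notifyReviewers) {
        $findings.Add('Reviewer email notifications are off (notifyReviewers = false).')
    }

    [pscustomobject]@{
        TestId        = 'CIS.M365.5.1.5.2'
        Passed        = ($findings.Count -eq 0)
        IsEnabled     = [bool]$policy.isEnabled
        ReviewerCount = @($policy.reviewers).Count
        Findings      = $findings
    }
}

$result = Test-AdminConsentWorkflowEnabled
if ($result.Passed) {
    Write-Host "PASS: admin consent workflow enabled with $($result.ReviewerCount) reviewer(s)."
} else {
    $result.Findings | ForEach-Object { Write-Warning $_ }
}
```

The reviewer and notification checks go slightly beyond the benchmark wording, which only requires the setting to be Yes; they catch a workflow that is switched on but cannot deliver requests to anyone.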

Test Metadata

Field: Value

  • Test ID: CIS.M365.5.1.5.2
  • Severity: Unknown
  • Suite: CIS
  • Category: CIS E3 Level 1
  • PowerShell test: Test-MtCisAdminConsentWorkflowEnabled
  • Tags: CIS, CIS E3, CIS E3 Level 1, CIS E5, CIS E5 Level 1, CIS M365 v6.0.1, CIS.M365.5.1.5.2, L1, Security

Source

  • Pester test: tests/cis/Test-MtCisAdminConsentWorkflowEnabled.Tests.ps1
  • PowerShell source: powershell/public/cis/Test-MtCisAdminConsentWorkflowEnabled.ps1