CISA.MS.AAD.5.2 - Only administrators SHALL be allowed to consent to applications.
Overview
Only administrators SHALL be allowed to consent to applications.
Rationale: Limiting application consent to specific privileged users reduces the risk of users granting insecure or malicious applications access to their data through consent grant attacks (illicit consent grants).
Remediation action:
- In the Entra admin center, under Identity > Applications, select Enterprise applications.
- Under Security, select Consent and permissions.
- Under Manage, select User consent settings.
- Under User consent for applications, select Do not allow user consent.
- Click Save.
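The same setting can be checked and applied from PowerShell. The script below is an added example, not part of this page, the Maester project, or the Test-MtCisaAppUserConsent test; it uses the Microsoft Graph PowerShell SDK to read the tenant authorization policy, reports the user-consent grant policies that are still assigned, and with `-Remediate` applies the equivalent of "Do not allow user consent". It assumes the Microsoft.Graph.Identity.SignIns module is installed, that the caller holds `Policy.Read.All` (or `Policy.ReadWrite.Authorization` to remediate), and that the built-in user self-consent policies are those whose ID starts with `ManagePermissionGrantsForSelf.`; the `-Remediate` switch and the variable names are this example's own.

```powershell
# Added example: check (and optionally enforce) CISA MS.AAD.5.2 via Microsoft Graph.
# Not part of the Maester page or test; see the lead-in for the assumptions it makes.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate   # hypothetical switch defined by this example
)

Import-Module Microsoft.Graph.Identity.SignIns -ErrorAction Stop

# Least privilege: only request write scope when we intend to change the policy.
$scopes = if ($Remediate) { 'Policy.ReadWrite.Authorization' } else { 'Policy.Read.All' }
Connect-MgGraph -Scopes $scopes -NoWelcome

$policy   = Get-MgPolicyAuthorizationPolicy
$assigned = @($policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)

# Assumption: ManagePermissionGrantsForSelf.* entries (e.g. microsoft-user-default-low,
# microsoft-user-default-legacy) are what let ordinary users consent on their own behalf.
# Other entries (e.g. ManagePermissionGrantsForOwnedResource.* used by Teams) are not
# user consent and are left untouched.
$userConsent = @($assigned | Where-Object { $_ -like 'ManagePermissionGrantsForSelf.*' })
$other       = @($assigned | Where-Object { $_ -notlike 'ManagePermissionGrantsForSelf.*' })

if ($userConsent.Count -eq 0) {
    Write-Output 'PASS: user consent is disabled (no ManagePermissionGrantsForSelf.* policy assigned).'
    Disconnect-MgGraph | Out-Null
    return
}

Write-Warning "FAIL: users can consent to applications via: $($userConsent -join ', ')"

if ($Remediate -and $PSCmdlet.ShouldProcess('policies/authorizationPolicy', 'Remove user consent grant policies')) {
    # Equivalent of "Do not allow user consent" in the admin center: keep only the
    # non-user-consent entries, which in most tenants leaves an empty array.
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
        PermissionGrantPoliciesAssigned = $other
    }

    # Re-read the policy so the change is verified rather than assumed.
    $after = @((Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
    Write-Output "Now assigned: $(if ($after.Count) { $after -join ', ' } else { '<none>' })"
}

Disconnect-MgGraph | Out-Null
```

Run it without arguments to audit, or with `-Remediate -WhatIf` to see what would change before applying. Note that once user consent is disabled, users who need an application are blocked unless the admin consent workflow (the subject of CISA MS.AAD.5.3) gives them a path to request approval.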
Related links
- Entra admin center - Consent and permissions | User consent settings
- CISA Application Registration & Consent - MS.AAD.5.2v1
- CISA ScubaGear Rego Reference
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.AAD.5.2 |
| Severity | High |
| Suite | CISA |
| Category | Entra ID Free |
| PowerShell test | Test-MtCisaAppUserConsent |
| Tags | CISA, CISA.MS.AAD.5.2, Entra ID Free, MS.AAD, MS.AAD.5.2 |
Source
- Pester test: tests/cisa/entra/Test-MtCisaAppUserConsent.Tests.ps1
- PowerShell source: powershell/public/cisa/entra/Test-MtCisaAppUserConsent.ps1