# CISA.MS.AAD.5.3 - An admin consent workflow SHALL be configured for applications.

## Overview
An admin consent workflow SHALL be configured for applications.
Rationale: Configuring an admin consent workflow reduces the risk of the previous policy by setting up a process for users to securely request access to applications necessary for business purposes. Administrators have the opportunity to review the permissions requested by new applications and approve or deny access based on a risk assessment.
## Remediation action
- In Entra create a new Group that contains admin users responsible for reviewing and adjudicating application consent requests. Group members will be notified when users request consent for new applications.
- Then in Entra under Identity and Applications, select Enterprise applications.
- Under Security, select Consent and permissions.
- Under Manage, select Admin consent settings.
- Under Admin consent requests, set Users can request admin consent to apps they are unable to consent to to Yes.
- Under Who can review admin consent requests, select + Add groups and select the group responsible for reviewing and adjudicating app requests (created in step one above).
- Click Save.
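The portal steps above write to a single Microsoft Graph resource, `policies/adminConsentRequestPolicy`. The following PowerShell is an added example (it is not Maester's `Test-MtCisaAppAdminConsent`, nor ScubaGear's Rego) that reads that resource, checks the three things the steps are meant to produce (requests enabled, a reviewer group assigned, reviewers notified), and applies the same settings through Graph. The function names, the placeholder group id and the two sample policy objects are assumptions constructed for the example; the live calls assume the Microsoft.Graph SDK and a prior `Connect-MgGraph` with `Policy.Read.All` (read) or `Policy.ReadWrite.ConsentRequest` (write).

```powershell
# Added example: evaluate and apply the admin consent workflow via Microsoft Graph.
# Not Maester or CISA code. Requires the Microsoft.Graph PowerShell SDK for the live calls.

function Test-AdminConsentWorkflow {
    # Evaluates an object shaped like GET /policies/adminConsentRequestPolicy and
    # returns Compliant (bool), the reasons it failed, and the configured reviewers.
    param([Parameter(Mandatory)] $Policy)

    $reasons = [System.Collections.Generic.List[string]]::new()

    if (-not $Policy.isEnabled) {
        $reasons.Add('Users cannot request admin consent (isEnabled is false).')
    }

    $reviewers = @($Policy.reviewers)
    if ($reviewers.Count -eq 0) {
        $reasons.Add('No reviewers are assigned, so nobody would adjudicate requests.')
    }

    # The remediation assigns a group; Graph represents a group reviewer as a
    # "/groups/{id}/transitiveMembers" query. User-only reviewer lists go stale.
    $groupReviewers = @($reviewers | Where-Object { $_.query -like '/groups/*' })
    if ($reviewers.Count -gt 0 -and $groupReviewers.Count -eq 0) {
        $reasons.Add('Reviewers are individual users only; assign a group instead.')
    }

    if (-not $Policy.notifyReviewers) {
        $reasons.Add('Reviewers are not notified of new requests.')
    }

    [pscustomobject]@{
        Compliant = ($reasons.Count -eq 0)
        Reasons   = $reasons.ToArray()
        Reviewers = @($reviewers | ForEach-Object { $_.query })
    }
}

function Get-LiveAdminConsentPolicy {
    # Live read of the tenant policy. Run Connect-MgGraph -Scopes 'Policy.Read.All' first.
    Invoke-MgGraphRequest -Method GET `
        -Uri 'https://graph.microsoft.com/v1.0/policies/adminConsentRequestPolicy'
}

function Set-AdminConsentWorkflow {
    # Applies the settings from the remediation steps. Graph replaces the whole policy
    # on PUT, so every property is supplied. Needs Policy.ReadWrite.ConsentRequest.
    param([Parameter(Mandatory)][string] $ReviewerGroupId)

    $body = @{
        isEnabled             = $true   # "Users can request admin consent..." = Yes
        notifyReviewers       = $true   # group members are emailed on new requests
        remindersEnabled      = $true
        requestDurationInDays = 30      # request expiry; 30 is the portal default
        reviewers             = @(
            @{ query = "/groups/$ReviewerGroupId/transitiveMembers"; queryType = 'MicrosoftGraph' }
        )
    }
    Invoke-MgGraphRequest -Method PUT `
        -Uri 'https://graph.microsoft.com/v1.0/policies/adminConsentRequestPolicy' -Body $body
}

# Constructed sample responses (not captured from a real tenant) so the check runs offline.
$nonCompliant = @{
    isEnabled = $false; notifyReviewers = $false; remindersEnabled = $false
    requestDurationInDays = 30; reviewers = @()
}
$compliant = @{
    isEnabled = $true; notifyReviewers = $true; remindersEnabled = $true
    requestDurationInDays = 30
    reviewers = @(@{ query = '/groups/00000000-0000-0000-0000-000000000000/transitiveMembers'
                     queryType = 'MicrosoftGraph' })
}

Test-AdminConsentWorkflow -Policy $nonCompliant | Format-List   # Compliant: False, three reasons
Test-AdminConsentWorkflow -Policy $compliant    | Format-List   # Compliant: True

# Against a real tenant, after Connect-MgGraph:
#   Test-AdminConsentWorkflow -Policy (Get-LiveAdminConsentPolicy)
#   Set-AdminConsentWorkflow -ReviewerGroupId '<reviewer group object id>'
```

`Set-AdminConsentWorkflow` is deliberately separate from the check so the read-only path can be run with the least-privilege `Policy.Read.All` scope; the write path is only needed once, when the tenant fails the check.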
## Related links
- Entra admin center - Consent and permissions | Admin consent settings
- CISA Application Registration & Consent - MS.AAD.5.3v1
- CISA ScubaGear Rego Reference
## Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.AAD.5.3 |
| Severity | High |
| Suite | CISA |
| Category | Entra ID Free |
| PowerShell test | Test-MtCisaAppAdminConsent |
| Tags | CISA, CISA.MS.AAD.5.3, Entra ID Free, MS.AAD, MS.AAD.5.3 |
## Source

- Pester test: tests/cisa/entra/Test-MtCisaAppAdminConsent.Tests.ps1
- PowerShell source: powershell/public/cisa/entra/Test-MtCisaAppAdminConsent.ps1