Skip to main content

Version: 1.3.126 (preview)

Default Authorization Settings - Allow user consent on risk-based apps

Indicates whether user consent for risky apps is allowed. For example, consent requests for newly registered multi-tenant apps that are not publisher verified and require non-basic permissions are considered risky.


Name	allowUserConsentForRiskyApps
Control	Default Authorization Settings
Description	Manages authorization settings in Entra ID (Azure AD)
Severity	High

How to fix

Details of configuration item


Recommendation	Configure risk-based step-up consent - Microsoft Entra ID - Microsoft Learn
Configuration	policies/authorizationPolicy
Setting	`allowUserConsentForRiskyApps`
Recommended Value	'false'
Default Value	false
Graph API Docs	authorizationPolicy resource type - Microsoft Graph v1.0 - Microsoft Learn
Graph Explorer	Open in Graph Explorer

MITRE ATT&CK

Tactic	Technique	Mitigation
TA0001 - Initial Access - Initial Access TA0005 - Defense Evasion - Defense Evasion TA0006 - Credential Access - Credential Access TA0008 - Lateral Movement - Lateral Movement	T1566.002 - Phishing: Spearphishing Link T1078 - Valid Accounts T1550 - Use Alternate Authentication Material T1528 - Steal Application Access Token	M1017 - User Training M1018 - User Account Management

How to fix
- Details of configuration item
MITRE ATT&CK