CISA.MS.AAD.5.4 - Group owners SHALL NOT be allowed to consent to applications.
Overview
Group owners SHALL NOT be allowed to consent to applications.
Rationale: In M365, group owners and team owners can consent to applications accessing data in the tenant. By requiring consent requests to go through an approval workflow, the risk of exposure to malicious applications is reduced.
Remediation action:
- In Entra under Identity and Applications, select Enterprise applications.
- Under Security, select Consent and permissions.
- Under Manage, select User consent settings.
- Under Group owner consent for apps accessing data, select Do not allow group owner consent.
- Click Save.
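The portal steps above set the tenant's "Consent Policy Settings" directory setting. The following PowerShell is an added example, not the Maester test's own code, that reads that setting from Microsoft Graph and reports whether group owner consent is disabled as MS.AAD.5.4 requires. It assumes the Microsoft.Graph.Authentication module is installed, that an existing `Connect-MgGraph` session holds a scope that can read directory settings (Directory.Read.All is assumed here), and that a missing setting object should be treated as non-compliant because the tenant default permits group owner consent.

```powershell
# Added example (not the Maester test's own code): check whether group owner
# consent to applications is disabled (CISA MS.AAD.5.4).
# Assumes Microsoft.Graph.Authentication is installed and Connect-MgGraph has
# already been run with a scope that can read directory settings
# (Directory.Read.All is assumed here).

function Test-GroupOwnerConsentDisabled {
    [CmdletBinding()]
    param ()

    # directorySetting objects are exposed on the beta Graph endpoint.
    $uri = 'https://graph.microsoft.com/beta/settings'
    $response = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject

    # The group owner consent switch lives in the "Consent Policy Settings" object.
    $consentSettings = $response.value |
        Where-Object { $_.displayName -eq 'Consent Policy Settings' }

    if (-not $consentSettings) {
        # No object means template defaults apply. Assumption: the default
        # permits group owner consent, so report this as non-compliant.
        return [pscustomobject]@{
            Compliant = $false
            Value     = $null
            Reason    = 'Consent Policy Settings object not present; tenant defaults apply.'
        }
    }

    # Setting values are returned as strings ("true"/"false"); -eq is case-insensitive.
    $value = ($consentSettings.values |
        Where-Object { $_.name -eq 'EnableGroupSpecificConsent' }).value

    $compliant = ($value -eq 'false')
    return [pscustomobject]@{
        Compliant = $compliant
        Value     = $value
        Reason    = if ($compliant) { 'Group owner consent is disabled.' }
                    else { 'Group owner consent is enabled (EnableGroupSpecificConsent is not "false").' }
    }
}

# Usage (authenticate first, then run the check):
# Connect-MgGraph -Scopes 'Directory.Read.All'
# Test-GroupOwnerConsentDisabled | Format-List
```

A `Compliant` value of `$true` corresponds to "Do not allow group owner consent" in the portal; any other value (including a missing setting object) means the remediation steps above still need to be applied.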
Related links
- Entra admin center - Consent and permissions | User consent settings
- CISA Application Registration & Consent - MS.AAD.5.4v1
- CISA ScubaGear Rego Reference
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.AAD.5.4 |
| Severity | High |
| Suite | CISA |
| Category | Entra ID Free |
| PowerShell test | Test-MtCisaAppGroupOwnerConsent |
| Tags | CISA, CISA.MS.AAD.5.4, Entra ID Free, MS.AAD, MS.AAD.5.4 |
Source
- Pester test: tests/cisa/entra/Test-MtCisaAppGroupOwnerConsent.Tests.ps1
- PowerShell source: powershell/public/cisa/entra/Test-MtCisaAppGroupOwnerConsent.ps1