Skip to main content

Default Authorization Settings - Risk-based step-up consent

Indicates whether user consent for risky apps is allowed. For example, consent requests for newly registered multi-tenant apps that are not publisher verified and require non-basic permissions are considered risky.


Name	allowUserConsentForRiskyApps
Control	Default Authorization Settings
Description	Manages authorization settings in Azure AD
Severity	High

How to fix

Details of configuration item


Recommendation	Configure risk-based step-up consent - Microsoft Entra ID - Microsoft Learn
Configuration	policies/authorizationPolicy
Setting	`allowUserConsentForRiskyApps`
Recommended Value	'false'
Default Value	false
Graph API Docs	authorizationPolicy resource type - Microsoft Graph v1.0 - Microsoft Learn
Graph Explorer	Open in Graph Explorer

MITRE ATT&CK

Tactic	Technique	Mitigation
TA0001 - Initial Access - Initial Access TA0005 - Defense Evasion - Defense Evasion TA0006 - Credential Access - Credential Access TA0008 - Lateral Movement - Lateral Movement	T1566.002 - Phishing: Spearphishing Link T1078 - Valid Accounts T1550 - Use Alternate Authentication Material T1528 - Steal Application Access Token	M1017 - User Training M1018 - User Account Management

How to fix
- Details of configuration item
MITRE ATT&CK