Skip to main content

Default Authorization Settings - Risk-based step-up consent

Indicates whether user consent for risky apps is allowed. For example, consent requests for newly registered multi-tenant apps that are not publisher verified and require non-basic permissions are considered risky.

NameallowUserConsentForRiskyApps
ControlDefault Authorization Settings
DescriptionManages authorization settings in Azure AD
SeverityHigh

How to fix

Details of configuration item

RecommendationConfigure risk-based step-up consent - Microsoft Entra ID - Microsoft Learn
Configurationpolicies/authorizationPolicy
SettingallowUserConsentForRiskyApps
Recommended Value'false'
Default Valuefalse
Graph API DocsauthorizationPolicy resource type - Microsoft Graph v1.0 - Microsoft Learn
Graph ExplorerOpen in Graph Explorer

MITRE ATT&CK

TacticTechniqueMitigation
TA0001 - Initial Access - Initial Access
TA0005 - Defense Evasion - Defense Evasion
TA0006 - Credential Access - Credential Access
TA0008 - Lateral Movement - Lateral Movement
T1566.002 - Phishing: Spearphishing Link
T1078 - Valid Accounts
T1550 - Use Alternate Authentication Material
T1528 - Steal Application Access Token
M1017 - User Training
M1018 - User Account Management