Default Settings - Consent Policy Settings - Group owner consent for apps accessing data

Group and team owners can authorize applications, such as applications published by third-party vendors, to access your organization's data associated with a group. For example, a team owner in Microsoft Teams can allow an app to read all Teams messages in the team, or list the basic profile of a group's members.

Name: EnableGroupSpecificConsent
Control: Default Settings - Consent Policy Settings
Description: Define the consent configurations that can be used to customize the tenant-wide and object-specific restrictions and allowed behavior
Severity: High

How to fix

Details of configuration item

Recommendation: CISA SCuBA 2.7: Non-Admin Users SHALL Be Prevented From Providing Consent To Third-Party Applications.
Configuration: settings
Setting: values
Recommended Value: 'False'
Default Value: True
Graph API Docs: directorySetting resource type - Microsoft Graph beta - Microsoft Learn
Graph Explorer: Open in Graph Explorer
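
An added example (not part of the original page or of any Microsoft tooling): a Python check that audits a saved Graph beta `GET /settings` response for this configuration item. The sample response is constructed, and the code assumes that a missing "Consent Policy Settings" object or an empty value means the default stated above (True) is in effect.

```python
import json

SETTING_OBJECT = "Consent Policy Settings"   # directorySetting displayName
SETTING_NAME = "EnableGroupSpecificConsent"  # entry inside its "values" list
DEFAULT_VALUE = "True"        # default stated on this page
RECOMMENDED_VALUE = "False"   # recommended value stated on this page

# Constructed sample of a directorySetting collection (not real tenant data).
SAMPLE_RESPONSE = json.loads("""
{"value": [
  {"displayName": "Group.Unified",
   "values": [{"name": "EnableGroupCreation", "value": "true"}]},
  {"displayName": "Consent Policy Settings",
   "values": [{"name": "EnableGroupSpecificConsent", "value": "True"}]}
]}
""")


def effective_value(response):
    """Return (value, source) for the setting in a directorySetting collection."""
    for obj in response.get("value", []):
        if obj.get("displayName") != SETTING_OBJECT:
            continue
        for item in obj.get("values", []):
            if item.get("name") == SETTING_NAME:
                raw = (item.get("value") or "").strip()
                # Assumption: an empty value falls back to the default.
                return (raw or DEFAULT_VALUE, "explicit" if raw else "default")
    # Assumption: no settings object (or no entry) means the default applies.
    return DEFAULT_VALUE, "default"


def audit(response):
    """Compare the effective value with the recommended one, ignoring case."""
    value, source = effective_value(response)
    return {
        "setting": SETTING_NAME,
        "value": value,
        "source": source,
        "compliant": value.lower() == RECOMMENDED_VALUE.lower(),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_RESPONSE))
```

A tenant that has never created the settings object is reported as non-compliant, because the default value still lets group owners consent.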

MITRE ATT&CK

Tactic: TA0001 - Initial Access
Technique: T1566.002 - Phishing: Spearphishing Link; T1078 - Valid Accounts
Mitigation: M1017 - User Training; M1018 - User Account Management; M1047 - Audit