Description
- Type: CUSTOMER
- Severity: WARNING
- Protection against: Social Engineering
- CIS: M365 2.6 - (L2) Ensure user consent to apps accessing company data on their behalf is not allowed
- Fix Available: YES
This Customer Check verifies whether settings are active that prevent employees from giving consent to apps to access the Microsoft tenant.
Why this check?
Attackers use self-built web applications that deceive users to gain access to company data. Although such apps can also be very useful when working with Microsoft 365, they simultaneously pose a risk and should be limited as much as possible.
Disabling the ability for employees to give consent only applies to future new approvals. Apps that are already allowed need to be identified through other checks.
CIS Benchmarks
This measure aligns with the following item from the Center for Internet Security (CIS) Microsoft 365 Foundations Benchmark:
- CIS M365 2.6 - (L2) Ensure user consent to apps accessing company data on their behalf is not allowed
What are the possible outcomes of the check?
This check has two possible outcomes. In Attic, this is reflected as follows:
- Okay: All settings regarding user consent are configured in line with best practices
- Warning: At least one of the settings deviates from recommended best practices
How should this be followed up?
If the output is Warning, we advise adjusting the settings to best practices.
For this check, a Fix is available, which we will offer through Attic.
These are the settings configured in the fix:
- EnableGroupSpecificConsent = OFF
  Controls whether a user can give consent on behalf of a group for apps.
- BlockUserConsentForRiskyApps = ON
  Controls whether risky apps are blocked.
- PermissionGrantPolicyIdsAssignedToDefaultUserRole = ON + Specific settings
  Controls whether a user can allow apps that request data access, provided the apps are from a verified publisher AND the permissions are within the set configuration.
- UserPermissions = LIST
  List of permissions a user should be able to grant without admin approval: User.Read, Email, Openid, Profile, Offline_Access.
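As an added example (not Attic's own code and not the implementation of this check), the routine below evaluates a snapshot of a tenant's consent configuration against the fix values listed above and reports Okay or Warning with the deviations found. The snapshot is constructed and simplified: it follows the shape of the Microsoft Graph objects involved (authorizationPolicy, the Consent Policy Settings directory setting, permissionGrantPolicy) but lists permissions by name instead of ID, and reading the live values from Graph is assumed to happen elsewhere.

```python
import json

# Constructed, simplified snapshot of a tenant's consent configuration, shaped
# after the Microsoft Graph objects involved (authorizationPolicy, the
# "Consent Policy Settings" directory setting, permissionGrantPolicy). Values
# are invented for this example; permissions are listed by name for readability.
SAMPLE_TENANT = json.loads("""{
  "authorizationPolicy": {"defaultUserRolePermissions": {
      "permissionGrantPoliciesAssigned": ["ManagePermissionGrantsForSelf.custom-low-risk"]}},
  "consentPolicySettings": {"EnableGroupSpecificConsent": "true",
                            "BlockUserConsentForRiskyApps": "true"},
  "permissionGrantPolicies": {"custom-low-risk": {"includes": [
      {"permissionType": "delegated", "clientApplicationsFromVerifiedPublisherOnly": true,
       "permissions": ["User.Read", "email", "openid", "profile", "offline_access", "Mail.Read"]}]}}
}""")

# Permissions the fix lets users grant themselves without admin approval.
ALLOWED_USER_PERMISSIONS = {"user.read", "email", "openid", "profile", "offline_access"}


def evaluate_consent(tenant):
    """Compare a tenant snapshot with the fix settings; return (outcome, findings)."""
    findings = []
    settings = tenant["consentPolicySettings"]
    if settings.get("EnableGroupSpecificConsent", "false").lower() != "false":
        findings.append("EnableGroupSpecificConsent is ON, expected OFF")
    if settings.get("BlockUserConsentForRiskyApps", "false").lower() != "true":
        findings.append("BlockUserConsentForRiskyApps is OFF, expected ON")
    assigned = tenant["authorizationPolicy"]["defaultUserRolePermissions"]["permissionGrantPoliciesAssigned"]
    # An empty list means users cannot consent at all; that is stricter than the fix and not flagged.
    for entry in assigned:
        policy_id = entry.split(".", 1)[-1]  # "ManagePermissionGrantsForSelf.<policy id>"
        if policy_id == "microsoft-user-default-legacy":
            findings.append("default user role is assigned the legacy policy (consent to any app)")
            continue
        policy = tenant["permissionGrantPolicies"].get(policy_id)
        if policy is None:
            findings.append(f"assigned policy {policy_id} not found in snapshot")
            continue
        for rule in policy.get("includes", []):
            if not rule.get("clientApplicationsFromVerifiedPublisherOnly", False):
                findings.append(f"{policy_id}: rule does not require a verified publisher")
            extra = sorted(p for p in rule.get("permissions", []) if p.lower() not in ALLOWED_USER_PERMISSIONS)
            if extra:
                findings.append(f"{policy_id}: permissions beyond the allowed list: {', '.join(extra)}")
    return ("Warning" if findings else "Okay"), findings


print(evaluate_consent(SAMPLE_TENANT))
```

For the constructed snapshot the result is Warning, because group consent is still enabled and the grant policy permits Mail.Read beyond the allowed list.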