rules/findings/EntraID/Applications/CIS3.0/eid-users-can-consent-apps-data-access.json
{
"args": [ ], "provider": "EntraID", "serviceType": "General", "serviceName": "Microsoft Entra ID", "displayName": "Ensure \u0027User consent for applications\u0027 is set to \u0027Do not allow user consent\u0027", "description": "Require administrators to provide consent for applications before use.", "rationale": "If Microsoft Entra ID is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.", "impact": "Enforcing this setting may create additional requests that administrators need to review.", "remediation": { "text": "###### From Azure Console\r\n\t\t\t\t\t\t1. Go to `Microsoft Entra ID`\r\n\t\t\t\t\t\t2. Go to `Users`\r\n\t\t\t\t\t\t3. Go to `User settings`\r\n\t\t\t\t\t\t4. Click on `Manage how end users launch and view their applications`\r\n\t\t\t\t\t\t5. Set `Users can consent to apps accessing company data on their behalf` to `No`", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups", "https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added", "https://ezcloudinfo.com/2019/01/22/configure-access-panel-in-azure-active-directory/", "https://blogs.msdn.microsoft.com/exchangedev/2014/06/05/managing-user-consent-for-applications-using-office-365-apis/", "https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx", "https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent#configure-user-consent-to-applications", "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users", 
"https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems", "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy", "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy" ], "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "3.0.0", "reference": "2.12", "profile": "Level 1" } ], "level": "medium", "tags": [ ], "rule": { "path": "aad_authorization_policy", "subPath": null, "selectCondition": { }, "query": [ { "filter": [ { "conditions": [ [ "tenantAuthPolicy.defaultUserRolePermissions.permissionGrantPoliciesAssigned", "match", "ManagePermissionGrantsForSelf.microsoft-user-default-legacy" ], [ "tenantAuthPolicy.defaultUserRolePermissions.permissionGrantPoliciesAssigned", "match", "ManagePermissionGrantsForSelf.microsoft-user-default-low" ] ], "operator": "or" } ] } ], "shouldExist": null, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { "tenantAuthPolicy.allowInvitesFrom": "Allow Invites From", "tenantAuthPolicy.blockMsolPowerShell": "Block MSOL PowerShell", "tenantAuthPolicy.defaultUserRolePermissions.permissionGrantPoliciesAssigned": "User consent for applications" }, "expandObject": null }, "table": "asList", "decorate": [ ], "emphasis": [ "User consent for applications" ], "actions": { "objectData": { "properties": [ ], "expandObject": null, "limit": null }, "showGoToButton": null, "showModalButton": null, "directLink": null } }, "text": { "data": { "properties": { "tenantAuthPolicy":"tenantAuthPolicy" }, "expandObject": null }, "status": { "keyName": [ ], "message": "Users can consent to apps accessing company data on their behalf", "defaultMessage": null }, "properties": { "resourceName": 
"tenantAuthPolicy.displayName", "resourceId": "tenantAuthPolicyId", "resourceType": "EntraAuthorizationPolicy" }, "onlyStatus": false } }, "idSuffix": "aad_require_admin_consent_apps", "notes": [ ], "categories": [ ], "immutable_properties": [ "tenantAuthPolicyId" ], "id": "entraid_1102" } |