Ensure that only Microsoft Azure Active Directory (AD) administrators can consent to third-party multi-tenant applications before users may use them, by disabling the "Users can consent to apps accessing company data on their behalf" setting.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Unless your Azure Active Directory is acting as an identity provider for third-party applications, do not allow users to use their identity outside the Azure cloud environment. By switching "Users can consent to apps accessing company data on their behalf" to "No" within the Active Directory user settings, you prevent third-party applications from accessing AD user profile data. This data contains private information, such as email addresses and phone numbers, which could be sold on to other third parties without requiring any further consent from the user.
To determine whether AD administrators are required to provide consent for applications before users may use them, perform the following actions:
Remediation / Resolution
With "Users can consent to apps accessing company data on their behalf" set to "No", Azure Active Directory administrators must consent to third-party multi-tenant applications before users may use them. To remove AD users' ability to grant consent to applications, perform the following actions:
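The portal setting described above is backed by the tenant's Microsoft Graph authorizationPolicy: the list defaultUserRolePermissions.permissionGrantPoliciesAssignedToDefaultUserRole names the permission-grant policies ordinary users may act under, and an empty list is what the portal shows as "No". The following Python is an added example, not Conformity's own check or remediation: it classifies a captured authorizationPolicy JSON document, reports whether this rule passes, and produces the PATCH body that disables user consent. The two sample responses are constructed and trimmed to the fields the check reads; the mode labels ("admin-only", "all-apps", "low-risk-verified", "custom") are this example's own names.

```python
import json

# Microsoft Graph resource: GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy
# Built-in permission-grant policies Azure AD can assign to the default user role.
# An empty list is what the portal shows as
# "Users can consent to apps accessing company data on their behalf: No".
POLICY_USER_CONSENT_ALL_APPS = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
POLICY_USER_CONSENT_LOW_RISK = "ManagePermissionGrantsForSelf.microsoft-user-default-low"

# Constructed sample responses (not captured from a real tenant), trimmed to the
# fields this check reads.
SAMPLE_USERS_CAN_CONSENT = json.dumps({
    "id": "authorizationPolicy",
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "permissionGrantPoliciesAssignedToDefaultUserRole": [POLICY_USER_CONSENT_ALL_APPS],
    },
})
SAMPLE_ADMIN_CONSENT_ONLY = json.dumps({
    "id": "authorizationPolicy",
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "permissionGrantPoliciesAssignedToDefaultUserRole": [],
    },
})


def user_consent_mode(policy: dict) -> str:
    """Map the assigned permission-grant policies to the portal's consent setting."""
    perms = policy.get("defaultUserRolePermissions") or {}
    assigned = perms.get("permissionGrantPoliciesAssignedToDefaultUserRole")
    if assigned is None:
        raise ValueError("authorizationPolicy lacks permissionGrantPoliciesAssignedToDefaultUserRole")
    if len(assigned) == 0:
        return "admin-only"          # portal: "No"; only admins can consent
    if POLICY_USER_CONSENT_ALL_APPS in assigned:
        return "all-apps"            # portal: "Yes"; users consent to any app
    if POLICY_USER_CONSENT_LOW_RISK in assigned:
        return "low-risk-verified"   # verified publishers, low-impact permissions only
    return "custom"                  # tenant-defined permissionGrantPolicy


def evaluate(policy_json: str) -> dict:
    """Return a verdict for one tenant's authorizationPolicy JSON document.

    The rule on this page passes only when user consent is fully disabled;
    any mode that lets users consent on their own is reported as a finding.
    """
    mode = user_consent_mode(json.loads(policy_json))
    compliant = mode == "admin-only"
    return {
        "mode": mode,
        "compliant": compliant,
        "finding": None if compliant else
            "Users can grant third-party apps access to directory data without admin review",
    }


def remediation_patch() -> dict:
    """Request body for PATCH /policies/authorizationPolicy that disables user consent."""
    return {"defaultUserRolePermissions": {"permissionGrantPoliciesAssignedToDefaultUserRole": []}}


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_USERS_CAN_CONSENT), ("after", SAMPLE_ADMIN_CONSENT_ONLY)):
        print(label, evaluate(sample))
    print("remediation:", json.dumps(remediation_patch()))
```

To audit a real tenant, feed evaluate() the body returned by an authenticated GET of /policies/authorizationPolicy (a caller with Policy.Read.All); the "custom" mode is deliberately treated as non-compliant because a tenant-defined policy still lets users consent under some condition, so it needs a manual review rather than an automatic pass.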
- Azure Official Documentation
- Managing user consent for applications using Office 365 APIs
- Configure the way end-users consent to an application in Azure Active Directory
- CIS Microsoft Azure Foundations
You are auditing:
Enforce Administrators to Provide Consent for Apps Before Use
Risk level: High