Introduction
By default, users are allowed to consent to third-party apps accessing company data on their behalf.
This means that any user can grant an external, untrusted app access to your company data on their behalf without prior approval from an administrator.
A user can grant numerous permissions this way, some of which are highly sensitive, such as:
- Read all users’ basic profiles
- Read user mail
- Send mail as a user
- Read items in all site collections
- Edit items in all site collections
We recommend disabling the ability for users to consent to apps accessing company data on their behalf.
User Impact
Medium
If you decide to turn off user consent, an admin will be required to consent to any new application that users wish to grant access to company data.
Admin Portal Reference
In the Azure portal:
- Go to the Azure Active Directory blade
- Go to the Enterprise applications section
- Go to the User settings section
- Change Users can consent to apps accessing company data on their behalf to “No”

If Action is set to Notify
We report the setting is compliant if users cannot consent to apps accessing company data on their behalf.
We report the setting is non-compliant if users can consent to apps accessing company data on their behalf.
If Action is set to Enforce
We report the setting is compliant if users cannot consent to apps accessing company data on their behalf.
We report the setting is compliant-fixed if users could previously consent to apps accessing company data on their behalf, but have since been blocked from doing so.
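The Notify and Enforce reporting logic above, worked through against the Microsoft Graph representation of this setting (the `permissionGrantPoliciesAssigned` list on the tenant's `authorizationPolicy`, where an empty list corresponds to the portal's "No"). This is an added example, not the tool's own code; the sample policy document is constructed, and the evaluation functions are illustrative rather than the product's implementation.

```python
import copy
import json
from typing import Optional

# Graph value that lets users consent to any app (the portal's "Yes" setting).
# An empty permissionGrantPoliciesAssigned list is the portal's "No" setting.
LEGACY_GRANT_POLICY = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"

# Constructed sample of GET /policies/authorizationPolicy (not a real tenant).
SAMPLE_POLICY_JSON = """{
  "id": "authorizationPolicy",
  "displayName": "Authorization Policy",
  "defaultUserRolePermissions": {
    "allowedToCreateApps": true,
    "permissionGrantPoliciesAssigned": [
      "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
    ]
  }
}"""

def load_sample_policy() -> dict:
    return json.loads(SAMPLE_POLICY_JSON)

def users_can_consent(policy: dict) -> bool:
    """True when any self-consent grant policy is assigned to the default user role.
    Only an empty list matches the recommended "No"; the 'low' policy still lets
    users consent to verified-publisher apps, so it counts as enabled here."""
    assigned = policy["defaultUserRolePermissions"].get("permissionGrantPoliciesAssigned", [])
    return len(assigned) > 0

def evaluate_notify(policy: dict) -> str:
    return "non-compliant" if users_can_consent(policy) else "compliant"

def evaluate_enforce(policy: dict) -> tuple:
    """Return (status, resulting policy, PATCH body or None).
    The PATCH body is what an Enforce action would send to
    PATCH /policies/authorizationPolicy to block user consent."""
    if not users_can_consent(policy):
        return "compliant", policy, None
    patch_body = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": []}}
    fixed = copy.deepcopy(policy)  # leave the original response untouched
    fixed["defaultUserRolePermissions"]["permissionGrantPoliciesAssigned"] = []
    return "compliant-fixed", fixed, patch_body

if __name__ == "__main__":
    policy = load_sample_policy()
    print("Notify:", evaluate_notify(policy))
    status, fixed, body = evaluate_enforce(policy)
    print("Enforce:", status, json.dumps(body))
    print("Re-check after fix:", evaluate_notify(fixed))
```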