rules/findings/EntraID/Applications/CIS3.0/eid-users-can-consent-apps-data-access.json

{
  "args": [
     
  ],
  "provider": "EntraID",
  "serviceType": "General",
  "serviceName": "Microsoft Entra ID",
  "displayName": "Ensure 'User consent for applications' is set to 'Do not allow user consent'",
  "description": "Require administrators to provide consent for applications before use.",
  "rationale": "If Microsoft Entra ID is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.",
  "impact": "Enforcing this setting may create additional requests that administrators need to review.",
  "remediation": {
    "text": "###### From Azure Console\r\n\t\t\t\t\t\t1. Go to `Microsoft Entra ID`\r\n\t\t\t\t\t\t2. Go to `Users`\r\n\t\t\t\t\t\t3. Go to `User settings`\r\n\t\t\t\t\t\t4. Click on `Manage how end users launch and view their applications`\r\n\t\t\t\t\t\t5. Set `Users can consent to apps accessing company data on their behalf` to `No`",
    "code": {
      "powerShell": null,
      "iac": null,
      "terraform": null,
      "other": null
    }
  },
  "recommendation": null,
  "references": [
    "https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups",
    "https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added",
    "https://ezcloudinfo.com/2019/01/22/configure-access-panel-in-azure-active-directory/",
    "https://blogs.msdn.microsoft.com/exchangedev/2014/06/05/managing-user-consent-for-applications-using-office-365-apis/",
    "https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx",
    "https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent#configure-user-consent-to-applications",
    "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users",
    "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems",
    "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy",
    "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy"
  ],
  "compliance": [
    {
      "name": "CIS Microsoft Azure Foundations",
      "version": "3.0.0",
      "reference": "2.12",
      "profile": "Level 1"
    }
  ],
  "level": "medium",
  "tags": [
     
  ],
  "rule": {
    "path": "aad_authorization_policy",
    "subPath": null,
    "selectCondition": {
       
    },
    "query": [
      {
        "filter": [
          {
            "conditions": [
              [
                "TenantAuthPolicy.permissionGrantPolicyIdsAssignedToDefaultUserRole",
                "match",
                "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
              ]
            ]
          }
        ]
      }
    ],
    "shouldExist": null,
    "returnObject": null,
    "removeIfNotExists": null
  },
  "output": {
    "html": {
      "data": {
        "properties": {
          "TenantAuthPolicy.allowInvitesFrom": "Allow Invites From",
          "TenantAuthPolicy.blockMsolPowerShell": "Block MSOL PowerShell",
          "TenantAuthPolicy.defaultUserRolePermissions.permissionGrantPoliciesAssigned": "User consent for applications"
        },
        "expandObject": null
      },
      "table": "asList",
      "decorate": [
         
      ],
      "emphasis": [
        "User consent for applications"
      ],
      "actions": {
        "objectData": {
          "properties": [
             
          ],
          "expandObject": null,
          "limit": null
        },
        "showGoToButton": null,
        "showModalButton": null,
        "directLink": null
      }
    },
    "text": {
      "data": {
        "properties": {
           
        },
        "expandObject": null
      },
      "status": {
        "keyName": [
           
        ],
        "message": "Users can consent to apps accessing company data on their behalf",
        "defaultMessage": null
      },
      "properties": {
        "resourceName": null,
        "resourceId": null,
        "resourceType": null
      },
      "onlyStatus": false
    }
  },
  "idSuffix": "aad_require_admin_consent_apps",
  "notes": [
     
  ],
  "categories": [
     
  ]
}