Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Users Can Consent To Apps Accessing Company Data On Their Behalf

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ActiveDirectory-009

Ensure that only Microsoft Entra ID administrators are allowed to provide consent for third-party multi-tenant applications before users may use them by disabling "Users can consent to apps accessing company data on their behalf" feature.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Unless your Microsoft Entra ID is running as an identity provider for third-party applications, do not allow users to use their identity outside the Azure cloud environment. By switching "Users can consent to apps accessing company data on their behalf" to "No" within the Microsoft Entra ID user settings, you can deny third-party applications to access Microsoft Entra ID user profile data as this data contains private information such as email addresses and phone numbers which can be sold to other third parties without requiring any further consent from the user.

Audit

To determine if Microsoft Entra ID administrators are enforced to provide consent for applications before users may use them, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Microsoft Entra ID user configuration settings.

05 On the User settings configuration page, under Enterprise applications, click Manage how end users launch and view their applications.

06 On the Enterprise applications panel, check the Users can consent to apps accessing company data on their behalf setting configuration. If this setting is set to Yes, the "Users can consent to apps accessing company data on their behalf" feature is enabled, therefore all Microsoft Entra ID users can consent to third-party applications.

07 Repeat steps no. 3 – 6 for each Microsoft Entra ID that you want to examine.

Using Azure PowerShell

01 Open an elevated Windows PowerShell command prompt (i.e. run PowerShell as an administrator) and run Install-Module MSOnline command to install MSOnline PowerShell module for Microsoft Entra ID: 

Install-Module MSOnline

02 Run Connect-MsolService PowerShell command to connect to your Microsoft Entra ID environment. Once the command request is made you should be prompted for your Microsoft Entra ID credentials. To connect to a specific environment of Microsoft Entra ID, use -AzureEnvironment parameter, as shown in the example above (replace the highlighted parameter value with your own Microsoft Entra ID environment name): 

Connect-MsolService -AzureEnvironment "<ad-environment-name>"

03 Run Get-MsolCompanyInformation PowerShell command with custom query filters to identify if the current Microsoft Entra ID account is configured to allow non-administrator users to consent to applications: 

Get-MsolCompanyInformation | fl UsersPermissionToUserConsentToAppEnabled

04 The command output should return the "Users can consent to apps accessing company data on their behalf" feature status (True for enabled, False for disabled): 

UsersPermissionToUserConsentToAppEnabled : True 
-----------------------------------------------

If UsersPermissionToUserConsentToAppEnabled configuration attribute is set to True, as shown in the example above, the feature is currently enabled, thus all Microsoft Entra ID users can consent to third-party applications, without administrator consent.

05 Repeat steps no. 1 - 4 for each Microsoft Entra ID that you want to examine.

Remediation / Resolution

By setting "Users can consent to apps accessing company data on their behalf" to "No", Microsoft Entra ID administrators are enforced consent to third-party multi-tenant applications before users may use them. To disable Microsoft Entra ID users' ability to grant consent to applications, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Microsoft Entra ID user configuration settings.

05 On the User settings configuration page, under Enterprise applications, click Manage how end users launch and view their applications.

06 On the Enterprise applications panel, select No next to Users can consent to apps accessing company data on their behalf setting to disable all Microsoft Entra ID users' ability to consent to applications that require access to their cloud user data, such as directory user profile or Office 365 email address.

07 Click Save to apply the configuration changes. If the request is successful, the following message should be displayed: "Successfully updated user settings".

08 Repeat steps no. 3 – 7 for each Microsoft Entra ID that you want to reconfigure to enforce administrator consent for using third-party applications.

Using Azure PowerShell

01 Open an elevated Windows PowerShell command prompt (i.e. run PowerShell as an administrator) and run Install-Module MSOnline command to install MSOnline PowerShell module for Microsoft Entra ID: 

Install-Module MSOnline

02 Run Connect-MsolService PowerShell command to connect to your Microsoft Entra ID environment. Once the command request is made you should be prompted for your Microsoft Entra ID credentials. To connect to a specific environment of Microsoft Entra ID, use -AzureEnvironment parameter, as shown in the example above (replace the highlighted parameter value with your own Microsoft Entra ID environment name): 

Connect-MsolService -AzureEnvironment "<ad-environment-name>"

03 Run Set-MsolCompanySettings PowerShell command (using MSOnline module) with -UsersPermissionToUserConsentToAppEnabled parameter set to $false to disable "Users can consent to apps accessing company data on their behalf" feature and enforce Microsoft Entra ID administrators to consent to third-party multi-tenant applications before users may use them (if the request is successful, the command does not produce an output): 

Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled:$false

04 Repeat steps no. 1 - 3 for each Microsoft Entra ID that you want to reconfigure in order to enforce Microsoft Entra ID administrator consent for using applications.

References

Publication date Aug 30, 2019

Related ActiveDirectory rules