Information
Allow users to provide consent for selected permissions when a request is coming from a verified publisher.
Rationale:
If Azure Active Directory is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.
Impact:
Enforcing this setting may create additional requests that administrators need to review.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
From Azure Portal
From Azure Home select the Portal Menu
Select Azure Active Directory
Select Enterprise Applications
Select Consent and permissions
Select User consent settings
Under User consent for applications, select Allow user consent for apps from verified publishers, for selected permissions
Select Save
From PowerShell
Connect-MsolService
Set-MsolCompanyInformation --UsersPermissionToUserConsentToAppEnabled $False
Default Value:
By default, User consent for applications is set to Allow user consent for apps.