Ensure permission type is not set to 'Admin' in oauth2_permissions for AzureAD Application

HIGH

Description

Overly permissive applications may lead to lateral movement and unauthorised access.

Remediation

At this time, the console UI does not have remediation steps available. For possible CLI remediation, see the product documentation (below) or use Terraform.

In Terraform:

  1. In the azuread_application resource, set the oauth2_permission_scope.type field (inside the api block) to User.
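The following is an added example, not part of this policy page or of the azuread provider's documentation. It shows the same azuread_application resource in the form this rule flags (type = "Admin" on an oauth2_permission_scope) and in the remediated form (type = "User"). The display names, the scope id UUIDs and the scope value are constructed placeholders.

```terraform
# Added example (not from the policy page): one azuread_application written twice,
# first with the permission scope type this rule flags, then with the remediated value.
# Display names, scope ids and scope values below are constructed placeholders.

# Non-compliant: oauth2_permission_scope.type is set to "Admin"
resource "azuread_application" "example_noncompliant" {
  display_name = "example-app-noncompliant"

  api {
    oauth2_permission_scope {
      admin_consent_description  = "Allow the app to read example data on behalf of the signed-in user."
      admin_consent_display_name = "Read example data"
      enabled                    = true
      id                         = "00000000-0000-0000-0000-000000000001" # placeholder scope id
      type                       = "Admin"                                # flagged by this rule
      user_consent_description   = "Allow the app to read your example data."
      user_consent_display_name  = "Read your example data"
      value                      = "ExampleData.Read"
    }
  }
}

# Compliant: oauth2_permission_scope.type is set to "User", as the remediation step requires
resource "azuread_application" "example_compliant" {
  display_name = "example-app-compliant"

  api {
    oauth2_permission_scope {
      admin_consent_description  = "Allow the app to read example data on behalf of the signed-in user."
      admin_consent_display_name = "Read example data"
      enabled                    = true
      id                         = "00000000-0000-0000-0000-000000000002" # placeholder scope id
      type                       = "User"                                 # remediated value
      user_consent_description   = "Allow the app to read your example data."
      user_consent_display_name  = "Read your example data"
      value                      = "ExampleData.Read"
    }
  }
}
```

Every oauth2_permission_scope block in a module needs the check applied; an application may declare several scopes under its api block, and the rule is satisfied only when none of them carries type = "Admin".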

References:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application#oauth2_permission_scope

Policy Details

Rule Reference ID: AC_AZURE_0541
CSP: Azure
Remediation Available: No
Resource Type: AzureAD

Frameworks