Unrestricted User Consent for Applications

MEDIUM
Note: This indicator is in Early Access.

Description

Entra ID implements the OAuth 2.0 delegation mechanism, which allows users to consent to any third-party application. By consenting, users grant the application access to their own data and, by extension, to any organization data they can access.

Attackers have devised social engineering attacks using malicious applications that often masquerade as legitimate business applications and request sensitive permissions. Once granted, these permissions allow attackers to steal data or perform actions on behalf of the user. These attacks are known as "illicit consent grant" or "consent phishing".

Entra ID offers three options regarding user consent for applications:

  • "Do not allow user consent": the most secure option.
  • "Allow user consent for apps from verified publishers, for selected permissions": the intermediate option, which Microsoft recommends because it reduces risk by allowing only less sensitive permissions and restricting consent to applications from "verified publishers".
  • "Allow user consent for apps": the default and least secure option, which allows users to consent to any application, including external ones, for most permissions (except those reserved for administrators).

By default, the IoE flags only the least secure Entra ID option as deviant. For higher security sensitivity, you can enable the IoE's "Strict" option, which flags both the least secure and the intermediate Entra ID options.

Solution

Tenable recommends following Microsoft's advice by opting for at least the intermediate option: "Allow user consent for apps from verified publishers, for selected permissions." For organizations with stricter security requirements, you can choose the most secure option: "Do not allow user consent."

Enabling restrictions means that Microsoft Entra administrators holding the required roles must manage consent to applications and evaluate consent requests, including admin consent requests, which increases their workload. Ensure that they receive adequate training so that they approve only legitimate applications and permissions.

Follow the Microsoft guide that describes how to configure how users consent to applications. This guide includes instructions for using the Microsoft Entra admin center, Microsoft Graph PowerShell, or Microsoft Graph API.

Changing the selected option will not undo previous consents. Therefore, exercise caution if you suspect that social engineering attacks may have exploited this technique. You can refer to the results of the "Dangerous API Permissions Affecting the Tenant" and "Dangerous API Permissions Affecting Data" IoEs to identify potentially malicious or excessively granted permissions.

You can also consider enabling "risk-based step-up consent".
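The following script is an added example, not Tenable's or Microsoft's code, that ties together the three consent options, the IoE's default and "Strict" verdicts described above, and the Microsoft Graph remediation path mentioned in the solution. It assumes the JSON shape returned by GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy, where the consent option is encoded in defaultUserRolePermissions.permissionGrantPoliciesAssigned (the built-in policy ids microsoft-user-default-legacy and microsoft-user-default-low, or an empty list), and that a PATCH to the same endpoint with Policy.ReadWrite.Authorization replaces that list wholesale. The sample policy document is constructed for this example, not captured from a real tenant.

```python
"""Evaluate an Entra ID tenant's user-consent setting the way this IoE does.

Added example: feed it the JSON body of
GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy
(obtained with any Graph client) and it reports which of the three consent
options is in effect, whether the IoE would flag it (default or Strict mode),
and builds the PATCH body that moves the tenant to a chosen option.
"""
import json

# Built-in permission grant policies Microsoft assigns to default users for
# the two "allow" options. An empty list means "Do not allow user consent".
LEGACY_ALL_APPS = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
VERIFIED_LOW_RISK = "ManagePermissionGrantsForSelf.microsoft-user-default-low"
SELF_PREFIX = "ManagePermissionGrantsForSelf."

OPTION_NONE = "Do not allow user consent"
OPTION_VERIFIED = ("Allow user consent for apps from verified publishers, "
                   "for selected permissions")
OPTION_ALL = "Allow user consent for apps"
OPTION_CUSTOM = "Custom permission grant policy (review manually)"

# Constructed sample: a tenant still on the default, least secure option.
SAMPLE_POLICY = {
    "id": "authorizationPolicy",
    "allowUserConsentForRiskyApps": False,
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "permissionGrantPoliciesAssigned": [
            LEGACY_ALL_APPS,
            # Teams/chat resource-owner policies also live in this list and
            # are unrelated to user consent for apps; they must be preserved.
            "ManagePermissionGrantsForOwnedResource."
            "microsoft-dynamically-managed-permissions-for-chat",
        ],
    },
}


def assigned_self_policies(policy: dict) -> list:
    """Only the ManagePermissionGrantsForSelf.* entries encode the option."""
    assigned = policy.get("defaultUserRolePermissions", {}) \
                     .get("permissionGrantPoliciesAssigned", [])
    return [p for p in assigned if p.startswith(SELF_PREFIX)]


def classify_consent_option(policy: dict) -> str:
    self_policies = assigned_self_policies(policy)
    if LEGACY_ALL_APPS in self_policies:
        return OPTION_ALL
    if VERIFIED_LOW_RISK in self_policies:
        return OPTION_VERIFIED
    if not self_policies:
        return OPTION_NONE
    # Assumption: a tenant-defined policy id is neither of the built-ins, so
    # it cannot be mapped onto the three options without reading its rules.
    return OPTION_CUSTOM


def evaluate_ioe(policy: dict, strict: bool = False) -> dict:
    """Mirror the IoE verdict: flag the least secure option, and in Strict
    mode also the intermediate one. Custom policies are flagged for review."""
    option = classify_consent_option(policy)
    if option == OPTION_ALL:
        deviant, reason = True, "users may consent to any app"
    elif option == OPTION_VERIFIED:
        deviant, reason = strict, "intermediate option; flagged in Strict mode only"
    elif option == OPTION_NONE:
        deviant, reason = False, "user consent disabled"
    else:
        deviant, reason = True, "custom policy needs manual review"
    # Risk-based step-up consent is treated here as on unless the tenant
    # explicitly set allowUserConsentForRiskyApps to true (assumption).
    step_up = policy.get("allowUserConsentForRiskyApps") is not True
    return {"option": option, "deviant": deviant, "reason": reason,
            "risk_based_step_up_consent": step_up}


def remediation_patch_body(policy: dict, target: str) -> dict:
    """Build the PATCH body for /policies/authorizationPolicy that switches
    default users to `target`, keeping every non-Self entry already present."""
    mapping = {OPTION_NONE: [], OPTION_VERIFIED: [VERIFIED_LOW_RISK],
               OPTION_ALL: [LEGACY_ALL_APPS]}
    current = policy.get("defaultUserRolePermissions", {}) \
                    .get("permissionGrantPoliciesAssigned", [])
    kept = [p for p in current if not p.startswith(SELF_PREFIX)]
    return {"defaultUserRolePermissions":
            {"permissionGrantPoliciesAssigned": kept + mapping[target]}}


if __name__ == "__main__":
    print(json.dumps(evaluate_ioe(SAMPLE_POLICY), indent=2))
    print(json.dumps(evaluate_ioe(SAMPLE_POLICY, strict=True), indent=2))
    print(json.dumps(remediation_patch_body(SAMPLE_POLICY, OPTION_VERIFIED), indent=2))
```

Note that the PATCH body is built from the tenant's current list rather than from constants alone: replacing the property with just the new Self policy would silently drop the ManagePermissionGrantsForOwnedResource entries. As the page says, changing the option does not revoke consents already granted, so the output of this check should be read alongside a review of existing grants.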

Indicator Details

Name: Unrestricted User Consent for Applications

Codename: UNRESTRICTED-USER-CONSENT-FOR-APPLICATIONS

Severity: Medium

MITRE ATT&CK Information: