
Default Authorization Settings - User consent policy assigned for applications

Defines whether users are allowed to consent to apps and, if so, which app consent policy (permissionGrantPolicy) governs the permissions they may grant.

| Field | Value |
|---|---|
| Name | permissionGrantPolicyIdsAssignedToDefaultUserRole |
| Control | Default Authorization Settings |
| Description | Manages authorization settings in Azure AD |
| Severity | High |

How to fix

Details of configuration item

| Field | Value |
|---|---|
| Recommendation | Microsoft recommends allowing user consent only for apps from verified publishers and only for selected (low-impact) permissions. CISA SCuBA 2.7 defines that all non-admin users SHALL be prevented from providing consent to third-party applications. |
| Configuration | policies/authorizationPolicy |
| Setting | permissionGrantPolicyIdsAssignedToDefaultUserRole |
| Recommended Value | ManagePermissionGrantsForSelf.microsoft-user-default-low |
| Default Value | ManagePermissionGrantsForSelf.microsoft-user-default-legacy |
| Graph API Docs | authorizationPolicy resource type - Microsoft Graph v1.0 - Microsoft Learn |
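The check described above, as an added example that is not part of this page or of the project's own code: it takes the authorizationPolicy object returned by `GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy`, inspects `permissionGrantPolicyIdsAssignedToDefaultUserRole`, and reports whether the tenant is still on the legacy default, on the recommended low-impact policy, or has user consent disabled outright (the stricter CISA SCuBA 2.7 posture). The sample policy object is constructed for illustration and carries only the fields the check needs; the verdict vocabulary (`pass`, `fail`, `review`) and the helper names are this example's own.

```python
"""Evaluate permissionGrantPolicyIdsAssignedToDefaultUserRole from an
authorizationPolicy object as returned by
GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy."""
import json

# Microsoft-provided app consent policy ids named on the page.
LEGACY_POLICY = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"  # default: users consent to any app
LOW_RISK_POLICY = "ManagePermissionGrantsForSelf.microsoft-user-default-low"  # recommended value
RECOMMENDED_VALUE = [LOW_RISK_POLICY]


def evaluate_user_consent_policy(authorization_policy: dict) -> dict:
    """Return {'status': 'pass'|'fail'|'review', 'assigned': [...], 'reason': str}."""
    key = "permissionGrantPolicyIdsAssignedToDefaultUserRole"
    if key not in authorization_policy:
        return {"status": "review", "assigned": None,
                "reason": f"{key} missing from the authorizationPolicy object"}
    assigned = list(authorization_policy[key])
    if LEGACY_POLICY in assigned:
        # Legacy policy: any user may consent to any permission for any app.
        status, reason = "fail", "legacy policy lets any user consent to any permission for any app"
    elif not assigned:
        # Empty list: user consent is disabled entirely; admins handle consent requests.
        status, reason = "pass", ("user consent disabled entirely (CISA SCuBA 2.7 posture); "
                                  "admin consent workflow must handle requests")
    elif assigned == RECOMMENDED_VALUE:
        status, reason = "pass", ("only verified-publisher apps requesting low-impact "
                                  "permissions can receive user consent")
    else:
        # Custom policy ids: inspect them under policies/permissionGrantPolicies.
        status, reason = "review", ("custom or unexpected permission grant policy ids; "
                                    "inspect them in policies/permissionGrantPolicies")
    return {"status": status, "assigned": assigned, "reason": reason}


def remediation_patch_body() -> str:
    """JSON body for PATCH /policies/authorizationPolicy applying the recommended value."""
    return json.dumps({"permissionGrantPolicyIdsAssignedToDefaultUserRole": RECOMMENDED_VALUE})


# Constructed sample: a tenant still on the default (legacy) setting. A real
# response carries more properties; only the ones relevant here are included.
SAMPLE_AUTHORIZATION_POLICY = json.loads("""
{
  "id": "authorizationPolicy",
  "displayName": "Authorization Policy",
  "allowUserConsentForRiskyApps": false,
  "permissionGrantPolicyIdsAssignedToDefaultUserRole": [
    "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
  ]
}
""")

if __name__ == "__main__":
    verdict = evaluate_user_consent_policy(SAMPLE_AUTHORIZATION_POLICY)
    print(f"{verdict['status'].upper()}: {verdict['reason']}")
    if verdict["status"] == "fail":
        print("PATCH /policies/authorizationPolicy with body:", remediation_patch_body())
```

Run it against the JSON you get back from Graph Explorer or a Graph SDK call; the script only decides on the property the page covers, so a `pass` here says nothing about the admin consent workflow or other authorizationPolicy settings.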

MITRE ATT&CK

| Tactic | Technique | Mitigation |
|---|---|---|
| TA0001 - Initial Access | T1566.002 - Phishing: Spearphishing Link | M1017 - User Training |
| TA0005 - Defense Evasion | T1078 - Valid Accounts | M1018 - User Account Management |
| TA0006 - Credential Access | T1550 - Use Alternate Authentication Material | |
| TA0008 - Lateral Movement | T1528 - Steal Application Access Token | |