Default Settings - Consent Policy Settings - Users can request admin consent to apps they are unable to consent to
If this option is set to enabled, then users request admin consent to any app that requires access to data they do not have the permission to grant. If this option is set to disabled, then users must contact their admin to request to consent in order to use the apps they need.
| Name | EnableAdminConsentRequests |
| Control | Default Settings - Consent Policy Settings |
| Description | Define the consent configurations that can be used to customize the tenant-wide and object-specific restrictions and allowed behavior |
| Severity | High |
How to fix
Details of configuration item
| Recommendation | CISA SCuBA 2.7: Non-Admin Users SHALL Be Prevented From Providing Consent To Third-Party Applications. |
| Configuration | settings |
| Setting | `values |
| Recommended Value | 'true' |
| Default Value | false |
| Graph API Docs | directorySetting resource type - Microsoft Graph beta - Microsoft Learn |
| Graph Explorer | Open in Graph Explorer |
MITRE ATT&CK
| Tactic | Technique | Mitigation |
|---|---|---|
| TA0001 - Initial Access - Initial Access | T1566.002 - Phishing: Spearphishing Link T1078 - Valid Accounts | M1017 - User Training M1018 - User Account Management M1047 - Audit |