One of the most overlooked security settings in Entra is user consent for enterprise applications. By default, users may be allowed to consent to third-party apps, granting them permissions to access organizational data—often without understanding the implications. This can lead to unauthorized access, data leakage, or even malicious activity within your tenant.
To prevent this, global admins must disable user consent and enable the admin consent workflow. This simple configuration change reduces your attack surface and ensures only vetted applications are granted access.
The Risk of Allowing User Consent
When users are allowed to consent to applications, they can grant excessive permissions to third-party apps without understanding what they are handing over. For example:
- An app may request access to sensitive data like emails, files, or calendars.
- Attackers can exploit this by creating malicious apps disguised as legitimate tools.
- Once permissions are granted, the app can act on behalf of the user, potentially accessing or exfiltrating sensitive organizational data.
Allowing unrestricted user consent essentially hands over control of your tenant’s security to end users who may not fully understand the risks.
How To Fix It
To secure your tenant, follow these steps:
- Navigate to the Entra Admin Portal and log in as a global admin.
- Go to Enterprise Applications > Consent and Permissions.
- Set “User Consent for Applications” to Do Not Allow.
- Enable Admin Consent Workflow, allowing admins to review and approve application requests before granting permissions.
This ensures that only trusted applications are approved by administrators, reducing the risk of unauthorized access.
This change is not retroactive: applications that users consented to before the setting was changed keep the permissions they were granted. If user consent has been allowed for some time, audit the enterprise applications already present in your tenant and the permissions each one holds.
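The same hardening and the follow-up audit can be scripted. The following is an added example using the Microsoft Graph PowerShell SDK, not code from the original post; it assumes the SDK is installed, the caller holds a role permitted to change these policies, and `<REVIEWER-OBJECT-ID>` is a placeholder for the admin who will review consent requests.

```powershell
# Added example: check and disable user consent, enable the admin consent
# workflow, then list grants that users consented to themselves.
# Install-Module Microsoft.Graph -Scope CurrentUser   # once, if not installed
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization','Policy.ReadWrite.ConsentRequest','Directory.Read.All'

# 1. Current state: an empty list of assigned permission grant policies for the
#    default user role is the API equivalent of "Do not allow" in the portal.
$authPolicy = Get-MgPolicyAuthorizationPolicy
$assigned   = $authPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
if ($assigned.Count -eq 0) {
    Write-Host 'User consent is already disabled.'
} else {
    Write-Host "User consent is currently allowed via: $($assigned -join ', ')"
    # 2. Disable it by assigning no permission grant policies to default users.
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }
}

# 3. Enable the admin consent workflow so blocked requests route to a reviewer.
#    <REVIEWER-OBJECT-ID> is a placeholder, not a real object ID.
$workflow = @{
    IsEnabled             = $true
    NotifyReviewers       = $true
    RemindersEnabled      = $true
    RequestDurationInDays = 30
    Reviewers             = @(@{ Query = '/users/<REVIEWER-OBJECT-ID>'; QueryType = 'MicrosoftGraph' })
}
Update-MgPolicyAdminConsentRequestPolicy -BodyParameter $workflow

# 4. The change is not retroactive: list delegated grants with ConsentType
#    'Principal' (consented by an individual user) so each app can be reviewed.
Get-MgOauth2PermissionGrant -All | Where-Object ConsentType -eq 'Principal' |
    ForEach-Object {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        [pscustomobject]@{ App = $sp.DisplayName; Scopes = $_.Scope.Trim(); UserId = $_.PrincipalId }
    } | Sort-Object App | Format-Table -AutoSize
```

Step 4 only covers delegated (user) grants; application permissions consented by an admin appear as app role assignments on the service principal and are worth reviewing separately.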