APP-04MediumEnhanced Security

Enable Admin Consent Workflow

Workload Identity & Applications control for Microsoft 365 and Entra ID

Why This Control Matters

Without admin consent workflow, any user can grant an OAuth app access to their data. Attackers use illicit consent grant attacks to trick users into granting malicious apps access. Admin approval stops this attack vector.

Expected State

When this control is compliant, your tenant should meet these criteria:

1Admin consent workflow is enabled
2Users cannot consent to applications themselves
3Consent requests are routed to designated approvers

Enforcement

Default Mode

Auto-Remediate

Automatically fixes deviations when safe to do so

Auto-Remediation

Available

Configures admin consent workflow settings

Ready to implement this control?

TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.