APP-08 | Severity: High | Recommended Secure

Restrict User Application Consent

Workload Identity & Applications control for Microsoft 365 and Entra ID

Why This Control Matters

OAuth consent phishing attacks trick users into granting a malicious application access to their data. By blocking user consent tenant-wide, every new application permission request must go through admin review, which closes this attack vector.

Expected State

When this control is compliant, your tenant should meet these criteria:

  1. Users cannot consent to applications requesting permissions
  2. The admin consent workflow is the only path for new app permissions
  3. Pre-approved apps are allowlisted if needed

Enforcement

Default Mode: Advisory

Alerts on deviations but does not make changes

Auto-Remediation: Available

Configures user consent to "Do not allow user consent" in Entra ID
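The following is an added example, not TrueConfig's own code, showing how the same check and remediation can be done by hand with the Microsoft Graph PowerShell SDK. The cmdlets and the `PermissionGrantPoliciesAssigned` values are the SDK's own; the two function names are ours.

```powershell
# Added example (not TrueConfig's code): audit the tenant-wide user consent
# setting in Entra ID and, on request, enforce "Do not allow user consent".
# Requires the Microsoft.Graph.Identity.SignIns module and an account holding
# Global Administrator or Privileged Role Administrator.

function Get-UserConsentState {
    # Returns one of: NoUserConsent, LowImpactOnly, AllApps, Custom
    $policy   = Get-MgPolicyAuthorizationPolicy
    $assigned = @($policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)

    # An empty list is the "Do not allow user consent" setting in the portal.
    if ($assigned.Count -eq 0) { return 'NoUserConsent' }
    if ($assigned -contains 'ManagePermissionGrantsForSelf.microsoft-user-default-low') {
        return 'LowImpactOnly'   # users may consent to verified publishers, low-impact scopes
    }
    if ($assigned -contains 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy') {
        return 'AllApps'         # users may consent to any app: the state this control flags
    }
    return 'Custom'              # a tenant-defined app consent policy is assigned
}

function Set-NoUserConsent {
    # Clears every assigned grant policy so only admins can consent.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $body = @{ DefaultUserRolePermissions = @{ PermissionGrantPoliciesAssigned = @() } }
    if ($PSCmdlet.ShouldProcess('authorizationPolicy', 'Set user consent to "Do not allow user consent"')) {
        Update-MgPolicyAuthorizationPolicy -BodyParameter $body
    }
}

# Usage: read-only audit first, then remediate only when out of compliance.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization' -NoWelcome
$state = Get-UserConsentState
Write-Host "Current user consent state: $state"
if ($state -ne 'NoUserConsent') {
    # -WhatIf previews the change; remove it to apply the remediation.
    Set-NoUserConsent -WhatIf
}
```

The admin consent workflow named in the Expected State (a separate Entra ID setting, `adminConsentRequestPolicy`) is not changed by this script; enable it before blocking user consent so that blocked requests reach a reviewer instead of failing silently.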

TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.