APP-08: Restrict User Application Consent
Overview
User consent allows individuals to grant applications access to organizational data without administrator approval. While convenient, unrestricted consent is a common attack vector for phishing and data exfiltration. This guide walks you through implementing appropriate consent restrictions while maintaining user productivity.
TrueConfig: TrueConfig can configure user consent to "Do not allow user consent" in Entra ID with one click, enforcing the strictest setting automatically.
Prerequisites
Required Roles
- Global Administrator - Required for consent setting changes
- Cloud Application Administrator - Can manage consent settings
- Application Administrator - Can manage consent settings
Required Licenses
- Microsoft Entra ID (any tier)
Time Estimate
- Initial Configuration: 20-30 minutes
- Policy Development: 1-2 hours
- User Communication: 30 minutes
Step-by-Step Instructions
Step 1: Assess Current Consent Posture
Check Existing Settings
- Navigate to Microsoft Entra admin center (https://entra.microsoft.com)
- Go to Identity → Applications → Enterprise applications
- Click Consent and permissions → User consent settings
- Document current settings:
- User consent for applications
- Group owner consent for apps
- Risk-based step-up consent
Audit Recent User Consents
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"
# Get recent consent grants
$consents = Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Consent to application'" -Top 100
$consentReport = $consents | ForEach-Object {
[PSCustomObject]@{
DateTime = $_.ActivityDateTime
User = $_.InitiatedBy.User.UserPrincipalName
AppName = ($_.TargetResources | Where-Object Type -eq "ServicePrincipal").DisplayName
Permissions = ($_.AdditionalDetails | Where-Object Key -eq "ConsentAction.Permissions").Value
ConsentType = ($_.AdditionalDetails | Where-Object Key -eq "ConsentType").Value
}
}
$consentReport | Format-Table
$consentReport | Export-Csv -Path "RecentConsents.csv" -NoTypeInformation
Step 2: Choose Your Consent Strategy
Select the appropriate level based on your security requirements:
| Strategy | User Consent | Security Level | Productivity Impact |
|---|---|---|---|
| Block All | Disabled | Highest | Users need IT for every app |
| Verified Publishers Only | Verified + Low Risk | High | Balance of security and productivity |
| Verified + Specific Permissions | Verified + Selected | Recommended | Fine-grained control |
| Allow All | Enabled | Lowest | Maximum flexibility, highest risk |
Recommended: Verified Publishers with Selected Permissions
This approach allows users to consent to low-risk permissions from verified publishers while requiring admin approval for sensitive access.
Step 3: Configure User Consent Settings
Option A: Block All User Consent (High Security)
- Navigate to Consent and permissions → User consent settings
- Under User consent for applications:
- Select Do not allow user consent
- Click Save
Note: This requires enabling the admin consent workflow (Step 5) to avoid blocking all application access.
Option B: Allow Verified Publishers with Low-Risk Permissions (Recommended)
- Navigate to Consent and permissions → User consent settings
- Under User consent for applications:
- Select Allow user consent for apps from verified publishers, for selected permissions
- Click Save
Option C: Allow Verified Publishers for All Permissions
- Navigate to Consent and permissions → User consent settings
- Under User consent for applications:
- Select Allow user consent for apps from verified publishers
- Click Save
Step 4: Define Low-Risk Permission Classifications
If you selected Option B, configure which permissions users can grant:
- Navigate to Consent and permissions → Permission classifications
- Click + Add permissions
- Select Microsoft Graph from the API dropdown
- Add these low-risk permissions to the "Low" classification:
Recommended Low-Risk Permissions
# OpenID Connect / Authentication
openid
profile
email
offline_access
# Basic User Data (Read-Only)
User.Read
User.ReadBasic.All
# Minimal Calendar Access
Calendars.Read
# Presence Information
Presence.Read
# File Access (User's Own)
Files.Read
- Click Add selected permissions
- Click Save
Permissions to EXCLUDE from Low-Risk
These should always require admin consent:
Mail.Read/Mail.ReadWrite- Access to emailFiles.ReadWrite.All- Write access to all filesUser.ReadWrite.All- Modify user dataDirectory.ReadWrite.All- Directory modificationsSites.ReadWrite.All- SharePoint modifications- Any
.Allscopes - Any application permissions
Step 5: Enable Admin Consent Workflow
Allow users to request access to applications that require admin approval:
- Navigate to Consent and permissions → Admin consent settings
- Set Users can request admin consent to apps they are unable to consent to to Yes
- Configure reviewers:
- Click + Add users or + Add groups
- Add designated consent reviewers (e.g., IT Security team)
- Configure notifications:
- Selected users will receive email notifications for requests: Yes
- Selected users will receive request expiration reminders: Yes
- Set Consent request expires after (days): 30
- Click Save
See APP-04: Configuring Admin Consent Workflow for detailed workflow configuration.
Step 6: Configure Group Owner Consent (Optional)
Control whether group owners can consent to apps accessing group data:
- Navigate to Consent and permissions → User consent settings
- Under Group owner consent for apps accessing data:
- Do not allow group owner consent - Recommended for high security
- Allow group owner consent for all group owners - If groups are self-managed
- Allow group owner consent for selected group owners - Targeted permission
- Click Save
Step 7: Enable Risk-Based Step-Up Consent
Block risky consent attempts automatically:
- Navigate to Identity → Protection → Consent policies
- Verify Risk-based step-up consent is enabled
- This automatically blocks consent to:
- Apps from unverified publishers requesting high-risk permissions
- Apps exhibiting suspicious behavior
- Apps flagged by Microsoft threat intelligence
Step 8: Block Specific Publishers or Applications
Block a Specific Application
- Navigate to Enterprise applications → All applications
- Find the application to block
- Go to Properties
- Set Enabled for users to sign-in to No
- Click Save
Block by Publisher Domain (PowerShell)
# Note: There's no direct "block publisher" feature, but you can:
# 1. Disable all apps from a specific publisher
# 2. Use Conditional Access to block sign-in
$publisherDomain = "suspicious-publisher.com"
$apps = Get-MgServicePrincipal -All | Where-Object { $_.PublisherName -like "*$publisherDomain*" }
foreach ($app in $apps) {
Update-MgServicePrincipal -ServicePrincipalId $app.Id -AccountEnabled:$false
Write-Host "Disabled: $($app.DisplayName)"
}
Step 9: Communicate Changes to Users
Email Template
Subject: Changes to Application Access Policy
Dear [User/Team],
To enhance the security of our Microsoft 365 environment, we are implementing
new controls on application access starting [Date].
What's Changing:
- You can continue to use approved applications without interruption
- For new applications, you may be prompted to request admin approval
- Applications from verified publishers with basic permissions will work as before
What You Need to Do:
- If you need a new application, submit a request through the approval workflow
- You'll receive a notification when your request is approved or denied
- Most requests are processed within 2-3 business days
How to Request Application Access:
1. When prompted, click "Request approval"
2. Provide a brief business justification
3. Your request will be reviewed by IT Security
Questions?
Contact the IT Help Desk at [contact info]
Thank you for your cooperation in keeping our environment secure.
IT Security Team
Step 10: Monitor and Review Consents
Set Up Consent Alerts
Create alerts for:
- Admin consents granted
- High-volume consent requests
- Consents to previously unseen applications
Weekly Consent Review Report
# Generate weekly consent report
$startDate = (Get-Date).AddDays(-7).ToString("yyyy-MM-dd")
$filter = "activityDisplayName eq 'Consent to application' and activityDateTime ge $startDate"
$weeklyConsents = Get-MgAuditLogDirectoryAudit -Filter $filter -All
$summary = $weeklyConsents | Group-Object {
($_.TargetResources | Where-Object Type -eq "ServicePrincipal").DisplayName
} | Select-Object Name, Count | Sort-Object Count -Descending
Write-Host "Weekly Consent Summary"
Write-Host "====================="
$summary | Format-Table -AutoSize
Verification Checklist
After implementing consent restrictions:
- User consent settings are configured appropriately
- Low-risk permissions are classified
- Admin consent workflow is enabled
- Consent reviewers are assigned
- Risk-based step-up consent is enabled
- Group owner consent is configured
- Known risky applications are blocked
- Users have been notified of changes
- Help desk is prepared for consent-related tickets
- Monitoring is in place for consent events
- Documentation is updated with consent policy
Troubleshooting
Issue: Users cannot access previously working applications
Cause: Consent restrictions may have blocked re-consent on token expiration.
Solution:
- Check if the application requires renewed consent
- Grant admin consent if appropriate:
- Enterprise applications → Select app → Permissions → Grant admin consent
- Add the application to the pre-approved list if widely used
Issue: Too many consent requests overwhelming IT
Cause: Users are requesting access to many applications.
Solution:
- Identify frequently requested applications
- Pre-approve common business applications with admin consent
- Create a catalog of approved applications for users to reference
- Consider allowing more permissions in the "Low" classification
Issue: Verified publisher check is too restrictive
Cause: Legitimate vendors may not have completed publisher verification.
Solution:
- Contact the vendor to request they complete publisher verification
- Grant admin consent for specific trusted applications
- Document exceptions with business justification
- Consider adjusting to allow verified publishers for more permissions
Issue: Users confused about consent workflow
Cause: User communication may have been insufficient.
Solution:
- Resend communication about the new process
- Create FAQ document or knowledge base article
- Brief help desk on common questions
- Consider in-person or video training for key teams
Issue: Application requires permissions not in low-risk list
Cause: Application needs more access than user consent allows.
Solution:
- User should request admin consent via the workflow
- Review the permission request:
- Is it appropriate for the application's function?
- Can a less-privileged alternative permission work?
- If approved, grant admin consent
- Document the decision
Issue: OAuth consent phishing attack detected
Cause: Malicious application attempted to gain unauthorized access.
Solution:
- Identify affected users from audit logs
- Revoke consent for the malicious application:
$appId = "malicious-app-id" $sp = Get-MgServicePrincipal -Filter "appId eq '$appId'" Remove-MgServicePrincipal -ServicePrincipalId $sp.Id - Review permissions granted by affected users
- Reset affected user passwords if credential compromise suspected
- Report the application to Microsoft
Issue: Consent settings not applying to specific users
Cause: User may be exempt due to admin role or PIM activation.
Solution:
- Users with Application Administrator or higher can always consent
- Check if user has any admin roles assigned
- PIM-activated roles may grant consent ability
- This is by design - admin roles include consent capability
Issue: Group consent is being abused
Cause: Group owners are consenting to applications that access all group data.
Solution:
- Restrict group owner consent settings
- Review recent group owner consents in audit logs
- Educate group owners on consent security
- Consider requiring admin consent for all group-level permissions
Related Resources
- Configure user consent settings
- Permission classifications
- Admin consent workflow
- Detect illicit consent grants
Last updated: January 2025