APP-04: Enable Admin Consent Workflow

Frequently asked questions about implementing and managing the APP-04 security control in Microsoft 365 and Entra ID.

Q
What is APP-04 (Enable Admin Consent Workflow)?
A

APP-04 is a security control for Microsoft 365 and Entra ID. Without an admin consent workflow, any user can grant an OAuth app access to their data; attackers use illicit consent grant attacks to trick users into granting malicious apps that access, and admin approval stops this attack vector. The control requires that the admin consent workflow is enabled, that users cannot consent to applications themselves, and that consent requests are routed to designated approvers.
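An added example (not TrueConfig's or Microsoft's code) that evaluates a tenant against the APP-04 target state using the two Microsoft Graph policy objects that carry these settings, `GET /v1.0/policies/authorizationPolicy` (user consent) and `GET /v1.0/policies/adminConsentRequestPolicy` (the workflow). The JSON below is constructed to look like those responses, and the reviewer object id is a placeholder; in practice the objects come from an authenticated Graph call.

```python
# Constructed sample: a tenant that still allows user consent and has no
# admin consent request workflow (the state the control is meant to fix).
WEAK_AUTHZ = {
    "defaultUserRolePermissions": {
        "permissionGrantPoliciesAssigned": [
            "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
        ]
    }
}
WEAK_CONSENT_REQUEST = {"isEnabled": False, "reviewers": []}

# Constructed sample: the APP-04 target state. An empty
# permissionGrantPoliciesAssigned list means users cannot consent themselves.
HARDENED_AUTHZ = {
    "defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": []}
}
HARDENED_CONSENT_REQUEST = {
    "isEnabled": True,
    "notifyReviewers": True,
    "requestDurationInDays": 30,
    "reviewers": [
        # placeholder object id: replace with a real approver's user id
        {"query": "/users/<reviewer-object-id>", "queryType": "MicrosoftGraph"}
    ],
}


def evaluate_app04(authz_policy: dict, consent_request_policy: dict) -> list:
    """Return a list of findings; an empty list means APP-04 is satisfied."""
    findings = []
    grant_policies = (
        authz_policy.get("defaultUserRolePermissions", {})
        .get("permissionGrantPoliciesAssigned", [])
    )
    # Any assigned grant policy lets ordinary users consent to apps on their own.
    if grant_policies:
        findings.append(f"user consent still allowed via {grant_policies}")
    # The workflow itself must be switched on.
    if not consent_request_policy.get("isEnabled", False):
        findings.append("admin consent request workflow is disabled")
    # APP-04 expects requests to be routed to designated approvers.
    if not consent_request_policy.get("reviewers"):
        findings.append("no reviewers configured for consent requests")
    return findings


if __name__ == "__main__":
    print("weak tenant:", evaluate_app04(WEAK_AUTHZ, WEAK_CONSENT_REQUEST))
    print("hardened tenant:", evaluate_app04(HARDENED_AUTHZ, HARDENED_CONSENT_REQUEST))
```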

Related controls: APP-04
Q
Why is Enable Admin Consent Workflow important for Microsoft 365 security?
A

Without admin consent workflow, any user can grant an OAuth app access to their data. Attackers use illicit consent grant attacks to trick users into granting malicious apps access. Admin approval stops this attack vector.

Related controls: APP-04
Q
How do I implement APP-04 in my tenant?
A

TrueConfig provides one-click remediation for APP-04, which configures the admin consent workflow settings.

Related controls: APP-04
Q
What license do I need for APP-04?
A

This control can be implemented with any Microsoft 365 subscription, including free Azure AD.

Related controls: APP-04
Q
Which security baseline includes APP-04?
A

APP-04 is included in the Enhanced Security baseline (Level 2). This level adds stricter controls for security-conscious organizations.

Related controls: APP-04