How to Fix: Enable Admin Consent Workflow
Step-by-step guide to implement enable admin consent workflow in your Microsoft 365 environment.
5-10 minutes
Estimated Time
4
Steps
medium
Severity
Enhanced Security
Baseline Level
Why This Matters
Without admin consent workflow, any user can grant an OAuth app access to their data. Attackers use illicit consent grant attacks to trick users into granting malicious apps access. Admin approval stops this attack vector.
Prerequisites
- 1Global Administrator or appropriate admin role in Microsoft Entra ID
- 2Access to Microsoft Entra admin center (entra.microsoft.com)
Expected Configuration
- Admin consent workflow is enabled
- Users cannot consent to applications themselves
- Consent requests are routed to designated approvers
Remediation Steps
Audit Current Applications
Review the applications in your Entra ID tenant.
- •Navigate to Microsoft Entra admin center
- •Go to Applications > Enterprise applications
- •Review app registrations and permissions
Identify Required Changes
Determine which applications need modification.
- •Compare against expected configuration
- •Identify risky or non-compliant apps
- •Plan remediation approach
Apply Remediation
Make the necessary changes to application configurations.
- •Update consent settings as needed
- •Modify application permissions
- •Configure app governance policies
Verify Compliance
Confirm applications meet security requirements.
- •Run TrueConfig scan
- •Review any remaining findings
- •Document changes made
Auto-Remediation Available
TrueConfig can automatically fix this control for you. Enable auto-remediation to have this configuration applied and maintained automatically.
Learn about auto-remediationRelated Resources
Automate Your Security Configuration
TrueConfig continuously monitors your Microsoft 365 environment and can automatically fix configuration drift. Start your free trial today.
Start Free Trial