How to Fix: Restrict User Application Consent
Step-by-step guide to implement restrict user application consent in your Microsoft 365 environment.
5-10 minutes
Estimated Time
4
Steps
high
Severity
Recommended Secure
Baseline Level
Why This Matters
OAuth phishing attacks trick users into granting malicious apps access to their data. By blocking user consent, you force all app permission requests through admin review, stopping this attack vector.
Prerequisites
- 1Global Administrator or appropriate admin role in Microsoft Entra ID
- 2Access to Microsoft Entra admin center (entra.microsoft.com)
Expected Configuration
- Users cannot consent to applications requesting permissions
- Admin consent workflow is the only path for new app permissions
- Pre-approved apps are allowlisted if needed
Remediation Steps
Audit Current Applications
Review the applications in your Entra ID tenant.
- •Navigate to Microsoft Entra admin center
- •Go to Applications > Enterprise applications
- •Review app registrations and permissions
Identify Required Changes
Determine which applications need modification.
- •Compare against expected configuration
- •Identify risky or non-compliant apps
- •Plan remediation approach
Apply Remediation
Make the necessary changes to application configurations.
- •Update consent settings as needed
- •Modify application permissions
- •Configure app governance policies
Verify Compliance
Confirm applications meet security requirements.
- •Run TrueConfig scan
- •Review any remaining findings
- •Document changes made
Auto-Remediation Available
TrueConfig can automatically fix this control for you. Enable auto-remediation to have this configuration applied and maintained automatically.
Learn about auto-remediationRelated Resources
Automate Your Security Configuration
TrueConfig continuously monitors your Microsoft 365 environment and can automatically fix configuration drift. Start your free trial today.
Start Free Trial