
Entra tenant does not allow users to consent to non-verified applications

entra_policy_user_consent_for_verified_apps

Severity: high
Service: entra
by Prowler

The Microsoft Entra authorization policy for the default user role is assessed for assignment of the user-consent policy microsoft-user-default-legacy. Its presence means any user can self-consent to an application's permission requests; its absence indicates that consent is restricted (for example, to verified publishers or low-impact scopes only, or to admin consent).
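The following is an added example, not Prowler's own check code: it evaluates the `permissionGrantPolicyIdsAssignedToDefaultUserRole` list of a Microsoft Graph `authorizationPolicy` object the way the check described above does, with three constructed sample policies (legacy self-consent, low-impact only, and user consent disabled).

```python
from dataclasses import dataclass

# Full policy ids as returned by Graph in permissionGrantPolicyIdsAssignedToDefaultUserRole
LEGACY_POLICY = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
LOW_IMPACT_POLICY = "ManagePermissionGrantsForSelf.microsoft-user-default-low"


@dataclass
class Finding:
    status: str            # "PASS" or "FAIL", mirroring the check's outcome
    status_extended: str   # human-readable reason


def assess_user_consent(authorization_policy: dict) -> Finding:
    """FAIL when the default user role carries the legacy self-consent policy
    (users may consent to any app); PASS when consent is restricted or disabled."""
    assigned = authorization_policy.get(
        "permissionGrantPolicyIdsAssignedToDefaultUserRole", []
    )
    # Compare on the policy name after the "ManagePermissionGrantsForSelf." prefix,
    # case-insensitively, so a bare id such as "microsoft-user-default-legacy" also matches.
    names = {p.split(".", 1)[-1].lower() for p in assigned}
    if "microsoft-user-default-legacy" in names:
        return Finding("FAIL", "Users can consent to any application "
                               "(microsoft-user-default-legacy is assigned to the default user role).")
    if not assigned:
        return Finding("PASS", "User consent is disabled; admin consent is required for all apps.")
    return Finding("PASS", "User consent is restricted to: " + ", ".join(sorted(assigned)) + ".")


# Constructed sample authorizationPolicy fragments (not captured from a real tenant)
SAMPLE_LEGACY = {"id": "authorizationPolicy",
                 "permissionGrantPolicyIdsAssignedToDefaultUserRole": [LEGACY_POLICY]}
SAMPLE_LOW = {"id": "authorizationPolicy",
              "permissionGrantPolicyIdsAssignedToDefaultUserRole": [LOW_IMPACT_POLICY]}
SAMPLE_DISABLED = {"id": "authorizationPolicy",
                   "permissionGrantPolicyIdsAssignedToDefaultUserRole": []}


def run_samples() -> dict:
    """Evaluate the three constructed policies; returns {name: status}."""
    return {name: assess_user_consent(pol).status
            for name, pol in (("legacy", SAMPLE_LEGACY),
                              ("low", SAMPLE_LOW),
                              ("disabled", SAMPLE_DISABLED))}


if __name__ == "__main__":
    for name, pol in (("legacy", SAMPLE_LEGACY), ("low", SAMPLE_LOW), ("disabled", SAMPLE_DISABLED)):
        f = assess_user_consent(pol)
        print(f"{name:9} {f.status:4} {f.status_extended}")
```

To run it against a live tenant, feed the JSON returned by `GET /policies/authorizationPolicy` (Microsoft Graph) into `assess_user_consent`.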

Risk

Broad self-consent enables OAuth consent phishing and rogue apps to obtain tokens for tenant data (confidentiality), request write scopes to modify resources (integrity), and persist via refresh tokens even after password changes. Mis-scoped grants can drive lateral movement and privilege escalation.

Run this check with Prowler CLI

prowler azure --checks entra_policy_user_consent_for_verified_apps

Recommendation

Enforce least privilege for app consent:

  • Remove microsoft-user-default-legacy
  • Allow consent only for verified publishers and low-impact permissions (e.g., microsoft-user-default-low)
  • Require admin approval for higher-risk scopes via the admin consent workflow
  • Periodically review and revoke unused consent grants

Remediation

CLI

Update-MgPolicyAuthorizationPolicy -BodyParameter @{permissionGrantPolicyIdsAssignedToDefaultUserRole=@('ManagePermissionGrantsForSelf.microsoft-user-default-low')}

Other
  1. Sign in to Microsoft Entra admin center as Global Administrator or Privileged Role Administrator
  2. Go to Identity > Applications > Enterprise applications
  3. Select Consent and permissions > User consent settings
  4. Under User consent for applications, select "Allow user consent for apps from verified publishers, for selected permissions"
  5. Click Save

Resource Type: NotDefined
