Version: 2.0.1 (preview)

Default Authorization Settings - User consent policy assigned for applications

Defines whether user consent to apps is allowed and, if it is, which app consent policy (permissionGrantPolicy) governs the permissions users may grant.

Name: permissionGrantPolicyIdsAssignedToDefaultUserRole
Control: Default Authorization Settings
Description: Manages authorization settings in Entra ID (Azure AD)
Severity: High

How to fix

Details of configuration item

Recommendation: Microsoft recommends allowing user consent only for apps from verified publishers and only for selected permissions. CISA SCuBA 2.7 defines that all Non-Admin Users SHALL Be Prevented From Providing Consent To Third-Party Applications.
Configuration: policies/authorizationPolicy
Setting: permissionGrantPolicyIdsAssignedToDefaultUserRole -clike 'ManagePermissionGrantsForSelf*'
Recommended Value: 'ManagePermissionGrantsForSelf.microsoft-user-default-low'
Default Value: ManagePermissionGrantsForSelf.microsoft-user-default-legacy
Graph API Docs: authorizationPolicy resource type - Microsoft Graph v1.0 - Microsoft Learn
Graph Explorer: Open in Graph Explorer
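An added example (not from this page or the Maester project) that implements the check the setting above describes: it reads the authorization policy, isolates the ManagePermissionGrantsForSelf.* entry, compares it with the recommended and legacy values, and offers a guarded remediation. It assumes the Microsoft Graph PowerShell SDK with Connect-MgGraph already done (Policy.Read.All to read, Policy.ReadWrite.Authorization to write), and that the beta authorizationPolicy endpoint exposes the property under the name used on this page.

```powershell
# Added example, not the page's or Maester's own code. Assumes Connect-MgGraph has been run
# and that beta policies/authorizationPolicy exposes permissionGrantPolicyIdsAssignedToDefaultUserRole.

$RecommendedPolicy = 'ManagePermissionGrantsForSelf.microsoft-user-default-low'
$LegacyPolicy      = 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy'

function Test-DefaultUserConsentPolicy {
    param(
        # Authorization policy as returned by Graph (hashtable from Invoke-MgGraphRequest or a PSObject)
        [Parameter(Mandatory)] $AuthorizationPolicy
    )
    $assigned = @($AuthorizationPolicy.permissionGrantPolicyIdsAssignedToDefaultUserRole)
    # Only ManagePermissionGrantsForSelf.* entries govern user consent; -clike is case-sensitive,
    # matching the setting expression on this page
    $selfConsent = @($assigned | Where-Object { $_ -clike 'ManagePermissionGrantsForSelf*' })

    [pscustomobject]@{
        AssignedPolicies    = $assigned
        UserConsentPolicies = $selfConsent
        UserConsentDisabled = ($selfConsent.Count -eq 0)          # CISA SCuBA 2.7 posture
        UsesLegacyDefault   = [bool]($selfConsent -ccontains $LegacyPolicy)
        # Pass when consent is off entirely (CISA) or limited to the recommended low policy (Microsoft)
        MeetsRecommendation = ($selfConsent.Count -eq 0) -or
                              ($selfConsent.Count -eq 1 -and $selfConsent[0] -ceq $RecommendedPolicy)
    }
}

function Get-DefaultUserConsentPolicyStatus {
    # Assumption: beta endpoint; v1.0 nests the list under defaultUserRolePermissions instead
    $policy = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy'
    Test-DefaultUserConsentPolicy -AuthorizationPolicy $policy
}

function Set-DefaultUserConsentPolicy {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([string]$PolicyId = $RecommendedPolicy)
    # Tenant-wide change: replaces the self-consent policy assigned to the default user role
    if ($PSCmdlet.ShouldProcess('policies/authorizationPolicy', "Assign $PolicyId to default user role")) {
        Invoke-MgGraphRequest -Method PATCH -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy' `
            -Body @{ permissionGrantPolicyIdsAssignedToDefaultUserRole = @($PolicyId) }
    }
}

# Constructed sample of a tenant still on the legacy default (not a real tenant's data)
$sample = @{ permissionGrantPolicyIdsAssignedToDefaultUserRole = @($LegacyPolicy) }
Test-DefaultUserConsentPolicy -AuthorizationPolicy $sample | Format-List
# Live check: Get-DefaultUserConsentPolicyStatus   Dry-run fix: Set-DefaultUserConsentPolicy -WhatIf
```

The constructed sample reports UsesLegacyDefault = True and MeetsRecommendation = False; the same function applied to the live object tells you whether the tenant still needs the fix.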

MITRE ATT&CK

Tactic:
- TA0001 - Initial Access
- TA0005 - Defense Evasion
- TA0006 - Credential Access
- TA0008 - Lateral Movement

Technique:
- T1566.002 - Phishing: Spearphishing Link
- T1078 - Valid Accounts
- T1550 - Use Alternate Authentication Material
- T1528 - Steal Application Access Token

Mitigation:
- M1017 - User Training
- M1018 - User Account Management