Users can consent to third-party applications

The tenant allows regular users to grant consent to third-party applications, which enables illicit consent grant attacks: a user is phished into approving an attacker-registered app, and the resulting OAuth token gives the attacker delegated access to that user's data without a password or MFA prompt.

Category
External Collaboration
Default severity
Medium
Rule key
CHECK_USER_CONSENT_SETTINGS
Last updated

How to fix it

Restrict user consent to verified publishers with low-impact permissions, or disable user consent entirely and route requests through the admin consent workflow.
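The setting behind this rule is the `permissionGrantPoliciesAssigned` list on the tenant's authorization policy, which Graph exposes via `GET /policies/authorizationPolicy` (readable with `Policy.Read.All`). The check below is an added example, not EntraAnalyzer's own code: it classifies constructed sample policy documents shaped like that Graph response into the three states the fix describes (consent to all apps, verified publishers with low-impact permissions only, or user consent disabled) and flags the risky one.

```python
"""Added example (not EntraAnalyzer's code): classify user consent from the
Entra authorization policy. Sample documents below are constructed and assume
the shape of GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy.
"""

# Built-in permission grant policies that Entra assigns to the default user role.
ALLOW_ALL = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
LOW_IMPACT_VERIFIED = "ManagePermissionGrantsForSelf.microsoft-user-default-low"
# Team/chat owner grants use a different prefix and are not user self-consent.
SELF_PREFIX = "ManagePermissionGrantsForSelf."

# Constructed samples: tenant default, hardened tenant, consent disabled.
SAMPLE_DEFAULT = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [
    ALLOW_ALL,
    "ManagePermissionGrantsForOwnedResource.microsoft-all-application-permissions-for-chat",
]}}
SAMPLE_HARDENED = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [
    LOW_IMPACT_VERIFIED,
]}}
SAMPLE_DISABLED = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": []}}


def classify_user_consent(policy: dict) -> str:
    """Return 'all-apps', 'verified-low-impact', 'disabled' or 'custom'."""
    assigned = policy.get("defaultUserRolePermissions", {}) \
                     .get("permissionGrantPoliciesAssigned", [])
    self_grants = [p for p in assigned if p.startswith(SELF_PREFIX)]
    if not self_grants:
        return "disabled"          # users must go through admin consent workflow
    if ALLOW_ALL in self_grants:
        return "all-apps"          # any user can consent to any app: the finding
    if self_grants == [LOW_IMPACT_VERIFIED]:
        return "verified-low-impact"
    return "custom"                # a tenant-defined policy; review its conditions


def evaluate(policy: dict) -> dict:
    """Produce a PASS/FAIL finding in the spirit of CHECK_USER_CONSENT_SETTINGS."""
    setting = classify_user_consent(policy)
    failing = setting in ("all-apps", "custom")
    return {"rule": "CHECK_USER_CONSENT_SETTINGS", "setting": setting,
            "status": "FAIL" if failing else "PASS",
            "severity": "Medium" if failing else None}


if __name__ == "__main__":
    for name, doc in [("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED),
                      ("disabled", SAMPLE_DISABLED)]:
        print(name, evaluate(doc))
```

A `custom` result is reported as FAIL because a tenant-defined grant policy needs manual review of its conditions; a real scan would fetch the policy with an authenticated Graph client instead of the constructed samples.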

Required Microsoft Graph permissions

EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:

  • Policy.Read.All

Further reading

Microsoft documentation →

Run this check on your tenant

EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.