Tenant-wide consent grants

Detects OAuth2 grants with AllPrincipals consent type

Category
Application Security
Default severity
Medium
Rule key
CHECK_WIDE_SCOPE_GRANTS
Last updated

Why this matters

What this means

An application in your tenant has been granted tenant-wide (AllPrincipals) consent. This means an administrator has clicked "Consent for the entire organisation" — the application can act on behalf of any user without individual consent.

Why is it a security risk?

  • If the application is compromised or malicious, it already has the permissions needed to access sensitive data — the "door is already open".
  • Broad scopes like user_impersonation allow the application to read and write data as if it were the logged-in user.
  • Tenant-wide consent is permanent until explicitly revoked — it is easy to forget these grants exist.

Recommended next steps

  1. Go to Microsoft Entra admin center → Enterprise applications → [App name] → Permissions and review the granted scopes.
  2. Determine if the application still needs this level of access. If not, click Revoke permissions.
  3. Consider using admin consent workflows to require approval before future tenant-wide grants.
  4. Regularly audit consent grants using the app consent policies feature.
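The check described above, written out as a small audit script. This is an added example, not EntraAnalyzer's own code: it evaluates records shaped like Microsoft Graph `oauth2PermissionGrant` objects (the delegated grants returned by `GET /oauth2PermissionGrants`), where `consentType` is `AllPrincipals` for a tenant-wide grant and `Principal` for a single-user grant, and `scope` is a space-separated list of the delegated permissions granted. The sample grants, the service principal identifiers and the list of scopes treated as "broad" are constructed for the example; only `user_impersonation` comes from the page.

```python
"""Flag tenant-wide (AllPrincipals) OAuth2 delegated permission grants.

Added example, not EntraAnalyzer's code. The records below mimic the shape of
Microsoft Graph oauth2PermissionGrant objects; all ids and scopes are constructed.
A live audit would fetch the same shape with the Graph query (not executed here):
    GET /v1.0/oauth2PermissionGrants?$filter=consentType eq 'AllPrincipals'
"""
from dataclasses import dataclass, field

# Delegated scopes that let an app act broadly as the signed-in user.
# user_impersonation is the one the rule text names; the rest are assumptions
# chosen to illustrate the idea of a "wide" scope.
WIDE_SCOPES = {"user_impersonation", "Directory.ReadWrite.All", "Mail.ReadWrite"}

# Constructed sample grants. principalId is null for AllPrincipals grants,
# exactly as Graph returns them.
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": "sp-crm-sync", "resourceId": "sp-graph",
     "consentType": "AllPrincipals", "principalId": None,
     "scope": "openid profile user_impersonation"},
    {"id": "g2", "clientId": "sp-mail-helper", "resourceId": "sp-graph",
     "consentType": "Principal", "principalId": "user-42",
     "scope": "Mail.Read"},
    {"id": "g3", "clientId": "sp-dashboard", "resourceId": "sp-graph",
     "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read"},
]


@dataclass
class Finding:
    """One tenant-wide grant that needs review."""
    grant_id: str
    client_id: str
    resource_id: str
    scopes: list[str] = field(default_factory=list)
    wide_scopes: list[str] = field(default_factory=list)


def evaluate_grants(grants):
    """Return a Finding for every grant whose consentType is AllPrincipals.

    Per-user (Principal) grants are skipped: they only ever act for the one
    user who consented. Scopes in WIDE_SCOPES are listed separately so the
    reviewer sees the grants that deserve attention first.
    """
    findings = []
    for grant in grants:
        if grant.get("consentType") != "AllPrincipals":
            continue
        scopes = (grant.get("scope") or "").split()
        findings.append(Finding(
            grant_id=grant["id"],
            client_id=grant["clientId"],
            resource_id=grant["resourceId"],
            scopes=scopes,
            wide_scopes=sorted(s for s in scopes if s in WIDE_SCOPES),
        ))
    # Grants carrying broad scopes sort to the top of the review list.
    findings.sort(key=lambda f: (not f.wide_scopes, f.client_id))
    return findings


def render_report(findings):
    """Plain-text summary of the findings, one line per grant."""
    lines = [f"{len(findings)} tenant-wide consent grant(s) found"]
    for f in findings:
        flag = " BROAD: " + ", ".join(f.wide_scopes) if f.wide_scopes else ""
        lines.append(f"- {f.client_id} -> {f.resource_id}: {' '.join(f.scopes)}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(evaluate_grants(SAMPLE_GRANTS)))
```

Each finding maps directly onto the review steps above: `client_id` is the enterprise application to open in the Entra admin center, `scopes` are the permissions to review there, and `wide_scopes` marks the grants to look at first.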

How to fix it

Review tenant-wide consent grants and remove unnecessary ones.

Required Microsoft Graph permissions

EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:

  • Directory.Read.All

Further reading

Microsoft documentation →

Run this check on your tenant

EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.

Get started — free first scan →