EIDSCA.CP04 - Default Settings - Consent Policy Settings - Users can request admin consent to apps they are unable to consent to.
Overview
If this option is set to enabled, then users request admin consent to any app that requires access to data they do not have the permission to grant. If this option is set to disabled, then users must contact their admin to request to consent in order to use the apps they need.
CISA SCuBA 2.7: Non-Admin Users SHALL Be Prevented From Providing Consent To Third-Party Applications.
Test script
https://graph.microsoft.com/beta/settings
.values -eq 'true'
Related links
- Open in Graph Explorer
- directorySetting resource type - Microsoft Graph beta | Microsoft Learn
- View in Microsoft Entra admin center
MITRE ATT&CK
| Tactic | Technique | Mitigation |
|---|---|---|
| TA0001 - Initial Access - Initial Access | T1566.002 - Phishing: Spearphishing Link T1078 - Valid Accounts | M1017 - User Training M1018 - User Account Management M1047 - Audit |
Test Metadata
| Field | Value |
|---|---|
| Test ID | EIDSCA.CP04 |
| Severity | Medium |
| Suite | Entra ID SCA |
| Category | General |
| PowerShell test | Test-MtEidscaCP04 |
| Tags | EIDSCA, EIDSCA.CP04 |
Source
- Pester test:
tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 - PowerShell source:
powershell/internal/eidsca/Test-MtEidscaCP04.ps1