Mandate that administrators give their consent before app usage.

Unless Azure Active Directory functions as an identity provider for external applications, it is advised to prohibit users from using their identity outside of the cloud environment. This is because user profiles hold sensitive information, like phone numbers and email addresses, that could be sold to other third-party entities without needing additional consent from the user.

Impact

This may result in more requests to administrators that have to be fulfilled frequently.

Audit Steps

1. Navigate to Azure Active Directory.
2. Navigate to the Users section.
3. Navigate to the User Settings section.
4. Select the option to Manage how end users launch and view their applications.
5. Make sure that the setting for Users can add gallery apps to My Apps is set to "No".

It is important to note that currently, there is no API/CLI method available to automatically perform a security assessment for this recommendation.

Remediation Steps

1. Navigate to Azure Active Directory.
2. Navigate to the Users section.
3. Navigate to the User Settings section.
4. Select the option to Manage how end users launch and view their applications.
5. Change the setting for Users can add gallery apps to My Apps to "No".

Useful Links

1. https://blogs.msdn.microsoft.com/exchangedev/2014/06/05/managing-user- consent-for-applications-using-office-365-apis/
2. https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for- Permissions-in-Azure-Active-Directory.aspx
3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls- v2-governance-strategy#gs-1-define-asset-management-and-data-protection- strategy
4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls- v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users
5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls- v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical- systems