Version: 2.1.1-preview

EIDSCA.AP08 - Default Authorization Settings - User consent policy assigned for applications.

Overview

Defines whether users are allowed to consent to apps and, if so, which app consent policy (permissionGrantPolicy) governs the permissions they may grant.

Microsoft recommends allowing user consent only for apps from verified publishers and only for selected permissions. CISA SCuBA 2.7 states that all non-admin users SHALL be prevented from providing consent to third-party applications.

Test script

https://graph.microsoft.com/beta/policies/authorizationPolicy
.permissionGrantPolicyIdsAssignedToDefaultUserRole -clike 'ManagePermissionGrantsForSelf*' -eq 'ManagePermissionGrantsForSelf.microsoft-user-default-low'
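The same condition the test script above expresses, as an added PowerShell example that is not Maester's own Test-MtEidscaAP08; the function name is mine and the three authorizationPolicy samples are constructed, not tenant data. It also shows why a tenant that has disabled user consent entirely (the SCuBA 2.7 posture) is reported as failing this check: the policy list then contains no ManagePermissionGrantsForSelf entry, so the comparison cannot match.

```powershell
# Added example, not Maester's Test-MtEidscaAP08. Evaluates the EIDSCA.AP08 condition
# against an object shaped like GET https://graph.microsoft.com/beta/policies/authorizationPolicy.
$LowDefaultPolicyId = 'ManagePermissionGrantsForSelf.microsoft-user-default-low'

function Test-UserConsentPolicyIsLowDefault {
    param([Parameter(Mandatory)] $AuthorizationPolicy)

    # Only the ManagePermissionGrantsForSelf.* entry decides the result; the
    # ManagePermissionGrantsForOwnedResource.* entries govern resources the user owns (e.g. teams).
    $selfPolicies = @($AuthorizationPolicy.permissionGrantPolicyIdsAssignedToDefaultUserRole |
        Where-Object { $_ -clike 'ManagePermissionGrantsForSelf*' })

    $assigned = if ($selfPolicies.Count -gt 0) { $selfPolicies[0] } else { '(none: user consent disabled)' }

    [pscustomobject]@{
        UserConsentEnabled = ($selfPolicies.Count -gt 0)
        AssignedPolicy     = $assigned
        # Passes only when exactly the "verified publisher, selected permissions" policy is assigned.
        Passed             = ($selfPolicies.Count -eq 1 -and $selfPolicies[0] -ceq $LowDefaultPolicyId)
    }
}

# Constructed samples: the three states an admin can choose under "User consent for applications".
$samples = [ordered]@{
    'Verified publishers, selected permissions' = @{ permissionGrantPolicyIdsAssignedToDefaultUserRole = @(
        'ManagePermissionGrantsForSelf.microsoft-user-default-low',
        'ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-team') }
    'Allow user consent for all apps'           = @{ permissionGrantPolicyIdsAssignedToDefaultUserRole = @(
        'ManagePermissionGrantsForSelf.microsoft-user-default-legacy') }
    'Do not allow user consent'                 = @{ permissionGrantPolicyIdsAssignedToDefaultUserRole = @() }
}

foreach ($name in $samples.Keys) {
    $r = Test-UserConsentPolicyIsLowDefault -AuthorizationPolicy ([pscustomobject]$samples[$name])
    '{0,-42} consent enabled: {1,-5} assigned: {2,-60} pass: {3}' -f $name, $r.UserConsentEnabled, $r.AssignedPolicy, $r.Passed
}

# Against a real tenant (needs the Microsoft.Graph module and Policy.Read.All):
# Connect-MgGraph -Scopes 'Policy.Read.All'
# $policy = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy'
# Test-UserConsentPolicyIsLowDefault -AuthorizationPolicy $policy
```

Only the first sample passes; the "all apps" sample fails because the legacy policy is assigned, and the "do not allow" sample fails because no ManagePermissionGrantsForSelf policy is assigned at all.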

MITRE ATT&CK

Tactic
  • TA0001 - Initial Access - Initial Access
  • TA0005 - Defense Evasion - Stealth
  • TA0006 - Credential Access - Credential Access
  • TA0008 - Lateral Movement - Lateral Movement

Technique
  • T1566.002 - Phishing: Spearphishing Link
  • T1078 - Valid Accounts
  • T1550 - Use Alternate Authentication Material
  • T1528 - Steal Application Access Token

Mitigation
  • M1017 - User Training
  • M1018 - User Account Management

Test Metadata

  • Test ID: EIDSCA.AP08
  • Severity: Medium
  • Suite: Entra ID SCA
  • Category: General
  • PowerShell test: Test-MtEidscaAP08
  • Tags: EIDSCA, EIDSCA.AP08

Source

  • Pester test: tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1
  • PowerShell source: powershell/internal/eidsca/Test-MtEidscaAP08.ps1