Do not allow users to grant consent to unmanaged applications


In this blog post I will go through the process of preventing users in your organisation from allowing third-party apps to access their Office 365 information, so that future consent operations must be performed by an administrator.

This is a recommended Microsoft action and you may come across an alert within the Secure Score section of your Azure Portal. The message is as follows:

Tighten the security of your services by regulating the access of third-party integrated apps. Only allow access to necessary apps that support robust security controls. Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy. Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts. Policy in place: false.

1. Log in to your Azure Portal (portal.azure.com)

2. Locate and click Azure Active Directory

3. Click Enterprise applications

4. Click User Settings

5. Switch Users can consent to apps accessing company data on their behalf to No


Users can consent to apps accessing company data on their behalf
If this option is set to yes, then users may consent to allow applications which are not published by Microsoft to access your organisation’s data, if the user also has access to the data. This also means that the users will see these apps on their Access Panels. If this option is set to no, then admins must consent to these applications before users may use them.

6. After selecting No, the following message appears with instructions on managing LinkedIn account connections if required.

There is also a further warning that users can still consent to apps accessing the groups they own. I’ll cover this in step 7 below.

7. Further down you may also wish to disable Users can consent to apps accessing company data for the groups they own, or limit it to a certain group as shown in the second screenshot below.

Users can consent to apps accessing company data for the groups they own
If this option is set to yes, then all users who are owners of a group may consent to allow third-party multi-tenant applications to access the data of the groups they own. If this option is set to no, then no user can consent to those applications to access the data of the groups they own. If this option is set to limited, then only the members of the group selected can consent to those applications to access the data of the groups they own.

8. After disabling user consent, you may wish to set up admin consent requests, so that users can still ask an administrator to approve an app rather than having to contact them directly. The two settings are described as follows:

Users can request admin consent to apps they are unable to consent to:
If this option is set to yes, then users request admin consent to any app that requires access to data they do not have the permission to grant.
If this option is set to no, then users must contact their admin to request to consent in order to use the apps they need.


Select users to review admin consent:
The selected users can review and act on new admin consent requests. Only users with the Global, Application, or Cloud application administrator role can grant admin consent, so only those users will be available for selection. Removing a user from the list of reviewers will not remove their role, so they will retain their admin privileges until their role is explicitly changed.

9. When ready, don’t forget to click the Save button.
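The same result can be achieved from the command line, which is handy for checking the setting across several tenants or putting it under change control. The script below is an added example, not code from the original post: it uses the Microsoft Graph PowerShell SDK to apply the step 5 and step 8 settings (the group-owner setting from step 7 lives in a separate directory setting and is not covered here), and then lists the delegated grants individual users had already made before the change, since those are exactly the "integrated apps" the Secure Score message warns about. It assumes the Microsoft.Graph modules are installed and that the signed-in account holds a role allowed to write authorization policies; the reviewer account name is a placeholder you must replace.

```powershell
# Added example (not from the original post): apply the blog's portal steps with
# the Microsoft Graph PowerShell SDK, then audit grants users have already made.
# Assumes the Microsoft.Graph modules are installed and the signed-in account
# can write authorization policies (e.g. Global Administrator).
# The reviewer UPN below is a constructed placeholder; replace it with a real admin.

$ReviewerUpn = 'consent-reviewer@contoso.example'   # placeholder, constructed

Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization',
                        'Policy.ReadWrite.ConsentRequest',
                        'Directory.Read.All',
                        'User.Read.All'

# --- Step 5 equivalent: "Users can consent to apps accessing company data" -> No
$authz    = Get-MgPolicyAuthorizationPolicy
$assigned = $authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
if ($assigned.Count -gt 0) {
    Write-Host "User consent currently allowed via: $($assigned -join ', ')"
    # An empty list of permission grant policies means no user can consent on their own.
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
        PermissionGrantPoliciesAssigned = @()
    }
    Write-Host 'User consent disabled; admins must now consent to third-party apps.'
} else {
    Write-Host 'User consent is already disabled.'
}

# --- Step 8 equivalent: let users request admin consent instead of contacting an admin.
# Reviewers must already hold an eligible admin role (see the portal note above).
$reviewer = Get-MgUser -UserId $ReviewerUpn -Property Id
Update-MgPolicyAdminConsentRequestPolicy -BodyParameter @{
    IsEnabled             = $true
    NotifyReviewers       = $true
    RemindersEnabled      = $true
    RequestDurationInDays = 30
    Reviewers             = @(
        @{ Query = "/users/$($reviewer.Id)"; QueryType = 'MicrosoftGraph' }
    )
}

# --- Check: which delegated grants did individual users make before the change?
# ConsentType 'Principal' is a per-user consent; 'AllPrincipals' is tenant-wide admin consent.
# Disabling user consent does not revoke these, so review them separately.
$userGrants = Get-MgOauth2PermissionGrant -All | Where-Object ConsentType -eq 'Principal'
foreach ($g in $userGrants) {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId `
                                 -Property DisplayName, AppOwnerOrganizationId
    [pscustomobject]@{
        App       = $sp.DisplayName
        AppOwner  = $sp.AppOwnerOrganizationId   # differs from your tenant id for third-party apps
        Scopes    = $g.Scope
        GrantedBy = $g.PrincipalId               # object id of the consenting user
    }
}
```

Run the first block first with `Get-MgPolicyAuthorizationPolicy` on its own if you only want to report the current state; the audit at the end is worth keeping in any case, because turning the switch to No stops new user consents but leaves existing grants in place until an administrator removes them.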
