turbot/azure_cis
Pipeline: 2.13 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
Description
Allow users to provide consent for selected permissions when a request is coming from a verified publisher.
If Microsoft Entra ID is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.
Remediation
From Azure Portal
- From Azure Home select the Portal Menu.
- Select Microsoft Entra ID.
- Under Manage, select Enterprise applications.
- Under Security, select Consent and permissions.
- Under Manage, select User consent settings.
- Under User consent for applications, select Allow user consent for apps from verified publishers, for selected permissions.
- Click Save.
Default Value
By default, User consent for applications is set to Allow user consent for apps.
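The same setting can be checked without the portal, because Microsoft Graph exposes it in the authorization policy (`GET /policies/authorizationPolicy`, field `defaultUserRolePermissions.permissionGrantPoliciesAssigned`). The following is an added example, not code from the azure_cis mod: it classifies an already-fetched policy document, and the function names and sample documents are constructed for illustration.

```python
# Classify the Entra ID user-consent state from a Graph authorizationPolicy document.
PREFIX = "managepermissiongrantsforself."
# Built-in consent policy ids mapped to the portal option they represent.
BUILTIN = {
    "microsoft-user-default-low": "verified_publishers",  # value this control expects
    "microsoft-user-default-legacy": "all_apps",          # portal default
}

def classify_user_consent(policy: dict) -> str:
    perms = policy.get("defaultUserRolePermissions") or {}
    assigned = perms.get("permissionGrantPoliciesAssigned") or []
    # Only ManagePermissionGrantsForSelf.* entries govern end-user consent;
    # entries with other prefixes (e.g. group-owner consent) are ignored here.
    ids = [p.lower()[len(PREFIX):] for p in assigned if p.lower().startswith(PREFIX)]
    if not ids:
        return "disabled"             # users cannot consent at all
    states = {BUILTIN.get(i, "custom") for i in ids}
    if "all_apps" in states:
        return "all_apps"             # legacy policy present: any app can be consented to
    if "custom" in states:
        return "custom"               # custom policy: review its conditions manually
    return "verified_publishers"

def is_compliant(policy: dict) -> bool:
    # Passes only the exact setting named by this control.
    return classify_user_consent(policy) == "verified_publishers"

def _doc(*assigned):
    # Builds a constructed sample document with just the fields used above.
    return {"id": "authorizationPolicy",
            "defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": list(assigned)}}

# Constructed samples (not real tenant data).
SAMPLES = {
    "default": _doc("ManagePermissionGrantsForSelf.microsoft-user-default-legacy"),
    "remediated": _doc("ManagePermissionGrantsForSelf.microsoft-user-default-low",
                       "ManagePermissionGrantsForOwnedResource.example-team-policy"),
    "no_consent": _doc("ManagePermissionGrantsForOwnedResource.example-team-policy"),
    "custom": _doc("ManagePermissionGrantsForSelf.example-custom-policy"),
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(f"{name:11} {classify_user_consent(doc):20} compliant={is_compliant(doc)}")
```

A result of `disabled` means user consent is turned off entirely, which is stricter than this control and is reported separately from `verified_publishers`.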
Run the pipeline
To run this pipeline from your terminal:
```sh
flowpipe pipeline run azure_cis.pipeline.cis_v300_2_13
```
Use this pipeline
To call this pipeline from your pipeline, use a step:
```hcl
step "pipeline" "step_name" {
  pipeline = azure_cis.pipeline.cis_v300_2_13
}
```
Params
| Name | Type | Required | Description | Default |
|---|---|---|---|---|
| database | connection.steampipe | Yes | Database connection string. | connection.steampipe.default |
| notifier | notifier | Yes | The name of the notifier to use for sending notification messages. | notifier.default |
| notification_level | string | Yes | The verbosity level of notification messages to send. Valid options are 'verbose', 'info', 'error'. | info |
| approvers | list(notifier) | Yes | List of notifiers to be used for obtaining action/approval decisions. | notifier.default |
Outputs
This pipeline has no outputs.
Tags
folder = CIS v3.0.0/2 Identity