On Day 5 of Cybersecurity Awareness Month, learn to protect your organization by blocking user consent to suspicious applications. Stay tuned for more blogs in the Office 365 Cybersecurity blog series.

Have you ever heard of the illicit consent grant attack in Microsoft 365? It is a consent phishing attack in which an attacker registers an application in Azure AD and lures users into granting it permissions, from basic ones such as reading their profile and email address to broad ones such as access to their mailbox or OneDrive files. Users who do not recognise the trick click ‘Accept’, the application receives a valid access token to their data, and the attacker can read and exfiltrate organizational data for as long as that grant stays in place.

MFA and other basic protections do not stop this attack: the user signs in legitimately, completes MFA, and then hands the attacker’s app a token by consenting. No password is stolen, so there is nothing for a credential-based control to catch.

We have an illusion of security; we don’t have security!

– Isaac Yeffet.

Email phishing targets Microsoft 365 organizations year after year, and most defences focus on credential theft. However, a growing number of enterprises are falling prey to a newer variant, the consent phishing attack.

Do you know that the default settings O365 admins leave in place are often what allow these data leaks?

Microsoft provides numerous security settings that help safeguard enterprise data, but many of them are not prominent, and some critical defaults are not configured the way most admins would expect.

As a result, attackers can reach your organization’s data without ever bypassing MFA or a password. Admins should therefore review the defaults and check whether they actually restrict what third-party apps can do with O365 data.

Risks of Installing an OAuth 2.0 Supported Third-Party Application

Third-party applications can greatly improve workflow and time management. When an O365 user adds an external application that uses OpenID Connect or OAuth 2.0, it asks for consent to a set of permissions: reading or writing mail, accessing documents, reading the user’s profile and email address, and so on.

However, a malicious application uses the same mechanism and asks for access to far more data than it needs, via a prompt like the one below. An unsuspecting user clicks ‘Accept’, grants every requested permission, and the app can now pull sensitive information through Microsoft Graph with a legitimate token. The consent prompt lists the requested permissions, so reading that list is the only check the user gets.

App permission requested

By default, Azure AD allows users to consent to apps on their own (‘Allow user consent for apps’). An admin needs to restrict or control this setting to prevent severe security damage. Admins can manage user consent to apps using the following methods.

You must be a Global Administrator or Privileged Role Administrator to manage user consent for third-party applications. Follow the instructions below to block user consent.

  1. Sign in to the Azure portal.
  1. Select ‘Azure Active Directory’ in the left-hand menu of the Microsoft Azure portal.
  1. Navigate to ‘Enterprise Applications > Consent and Permissions > User Consent Settings’.
  1. Select ‘Do not allow user consent’ to block users from consenting to any application on their own. Note that this does not revoke consent users have already granted; review existing grants separately.

Block user consent to apps

Wait, you haven’t blocked all the doors an attacker can enter through malicious applications. You have only removed users’ ability to consent for themselves. Group owners are still allowed to consent to apps accessing the data of the O365 groups and teams they own.

So, enable the ‘Do not allow group owner consent’ setting shown below to block app consent for the groups a user owns as well.

Block group consent to apps

As a middle ground, Microsoft provides a setting that allows user consent only for apps from verified publishers (publishers whose identity Microsoft has verified through the Partner Network; this is not the same as Microsoft 365 app certification) or apps registered in your own tenant. If you choose ‘Allow user consent for apps from verified publishers, for selected permissions’, you also control which delegated permissions users may grant, and users are blocked from consenting to an application from an unverified publisher or to any permission outside that set.

Currently, admins can define the set of delegated permissions classified as ‘Low impact’; the ‘Medium’ and ‘High’ classifications are in preview.

Add low impact permissions
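The same user consent settings can be applied and verified from Microsoft Graph PowerShell, which is handy when you manage several tenants or want the change in a script. The block below is an added example for this post, not code from the original article or from AdminDroid; it assumes the Microsoft.Graph PowerShell SDK is installed and that you sign in with a Global Administrator or Privileged Role Administrator account. The policy IDs `microsoft-user-default-legacy` and `microsoft-user-default-low` are Microsoft’s built-in consent policies, the `ManagePermissionGrantsForOwnedResource` prefix is the one Microsoft uses for group owner consent entries, and the final listing of existing grants is there because changing the setting never revokes what users already consented to.

```powershell
# Added example (not from the original post): manage user consent with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module and a Global Administrator / Privileged Role Administrator sign-in.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.ReadWrite.PermissionGrant",
                        "Application.Read.All", "DelegatedPermissionGrant.ReadWrite.All"

# 1. Show the current user consent setting.
#    "ManagePermissionGrantsForSelf.microsoft-user-default-legacy" = Allow user consent for apps (the default)
#    "ManagePermissionGrantsForSelf.microsoft-user-default-low"    = verified publishers, low-impact permissions only
#    no ManagePermissionGrantsForSelf.* entry                      = Do not allow user consent
$assigned = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
"Current consent policies: $($assigned -join ', ')"

# 2. "Do not allow user consent": drop every user-consent entry but keep anything else
#    (group owner consent entries use the ManagePermissionGrantsForOwnedResource prefix).
$keep = @($assigned | Where-Object { $_ -notlike "ManagePermissionGrantsForSelf.*" })
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = $keep }

# 3. "Do not allow group owner consent": drop the owned-resource entries as well.
$keep = @($keep | Where-Object { $_ -notlike "ManagePermissionGrantsForOwnedResource.*" })
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = $keep }

# 4. Alternative to step 2: "Allow user consent for apps from verified publishers, for selected permissions".
#    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
#        PermissionGrantPoliciesAssigned = @($keep + "ManagePermissionGrantsForSelf.microsoft-user-default-low") }

# 5. Classify a delegated permission as "low" so that option 4 allows it. User.Read on Microsoft Graph
#    (sign in and read the user's own profile) is the usual first entry.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"   # Microsoft Graph
$scope   = $graphSp.Oauth2PermissionScopes | Where-Object { $_.Value -eq "User.Read" }
New-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $graphSp.Id `
    -PermissionId $scope.Id -PermissionName $scope.Value -Classification "low"

# 6. Blocking consent does not undo consent already given. List every delegated grant; ConsentType
#    "Principal" means a single user consented, "AllPrincipals" means an admin consented tenant-wide.
$grants = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $client = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    [pscustomobject]@{
        GrantId     = $_.Id
        App         = $client.DisplayName
        AppId       = $client.AppId
        Publisher   = $client.PublisherName
        Verified    = [bool]$client.VerifiedPublisher.VerifiedPublisherId
        ConsentType = $_.ConsentType
        PrincipalId = $_.PrincipalId
        Scopes      = $_.Scope
    }
}
# Unverified publishers holding mail or file access are the first things to look at.
$grants | Where-Object { -not $_.Verified -and $_.Scopes -match "Mail\.|Files\." } | Format-Table -AutoSize

# 7. Revoke a grant you decide is not legitimate (paste its GrantId from the list above):
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId "<GrantId>"
```

Run step 6 before and after changing the setting: the portal toggle only affects future consent prompts, so any grant an attacker already obtained survives until you remove it with step 7.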

Once user consent for apps is blocked, users cannot grant consent to an app they try to access. Admins can enable the ‘Admin Consent Workflow’ so that users can request access and an administrator grants it after review.

Admins can also designate reviewers who examine and approve those admin consent requests. Follow the steps below to enable the ‘Admin Consent Workflow’ settings.

  1. Sign in to the Azure portal.
  1. Navigate to Azure Active Directory > Enterprise Applications.
  1. Under Manage, click User Settings. Then select ‘Yes’ for ‘Users can request admin consent to apps they are unable to consent to’.
  1. Configure the users, groups, and roles to be delegated as reviewers, along with the notification, reminder, and request-expiry settings, according to your organization’s security preferences.

Enable admin consent workflow

Once the admin consent workflow is enabled, a user who is blocked from consenting sees a ‘Need admin approval’ prompt instead and can only request admin approval for the application.

Need admin approval to block user consent to apps
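The admin consent workflow can also be enabled programmatically, which lets you keep the reviewer list in a script rather than clicking through the portal. The block below is an added example for this post, not code from the original article or from AdminDroid; it calls the Graph `adminConsentRequestPolicy` endpoint through `Invoke-MgGraphRequest`, assumes the Microsoft.Graph SDK and a Global Administrator sign-in, and uses placeholder reviewer accounts (`consent.reviewer@contoso.example`, `secops.lead@contoso.example`) that you would replace with your own.

```powershell
# Added example (not from the original post): enable the admin consent workflow and set reviewers
# through the Microsoft Graph adminConsentRequestPolicy endpoint.
# Assumes the Microsoft.Graph module and a Global Administrator sign-in.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConsentRequest", "User.Read.All", "ConsentRequest.Read.All"

# Reviewers are expressed as Graph queries. These two accounts are placeholders for the example.
$reviewerUpns = @("consent.reviewer@contoso.example", "secops.lead@contoso.example")
$reviewers = foreach ($upn in $reviewerUpns) {
    $user = Get-MgUser -UserId $upn -Property Id      # fails loudly if the account does not exist
    @{ query = "/users/$($user.Id)"; queryType = "MicrosoftGraph" }
}

$policy = @{
    isEnabled             = $true   # "Users can request admin consent to apps they are unable to consent to" = Yes
    notifyReviewers       = $true   # email reviewers when a new request arrives
    remindersEnabled      = $true   # keep reminding reviewers while a request is pending
    requestDurationInDays = 30      # requests nobody acts on expire after this many days
    reviewers             = @($reviewers)
}

# adminConsentRequestPolicy is a singleton that Graph replaces with PUT rather than PATCH.
Invoke-MgGraphRequest -Method PUT `
    -Uri "https://graph.microsoft.com/v1.0/policies/adminConsentRequestPolicy" `
    -Body $policy

# Read it back to confirm the change took effect.
$current = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/policies/adminConsentRequestPolicy"
"Workflow enabled: $($current.isEnabled); reviewers: $($current.reviewers.Count); expiry: $($current.requestDurationInDays) days"

# Requests users submit from the "Need admin approval" prompt can be listed here, so a SOC can
# watch for the same unknown app being requested by many users at once.
Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/identityGovernance/appConsent/appConsentRequests"
```

Keep the reviewer list short and limited to people who actually inspect the requested permissions; a reviewer who rubber-stamps requests turns the workflow back into user consent with extra steps.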

Admins can also create custom app consent policies via Microsoft Graph PowerShell for finer control over what users may consent to. A policy is built from include and exclude condition sets that match on permission type (delegated or application), permission classification, specific permissions, the resource application, the client application IDs, the client’s publisher or home tenant, and whether the client comes from a verified publisher.
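As an added example for this post, not code from the original article or from AdminDroid, here is a custom consent policy built with the Microsoft Graph PowerShell SDK. It allows users to self-consent only to low-impact delegated permissions requested by apps from verified publishers, carves out one app ID that must always go through admin consent, and then assigns the policy as the tenant’s user consent policy. The policy name `consent-policy-low-verified` and the excluded app ID are placeholders chosen for the example; it assumes a Global Administrator or Privileged Role Administrator sign-in.

```powershell
# Added example (not from the original post): a custom app consent policy with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module and a Global Administrator / Privileged Role Administrator sign-in.
Connect-MgGraph -Scopes "Policy.ReadWrite.PermissionGrant", "Policy.ReadWrite.Authorization"

$policyId     = "consent-policy-low-verified"           # name chosen for this example
$blockedAppId = "00000000-0000-0000-0000-000000000000"   # placeholder app (client) ID to always block

# 1. Create the policy shell. A policy with no include sets matches nothing, so on its own it is
#    equivalent to "Do not allow user consent".
New-MgPolicyPermissionGrantPolicy -Id $policyId `
    -DisplayName "Low-impact delegated permissions from verified publishers" `
    -Description "Users may self-consent only to low-impact delegated permissions requested by verified-publisher apps."

# 2. Include set: delegated permissions classified "low", and only when the client app has a
#    verified publisher. The portal's built-in option also admits apps registered in this tenant;
#    add a second include with -ClientApplicationTenantIds @("<your tenant id>") if you want the same.
New-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId $policyId `
    -PermissionType "delegated" `
    -PermissionClassification "low" `
    -ClientApplicationsFromVerifiedPublisherOnly

# 3. Exclude set: one client app that must always go through admin consent, even if it matches step 2.
New-MgPolicyPermissionGrantPolicyExclude -PermissionGrantPolicyId $policyId `
    -PermissionType "delegated" `
    -ClientApplicationIds @($blockedAppId)

# 4. Assign it as the user consent policy. The assignment replaces the whole list, so keep any
#    group-owner-consent entries (ManagePermissionGrantsForOwnedResource.*) that are already there.
$assigned = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
$keep     = @($assigned | Where-Object { $_ -notlike "ManagePermissionGrantsForSelf.*" })
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @($keep + "ManagePermissionGrantsForSelf.$policyId")
}

# 5. Review what was created and what is now assigned.
Get-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId $policyId | Format-List
Get-MgPolicyPermissionGrantPolicyExclude -PermissionGrantPolicyId $policyId | Format-List
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
```

Exclude sets win over include sets, which is what makes step 3 useful: a verified publisher can still ship an app you do not want in your tenant, and the exclude forces it through the admin consent workflow regardless of its permission classification.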

Consent phishing compromises data regardless of whether multi-factor authentication or other authentication controls are enabled, because the attacker never needs the user’s credentials. Therefore, you must manage and control user consent to apps to keep attackers away from your organization’s data.

Unfortunately, controlling consent is only the first step; you also need detailed statistics on the applications users have already permitted. Native reporting and PowerShell do not provide an efficient way to get all the application reports you need, and assembling them by hand consumes a great deal of time.

AdminDroid provides a more detailed and granular view of the applications that users have granted consent to access their Microsoft 365 data. Let’s explore the range of reports it offers.

Keep Your Microsoft 365 Secure with AdminDroid’s Application Monitoring!

The ‘Consent to Applications’ report offers a transparent and comprehensive overview of user-consented applications, including the application name, the users who have granted permissions, consented time, and more.

Secondly, the ‘OAuth Permission Granted Applications’ report allows you to identify all the OAuth applications to which the users have granted permissions in your M365 tenant. It includes the details such as the application name, the user who granted the permissions, consent time, and the result status.

User Consented OAuth Applications

With these reports, the free AdminDroid Azure AD auditing tool helps you thoroughly understand the Microsoft 365 landscape within your organization. It further deepens your insight into the Azure AD applications used within Microsoft 365 through the additional reports below.

  • Added Applications
  • Updated Applications
  • Deleted Applications
  • App Role Assignments
  • Service Principal Changes and more.

AdminDroid provides all these 120+ Azure AD reports through a single, easy-to-navigate interface to simplify extracting deep organizational insights. Additionally, with its 30+ visually appealing dashboards, you can explore every aspect of your organization’s Microsoft 365 activities.

Microsoft 365 User Activities Dashboard

So, why do you stick to the traditional, time-consuming methods when AdminDroid can simplify your Azure AD management?

AdminDroid – a one-stop solution for auditing and reporting on Azure AD, saving your valuable time and improving your organization’s security.

I hope this blog helps you find a simple and secure way to stay safe from the malicious consent phishing apps and attacks that are rapidly emerging these days!