As a consultant, I see in some organizations that administrators are not fully aware of the consequences of tenant-wide admin consent. In this blog I show the danger of using tenant-wide admin consent, but also give examples of how to avoid it and how to make its use more secure.
Consent
In Entra ID, users and administrators can grant (API) permissions that allow an application to access protected resources; this is called consent. Consent can be initiated in various ways. For example, a user can be prompted when accessing an application that requires additional permissions. An administrator can also pre-consent, so that users are not confronted with these prompts. Not all permissions can be granted by a user; in those cases the user needs consent from an administrator, which can be requested through the admin consent workflow.
Tenant-wide admin consent
Tenant-wide admin consent is the nuclear option for giving enterprise applications permissions in Entra ID. When you grant admin consent for an application, everyone with access to the application also gets these permissions within that application. This may create undesirable situations in which users unintentionally gain far more permissions than intended. In the following example, using Microsoft Graph, I demonstrate the consequences and dangers.
1. I connect to Microsoft Graph using the following command, adding the scope “DeviceManagementConfiguration.ReadWrite.All”.
2. When I connect to Microsoft Graph for the first time, I am asked to grant some permissions. This time I check the box “Consent on behalf of your organization”.
3. If you now look at the permissions of the application, you will see that they are no longer granted as user consent but as admin consent. This means that the entire organization has these permissions as soon as they have access to the application.
4. This in itself would not be a problem, but new app registrations are available to all users by default (see “Assignment required?” set to “No”). As a result, basically everyone in the tenant has these permissions when using, in this case, “Microsoft Graph”, unless you change “Assignment required” to “Yes”.
5. When I try to log in to Microsoft Graph as a regular user, I do not get a permission prompt. Because of the tenant-wide admin consent, everyone in the tenant is allowed to log in with the scope “DeviceManagementConfiguration.ReadWrite.All”, so everyone within the tenant can log in and make changes in Intune, which is an unwanted situation.
6. To avoid this, grant consent only to authorized users by granting consent on behalf of a user. If this is not possible, you need to enable “Assignment required” when using admin consent and assign the Enterprise Application only to the users who are authorized to use it.
7. If “Assignment required” is enabled and a user who has not been assigned to the Enterprise Application tries to log in, that person will see an error message.
Key Takeaways
Be careful with tenant-wide admin consent! Check for applications that have admin consent and “Assignment required” turned off.
- If you decide to use tenant-wide admin consent for an Enterprise Application, make sure that “Assignment required” has been enabled.
- Even better is to grant consent on behalf of specific users; this allows only those specific users to use the application with that right.
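One way to run that check across a tenant with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post: it lists every enterprise application that has tenant-wide admin consent (a delegated grant with consent type AllPrincipals) while “Assignment required” is still off. It assumes the Microsoft.Graph module is installed, that the signed-in account can read the directory (Directory.Read.All is used as the delegated scope), and that the optional remediation line is run with Application.ReadWrite.All.

```powershell
# Added example (not from the original post): find enterprise applications with
# tenant-wide admin consent (ConsentType = AllPrincipals) and "Assignment required" off.
# Assumption: Microsoft.Graph SDK installed; Directory.Read.All is enough to read both
# service principals and delegated permission grants.
Connect-MgGraph -Scopes "Directory.Read.All" -NoWelcome

# Delegated permission grants; AllPrincipals means admin consent on behalf of everyone.
$adminGrants = Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq 'AllPrincipals' }

# Index service principals by object id so each grant can be resolved to its application.
$spById = @{}
Get-MgServicePrincipal -All -Property Id,AppId,DisplayName,AppRoleAssignmentRequired |
    ForEach-Object { $spById[$_.Id] = $_ }

# One row per client application, with all admin-consented scopes across its resources.
$findings = $adminGrants | Group-Object ClientId | ForEach-Object {
    $sp = $spById[$_.Name]
    if ($null -eq $sp) { return }   # grant whose client service principal no longer exists
    [pscustomobject]@{
        DisplayName        = $sp.DisplayName
        AppId              = $sp.AppId
        ServicePrincipalId = $sp.Id
        AssignmentRequired = $sp.AppRoleAssignmentRequired
        # Scope is a space-separated string per grant; flatten and de-duplicate.
        AdminConsentScopes = (($_.Group.Scope -join ' ').Trim() -split '\s+' | Sort-Object -Unique)
    }
}

# The risky combination from the post: admin consent for all users AND anyone can sign in.
$risky = $findings | Where-Object { -not $_.AssignmentRequired }
$risky |
    Select-Object DisplayName, AppId, ServicePrincipalId,
                  @{ n = 'Scopes'; e = { $_.AdminConsentScopes -join ' ' } } |
    Format-Table -AutoSize

# Remediation for one finding (step 6 of the post): turn "Assignment required" on.
# Requires Application.ReadWrite.All; replace the placeholder id before uncommenting.
# Update-MgServicePrincipal -ServicePrincipalId '<service-principal-id>' -AppRoleAssignmentRequired:$true
```

After enabling “Assignment required”, the application still needs the authorized users or groups assigned to it, otherwise nobody can sign in.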
In my next blog, I will show you how to grant consent on behalf of a single user using PowerShell.
If you have any questions or comments about this blog, please let me know!