Consequence of tenant-wide admin consent


As a consultant, I see in some organizations that administrators are not fully aware of the consequences of tenant-wide admin consent. In this blog, I show the danger of using tenant-wide admin consent, but I also give examples of how to avoid using it and how to make using it more secure.

Consent

In Entra ID, users and administrators can grant (API) permissions for an application to access protected resources; this is called consent. Consent can be initiated in various ways. For example, a user can be prompted when accessing an application that requires additional permissions. An administrator can also pre-consent to avoid confronting users with these prompts. Not all permissions can be granted by a user; in those cases the user needs consent from an administrator, which can be requested through the admin consent workflow.

Tenant-wide admin consent

Tenant-wide admin consent is the nuclear solution for giving enterprise applications permissions in Entra ID. When you grant admin consent permissions to an application, anyone with access to the application also gets these permissions within the application. This may create undesirable situations where users unintentionally gain too many permissions. In the following example, using Microsoft Graph, I demonstrate the consequences and dangers.

1. I connect to Microsoft Graph using the following command, adding the scope “DeviceManagementConfiguration.ReadWrite.All”.

2. When I connect to Microsoft Graph for the first time, I am asked to grant some permissions. This time I check the box “Consent on behalf of your organization”.

3. Now if you look at the permissions of the application, you will see that they are no longer granted as user consent but as admin consent. This means that the entire organization has these permissions whenever they have access to the application.

4. This in itself would not be a problem, but since new app registrations are available to all users by default (see “Assignment required? -> No”), basically everyone has these permissions when using, in this case, “Microsoft Graph”, unless you change “Assignment required” to “Yes”.

5. When I try to log in to Microsoft Graph with a regular user, I don’t get a permission popup. Because of the tenant-wide admin consent, everyone in the tenant is allowed to log in with the scope “DeviceManagementConfiguration.ReadWrite.All”. Now everyone within the tenant can log in and make changes in Intune, which is an unwanted situation.

6. To avoid this, only give authorized users consent by granting consent on behalf of a user. If this is not possible, you need to enable “Assignment required” when using admin consent and assign the Enterprise Application only to the users authorized to use it.

7. If “Assignment required” is enabled and a user who has no privileges on the Enterprise Application tries to log in, that person will see an error message.
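The Consent section and the steps above come down to two properties you can read back from the tenant: an OAuth2 permission grant with consent type “AllPrincipals” is tenant-wide admin consent (a “Principal” grant is consent for one user), and an enterprise application whose “Assignment required” is No has `AppRoleAssignmentRequired` set to false on its service principal. The script below, which I have added here as an example and which is not from the original walkthrough, uses the Microsoft Graph PowerShell SDK to list every application where both conditions hold, i.e. where the situation from steps 3 to 5 exists. It assumes the SDK is installed and that the signed-in account may read applications and directory data; the list of sensitive scopes is my own choice and only the post’s example scope is taken from the text.

```powershell
# Added audit script, not part of the original post. Assumes the Microsoft Graph
# PowerShell SDK (Microsoft.Graph module) is installed; read-only scopes suffice.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

# All OAuth2 permission grants in the tenant. ConsentType "AllPrincipals" means
# tenant-wide admin consent; "Principal" means consent for the single user in PrincipalId.
$grants = Get-MgOauth2PermissionGrant -All

# Index service principals by object id so the client (the enterprise app) and the
# resource (e.g. Microsoft Graph) of each grant can be resolved without extra calls.
$spById = @{}
Get-MgServicePrincipal -All | ForEach-Object { $spById[$_.Id] = $_ }

$findings = foreach ($g in ($grants | Where-Object { $_.ConsentType -eq 'AllPrincipals' })) {
    $client   = $spById[$g.ClientId]
    $resource = $spById[$g.ResourceId]
    if (-not $client) { continue }

    [pscustomobject]@{
        Application        = $client.DisplayName
        AppId              = $client.AppId
        Resource           = if ($resource) { $resource.DisplayName } else { $g.ResourceId }
        Scopes             = "$($g.Scope)".Trim()
        # "Assignment required" in the portal maps to AppRoleAssignmentRequired.
        AssignmentRequired = [bool]$client.AppRoleAssignmentRequired
        # The risky combination from the post: admin consent for everyone and no
        # assignment restriction, so every user in the tenant inherits the scopes.
        OpenToAllUsers     = -not [bool]$client.AppRoleAssignmentRequired
    }
}

# Every app with tenant-wide admin consent and "Assignment required" = No.
$findings |
    Where-Object { $_.OpenToAllUsers } |
    Sort-Object Application |
    Format-Table Application, Resource, AssignmentRequired, Scopes -AutoSize

# Narrow the list to grants that include a high-impact scope. The first entry is
# the scope used in the post; the others are my own examples (assumption).
$sensitive = 'DeviceManagementConfiguration.ReadWrite.All',
             'Directory.ReadWrite.All',
             'RoleManagement.ReadWrite.Directory'

$findings | Where-Object {
    $_.OpenToAllUsers -and
    (($_.Scopes -split ' ') | Where-Object { $sensitive -contains $_ })
} | Format-Table Application, Resource, Scopes -AutoSize
```

Anything in the second table is an application that every user in the tenant can sign in to with the listed scopes. The fix the post describes in step 6 corresponds to setting `AppRoleAssignmentRequired` to true on that service principal (for example with `Update-MgServicePrincipal -ServicePrincipalId <object id> -AppRoleAssignmentRequired`) and then assigning only the authorized users to the enterprise application; after that, the error from step 7 is what an unassigned user sees.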

Key Takeaways

Be careful with tenant-wide admin consent! Check for applications that have admin consent and “Assignment required” turned off.

In my next blog, I will show you how to assign consent on behalf of a single user using PowerShell.

If you have any questions or comments about this blog, please let me know!
