Why it's important to disable user application consent in Microsoft 365
In a cloud-first world, Microsoft 365 provides incredible flexibility and productivity gains, but also opens new doors for potential security risks. One of the most overlooked yet critical aspects of Microsoft 365 security is user application consent. Allowing users to consent to applications on behalf of your organization can quickly become a serious vulnerability.
In this article, we’ll explore what user consent is, why it should be restricted, and how disabling it helps harden your Microsoft 365 environment against common attack vectors.
1 - What Is User Application Consent?
User application consent is a feature in Microsoft Entra ID (formerly Azure AD) that allows end users to grant permissions to third-party apps to access organizational data such as email, calendars, contacts, or files stored in OneDrive and SharePoint.
While convenient, this setting gives non-technical users the power to authorize potentially risky access to corporate data, often without fully understanding the implications.
2 - Why You Should Disable It?
Here are the primary security reasons to disable user consent:
Prevents Consent Phishing Attacks: Consent phishing is a type of attack where a user is deceived into granting permissions to a seemingly legitimate but malicious application. Once the grant is made, the attacker can access emails, files, and sensitive data through the app's token without ever needing the user's password. By disabling user consent, only administrators can approve app requests, which greatly reduces the risk of such attacks.
Stops Data Leakage via Third-Party Apps: Users might unintentionally grant access to apps that export or replicate sensitive data to external environments. Even well-intentioned productivity tools can become a problem if they are poorly secured or hosted in a jurisdiction with weak data protections. Restricting app consent to admins ensures all applications go through proper vetting and risk assessment.
Aligns with Least Privilege Principles: Giving users blanket authority to consent to apps violates the core security principle of least privilege. By limiting who can grant app permissions, you reduce the risk of privilege escalation or unauthorized data exposure.
3 - Disable user application consent in Microsoft 365
Go to the Microsoft Azure portal, then Microsoft Entra ID
Select "Manage", then "Enterprise Applications"
In the right-hand menu, select "Consent and Permissions"
Select "Do not allow user consent"
Click "Save"
You can also use this direct link to the setting: https://portal.azure.com/#view/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/~/UserSettings
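The same change can be scripted with the Microsoft Graph PowerShell SDK, which is useful when the setting must be enforced and checked across several tenants. The block below is an added example, not code from the original article or from Microsoft; it assumes the Microsoft.Graph module is installed and that the signed-in account holds a role allowed to edit the tenant authorization policy (for example Global Administrator). It also covers the caveat the portal steps do not show: disabling user consent does not revoke grants users have already made, so those existing grants are listed for review, together with the audit-log events that record consent activity.

```powershell
# Added example (not from the original article): disable user application consent
# through Microsoft Graph, then review what users already granted.
# Assumes the Microsoft.Graph module is installed and the account can edit the
# authorization policy (Global Administrator or equivalent).
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Directory.Read.All", "AuditLog.Read.All"

# 1. Show the current user-consent setting.
#    An empty permissionGrantPoliciesAssigned list corresponds to the portal
#    option "Do not allow user consent".
$policy = Get-MgPolicyAuthorizationPolicy
"Current user consent policies: " +
    ($policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -join ", ")

# 2. Disable user consent (equivalent of "Do not allow user consent" in the portal).
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    permissionGrantPoliciesAssigned = @()
}

# Alternative (the portal's "Option 2"): allow user consent only for apps from
# verified publishers that request low-impact permissions.
# Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
#     permissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
# }

# 3. The new setting does not revoke existing grants. List every grant made by an
#    individual user (ConsentType 'Principal') so it can be reviewed and, where
#    needed, revoked with Remove-MgOauth2PermissionGrant.
$userGrants = Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq 'Principal' }

foreach ($g in $userGrants) {
    $app  = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    $user = Get-MgUser -UserId $g.PrincipalId
    [pscustomobject]@{
        App       = $app.DisplayName
        Publisher = $app.PublisherName      # blank for unverified publishers
        Scopes    = $g.Scope                # delegated permissions granted, e.g. Mail.Read
        GrantedBy = $user.UserPrincipalName
        GrantId   = $g.Id                   # pass to Remove-MgOauth2PermissionGrant to revoke
    }
}

# 4. Detection: consent events are recorded in the Entra ID audit log under the
#    activity "Consent to application"; review them as part of the app vetting process.
Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Consent to application'" -All |
    Select-Object ActivityDateTime, Result,
        @{ n = 'Actor'; e = { $_.InitiatedBy.User.UserPrincipalName } },
        @{ n = 'App';   e = { ($_.TargetResources | Select-Object -First 1).DisplayName } }
```

Run step 1 again after step 2 to confirm the policy list is empty; the portal page linked above should then show "Do not allow user consent" selected. The review in step 3 is the part most often skipped: a grant made before the setting changed keeps working until it is removed.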
Conclusion
Allowing end users to freely grant application consent in Microsoft 365 introduces significant security risks. Disabling this feature helps protect against consent phishing, prevents unauthorized data access, and ensures better control over your organizational environment.
As part of a zero trust strategy, controlling user consent is not optional; it's essential.
Thanks
Aymen EL JAZIRI
System Administrator
Modern Workplace Management | End User Computing Specialist | Microsoft Intune | Microsoft SCCM | M365 Suite | Powershell Scripting | Microsoft Graph | ITIL v4 | PMP®
Thank you Aymen E.
IT Team Lead | System Administrator
On the other hand, it can make it easier for users to connect to websites with a single click; there is an option (Option 2) to limit information disclosure and access only to verified apps.
Microsoft MVP | MCT | Modern Workplace & Azure Architect | Microsoft 365 & Intune Expert | Endpoint Security | Enterprise Admin Specialist
It's amazing, my friend! I’ve already done it in my environment.
So clear and helpful for folks working with these systems daily