Skip to main content

lacework-global-507

Profile Applicability

• Level 1

Description

Require administrators to provide consent for the apps before use.

Rationale

Unless Azure Active Directory is running as an identity provider for third-party applications, do not allow users to use their identity outside of your cloud environment. User profiles contain private information such as phone numbers and email addresses which could then be sold off to other third parties without requiring any further consent from the user.

Impact

Can cause additional requests to administrators that need to be fulfilled quite often.

Audit

From Azure Portal

  1. From Azure Home select the Portal Menu
  2. Select Azure Active Directory
  3. Then Users
  4. Select User settings
  5. Then Manage how end users launch and view their applications, and ensure that Users can add gallery apps to My Apps is set to No

Please note that at this point of time, there is no API/CLI mechanism available to programmatically conduct security assessment for this recommendation.

Remediation

From Azure Portal

Please note that at this point in time, there is no Azure CLI or other API commands available to programmatically conduct security configuration for this recommendation.

  1. From Azure Home select the Portal Menu.
  2. Select Azure Active Directory.
  3. Select Users.
  4. Select User settings.
  5. Select Manage how end users launch and view their applications.
  6. Set Users can add gallery apps to My Apps to No.

References

https://blogs.msdn.microsoft.com/exchangedev/2014/06/05/managing-user-consent-for-applications-using-office-365-apis/
https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems