Apps Security - Admin Consent

KONAN KOUAME SERGE PACOME 0 Reputation points
2024-02-22T22:05:19.99+00:00

Good morning,

We have a lot of requests to access and read our tenant via third-party applications. These admin consent requests are numerous, and we lack reliable indicators to help us decide whether to grant access to these applications. Next, we would like to know whether Microsoft has a recommendation or best practice that would let us securely control application access to our tenant. If there are no precise and effective recommendations, is it possible to limit the application's read and write access to our tenant to only the user who requests it, or to a group of users, so that these third-party applications are not authorized to access all of our tenant's data?

Thanks for your support.


Tags: Microsoft Configuration Manager Application, Microsoft Entra ID

1 answer

Andy David - MVP, 142.3K Reputation points
2024-02-22T22:49:01.2766667+00:00

Microsoft's guide is here: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/manage-consent-requests

My two cents: generally, try to avoid application permissions and only approve delegated ones. In those cases where application permissions are required, you typically cannot limit the data to just a group or group of users. The exception is email permissions: leveraging RBAC can let you scope the app to specific mailboxes or groups: https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac There is a chart in that doc on which roles you can scope using the Exchange RBAC assignments.

Otherwise, each org is different, and your company will have to decide and evaluate which apps, and which permissions those apps have, are allowed and which are not.

Note: you can use a script/task to audit all the apps and their "permission levels": https://learningbydoing.cloud/blog/audit-ms-graph-app-role-assignments/ or https://www.youtube.com/watch?v=vO0m5yE3dZA

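The answer's two practical points, "prefer delegated over application permissions" and "audit all the apps and their permission levels", can be turned into one inventory. The script below is an added example, not code from the answer, the linked blog, or Microsoft. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can read applications and directory objects; the `$highImpact` pattern list is an assumed review rule for this tenant, not a Microsoft classification.

```powershell
# Added example (not from the answer): inventory which apps hold application (app-only) versus
# delegated permissions on Microsoft Graph, so admin consent decisions rest on data rather than guesswork.
# Requires: Install-Module Microsoft.Graph. The $highImpact patterns are an assumed review list.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All', 'DelegatedPermissionGrant.Read.All' -NoWelcome

# Microsoft Graph's own service principal. Its AppRoles collection maps app role GUIDs to names such as Mail.Read.
$graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($role in $graph.AppRoles) { $roleName[$role.Id] = $role.Value }

# Display names for every service principal, so delegated grants (which carry only a ClientId) can be labelled.
$spName = @{}
Get-MgServicePrincipal -All | ForEach-Object { $spName[$_.Id] = $_.DisplayName }

# Application permissions: app role assignments whose resource is Graph. No user is in the loop,
# so each one applies to the whole tenant. This is the category the answer says to avoid where possible.
$appOnly = foreach ($a in Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graph.Id -All) {
    [pscustomobject]@{
        App         = $a.PrincipalDisplayName
        PrincipalId = $a.PrincipalId
        Type        = 'Application'
        Permission  = $roleName[$a.AppRoleId]
        ConsentType = 'AllPrincipals'
    }
}

# Delegated permissions: OAuth2 permission grants. ConsentType 'AllPrincipals' means an admin consented
# on behalf of every user; 'Principal' means one user consented for themselves only.
$delegated = foreach ($g in Get-MgOauth2PermissionGrant -All | Where-Object { $_.ResourceId -eq $graph.Id }) {
    foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
        [pscustomobject]@{
            App         = $spName[$g.ClientId]
            PrincipalId = $g.ClientId
            Type        = 'Delegated'
            Permission  = $scope
            ConsentType = $g.ConsentType
        }
    }
}

# Assumed triage rule: flag app-only grants that read or write broad data sets tenant-wide.
$highImpact = '*.ReadWrite.All', '*.Read.All', 'Mail.*', 'Files.*', 'Sites.*', 'Directory.*', 'RoleManagement.*'
$report = @($appOnly) + @($delegated) | Sort-Object Type, App, Permission | ForEach-Object {
    $perm = $_.Permission
    $hits = @($highImpact | Where-Object { $perm -like $_ })
    $flag = if ($_.Type -eq 'Application' -and $hits.Count -gt 0) { 'REVIEW' } else { '' }
    $_ | Add-Member -NotePropertyName Flag -NotePropertyValue $flag -PassThru
}

$report | Format-Table App, Type, Permission, ConsentType, Flag -AutoSize
$report | Export-Csv -Path .\graph-consent-inventory.csv -NoTypeInformation
```

Run it once as a baseline and then on a schedule; a new row of `Type = Application` with `Flag = REVIEW` is exactly the kind of grant the answer says usually cannot be narrowed to a group of users, so it deserves a named owner and a justification before it is approved. Delegated rows with `ConsentType = Principal` are a single user's own consent and are the least risky category to leave alone.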
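The one exception the answer names, scoping mail permissions to specific mailboxes with Exchange RBAC for Applications, looks like the following. This is an added example and not code from the answer or from the linked Microsoft doc; the app name, the two GUIDs, the CustomAttribute1 value and the mailbox addresses are placeholders, and the ExchangeOnlineManagement module (v3.x) is assumed to be installed.

```powershell
# Added example (not from the answer): restrict an app's mail access to one set of mailboxes with
# Exchange Online RBAC for Applications. All IDs, names and addresses below are placeholders.
Connect-ExchangeOnline

$appId      = '11111111-1111-1111-1111-111111111111'   # the app registration's Application (client) ID
$spObjectId = '22222222-2222-2222-2222-222222222222'   # the enterprise app's Object ID in Microsoft Entra

# 1. Make Exchange aware of the Entra service principal.
New-ServicePrincipal -AppId $appId -ObjectId $spObjectId -DisplayName 'Contoso Mail Connector'

# 2. Define the set of mailboxes the app may touch: here, recipients tagged via CustomAttribute1.
New-ManagementScope -Name 'Finance mailboxes' -RecipientRestrictionFilter "CustomAttribute1 -eq 'Finance'"

# 3. Assign the Exchange "Application Mail.Read" role to the app, limited to that scope.
#    The doc's chart lists which "Application ..." roles can be scoped this way.
New-ManagementRoleAssignment -App $spObjectId -Role 'Application Mail.Read' -CustomResourceScope 'Finance mailboxes'

# 4. Verify the boundary: expect InScope to be true for a finance mailbox and false for one outside it.
Test-ServicePrincipalAuthorization -Identity $spObjectId -Resource 'finance-user@contoso.com'
Test-ServicePrincipalAuthorization -Identity $spObjectId -Resource 'hr-user@contoso.com'

# 5. Review what the app currently holds in Exchange, and remove an assignment that is no longer needed.
Get-ManagementRoleAssignment -App $spObjectId
# Remove-ManagementRoleAssignment -Identity '<assignment name from the listing above>'
```

The Exchange role assignment is a separate grant from any Microsoft Graph application permission consented on the same app; a tenant-wide Graph grant does not become narrower because an Exchange scope exists, so check the doc on how the two interact and revoke the broad Graph permission if the scoped Exchange assignment is meant to be the only path.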