CISA.MS.AAD.5.4 - Group owners SHALL NOT be allowed to consent to applications.
Overview
This test is deprecated by CISA as of March 2025 and will always be skipped. The content below is retained as a historical archive and will be removed in a future version.
MS.AAD.5.4v1 was removed because Microsoft announced via MC712143 that group owner consent to applications is no longer a configurable setting. The setting has been removed from the product entirely, making the policy moot. See CISA SCuBA Removed Policies - MS.AAD.5.4v1.
Group owners SHALL NOT be allowed to consent to applications.
Rationale: In M365, group owners and team owners can consent to applications accessing data in the tenant. By requiring consent requests to go through an approval workflow, the risk of exposure to malicious applications is reduced.
Remediation action:
- In Entra under Identity and Applications, select Enterprise applications.
- Under Security, select Consent and permissions.
- Under Manage, select User consent settings.
- Under Group owner consent for apps accessing data, select Do not allow group owner consent.
- Click Save.
Related links
- Entra admin center - Consent and permissions | User consent settings
- CISA Application Registration & Consent - MS.AAD.5.4v1
- CISA ScubaGear Rego Reference
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.AAD.5.4 |
| Severity | High |
| Suite | CISA |
| Category | Entra ID Free |
| PowerShell test | Test-MtCisaAppGroupOwnerConsent |
| Tags | CISA, CISA.MS.AAD.5.4, Deprecated, Entra ID Free, MS.AAD, MS.AAD.5.4 |
Source
- Pester test: tests/cisa/entra/Test-MtCisaAppGroupOwnerConsent.Tests.ps1
- PowerShell source: powershell/public/cisa/entra/Test-MtCisaAppGroupOwnerConsent.ps1