EIDSCA.AP09 - Default Authorization Settings - Allow user consent on risk-based apps.

Overview

Indicates whether user consent for risky apps is allowed. For example, consent requests for newly registered multi-tenant apps that are not publisher verified and require non-basic permissions are considered risky.

Configure risk-based step-up consent - Microsoft Entra ID - Microsoft Learn

Test script

https://graph.microsoft.com/beta/policies/authorizationPolicy
.allowUserConsentForRiskyApps -eq 'false'

Related links

• Open in Graph Explorer
• authorizationPolicy resource type - Microsoft Graph v1.0 | Microsoft Learn
• View in Microsoft Entra admin center

MITRE ATT&CK

Tactic	Technique	Mitigation
TA0001 - Initial Access - Initial Access TA0005 - Defense Evasion - Stealth TA0006 - Credential Access - Credential Access TA0008 - Lateral Movement - Lateral Movement	T1566.002 - Phishing: Spearphishing Link T1078 - Valid Accounts T1550 - Use Alternate Authentication Material T1528 - Steal Application Access Token	M1017 - User Training M1018 - User Account Management

Test Metadata

Field	Value
Test ID	EIDSCA.AP09
Severity	Medium
Suite	Entra ID SCA
Category	General
PowerShell test	Test-MtEidscaAP09
Tags	EIDSCA, EIDSCA.AP09

Source

• Pester test: tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1
• PowerShell source: powershell/internal/eidsca/Test-MtEidscaAP09.ps1