Attackers don't always need to steal passwords. Sometimes they trick users into handing over access voluntarily. This tactic, commonly known as OAuth consent phishing, relies on malicious apps that look legitimate but secretly request far-reaching permissions. By blocking user consent for unverified apps, you stop attackers from planting backdoors through the front door.
Persistent access: Once granted, malicious apps can siphon mail, files, and calendar data indefinitely.
Stealthy compromise: Unlike stolen credentials, consented apps often go unnoticed by security teams.
Tenant-wide impact: Attackers can scale quickly if multiple users approve the same rogue app.
Go to the Entra ID Admin Center.
Navigate to Enterprise Applications > User settings.
Under User consent for applications, select Do not allow user consent.
Enable the Admin consent workflow so legitimate apps can still be approved through IT.
Communicate the change to employees to reduce confusion when consent prompts appear.
Over-blocking legitimate apps: Some business apps need OAuth consent. Without an admin workflow, productivity may stall.
Shadow IT pressure: If the process for approving apps is slow, employees may push back or even find workarounds.
Inconsistent reviews: Approved apps should be reviewed periodically; today’s legitimate app could be compromised tomorrow.
Educate end users: Train staff to recognize suspicious consent requests and report them.
Streamline admin approvals: Set up a fast, transparent process for reviewing and approving app requests.
Regularly audit app permissions: Go to Enterprise Applications > Permissions to spot apps with unusual or excessive privileges.
Enforce publisher verification: Favor apps that are verified by their publisher to reduce the risk of hidden malware.
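The portal steps above and the permission audit can also be scripted with Microsoft Graph PowerShell. The block below is an added example, not part of the original article; it assumes the Microsoft.Graph module is installed, and the list of scopes it flags as high-risk is this example's own choice rather than any official classification.

```powershell
# Added example (not from the original article): Microsoft Graph PowerShell
# equivalent of "Do not allow user consent", followed by an audit of delegated
# grants that users already approved before the setting was changed.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Directory.Read.All"

# 1. Inspect the current user-consent setting. An empty list means
#    "Do not allow user consent"; the built-in policy
#    "managePermissionGrantsForSelf.microsoft-user-default-low" would instead let
#    users consent to verified-publisher apps asking for low-impact permissions.
$policy = Get-MgPolicyAuthorizationPolicy
$policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned

# 2. Enforce "Do not allow user consent" (the setting chosen in the steps above).
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @()
}

# 3. Audit existing delegated grants. ConsentType "Principal" marks grants a
#    single user approved; "AllPrincipals" marks tenant-wide admin consent.
#    The scope list is an assumption for this example; tune it to your tenant.
$highRiskScopes = @("Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
                    "Contacts.Read", "offline_access")
$userGrants = Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq "Principal" }

foreach ($grant in $userGrants) {
    $scopes = $grant.Scope -split " " | Where-Object { $_ }
    $risky  = $scopes | Where-Object { $highRiskScopes -contains $_ }
    if (-not $risky) { continue }

    # Resolve the consenting app and whether its publisher is verified.
    $sp = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
    [pscustomobject]@{
        App               = $sp.DisplayName
        VerifiedPublisher = $sp.VerifiedPublisher.DisplayName   # empty = unverified
        ConsentingUserId  = $grant.PrincipalId
        RiskyScopes       = ($risky -join " ")
    }
}
```

Rows with an empty VerifiedPublisher and mailbox or file scopes are the grants to review first, since they match the consent-phishing pattern described above.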
Blocking user consent for unverified apps shuts down a popular attacker tactic before it gains traction. By pairing this control with admin approvals, user education, and regular audits, you ensure apps in your tenant are trustworthy, verified, and truly needed.