Bug with MS.AAD.5.2v1 - "Only administrators SHALL be allowed to consent to applications." #1022
Comments
@sgendron50 Thanks for reporting this. We are starting to see if we can reproduce it. @dagarwal-mitre
@tkol2022 - We have an E5 license. I can't tell you if this is a new problem because we just used this for the first time. No, no error messages were displayed in the terminal. Let me know if there is anything else I can provide to assist.
We similarly hit this and, similarly to @sgendron50, in Entra we do have user consent disabled, but over in admin center --> settings --> org settings --> services --> user consent to apps is checked, but I get an error trying to uncheck it (I thought I'd uncheck it to just stay consistent). "We couldn't save your changes. Close and reopen this setting to try again" Googling hasn't led me to how this setting interacts or may be overridden by the Entra setting.
We hit it as well, and just started using it, so can't tell if it is new or not. We have E5 licenses, and have configured the settings seemingly correctly in Entra. We were also unable to disable the setting in admin center like @amandaw33 pointed out. Thank you for making this tool available to the public.
Thanks to everyone that reported and responded. Turns out that MS added some data to the API output which broke the policy check logic in the tool. The fix #1043 is currently in review so look for that soon.
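An added illustrative check for MS.AAD.5.2v1 over a Graph authorizationPolicy object (example code, not ScubaGear's own Rego or PowerShell logic). It contrasts a check that fails whenever permissionGrantPoliciesAssigned is non-empty with one that keys only on the ManagePermissionGrantsForSelf prefix, so unrelated entries Microsoft adds to the API output do not produce a false "Fail"; the extra policy ID in the sample is constructed, since the thread does not say which data was added.

```python
"""Illustrative MS.AAD.5.2v1 check over Microsoft Graph authorizationPolicy JSON."""
import json

# Policies with this prefix let non-admin users consent to applications.
# Other prefixes (e.g. ManagePermissionGrantPoliciesForOwnedResource.) cover
# group/team-owner scenarios and do not grant ordinary users app consent.
USER_CONSENT_PREFIX = "ManagePermissionGrantsForSelf."


def assigned_policies(authorization_policy: dict) -> list[str]:
    """Return permissionGrantPoliciesAssigned, tolerating missing keys or null."""
    perms = authorization_policy.get("defaultUserRolePermissions") or {}
    return list(perms.get("permissionGrantPoliciesAssigned") or [])


def brittle_allows_user_consent(authorization_policy: dict) -> bool:
    """Naive check: any assigned policy at all is treated as user consent.
    Breaks as soon as the API returns an unrelated policy ID."""
    return len(assigned_policies(authorization_policy)) > 0


def allows_user_consent(authorization_policy: dict) -> bool:
    """Robust check: only ManagePermissionGrantsForSelf.* entries count."""
    return any(p.startswith(USER_CONSENT_PREFIX)
               for p in assigned_policies(authorization_policy))


def evaluate(policies: list[dict]) -> list[str]:
    """IDs of policies that let non-admin users consent; empty list means pass."""
    return [p.get("id", "?") for p in policies if allows_user_consent(p)]


# Constructed sample: user consent disabled in Entra, but the API output also
# carries an owner-resource policy ID (an assumed stand-in for the extra data).
SAMPLE_DISABLED = json.loads("""{
  "id": "authorizationPolicy",
  "defaultUserRolePermissions": {
    "permissionGrantPoliciesAssigned": [
      "ManagePermissionGrantPoliciesForOwnedResource.microsoft-dynamically-managed-permissions-for-team"
    ]
  }
}""")

# Constructed sample: legacy "allow user consent for all apps" setting.
SAMPLE_ENABLED = {"id": "authorizationPolicy", "defaultUserRolePermissions": {
    "permissionGrantPoliciesAssigned": [
        "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"]}}

if __name__ == "__main__":
    print("brittle check on disabled tenant:", brittle_allows_user_consent(SAMPLE_DISABLED))
    print("robust check on disabled tenant:", allows_user_consent(SAMPLE_DISABLED))
    print("policies failing MS.AAD.5.2v1:", evaluate([SAMPLE_DISABLED, SAMPLE_ENABLED]))
```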
Happy to know that people are using it! Appreciate the feedback.
🐛 Summary
What's wrong? Please be specific.
In the report, MS.AAD.5.2v1 is displaying "Fail"; however, I've verified in Azure Portal --> Enterprise Apps --> Consent & Permissions that "User consent for applications" is set to "Do not allow user consent". I've flipped it on and off and run the report again, but it still fails with:
1 authorization policies found that allow non-admin users to consent to third-party applications:
authorizationPolicy
Steps to reproduce the behavior:
Invoke-SCuBA -ProductNames aad
Expected behavior
I expected that 5.2 would pass.
Any helpful log output or screenshots