User Consent Restricted

💼 Management Summary

This security control ensures that ordinary users cannot grant applications access to company data in Microsoft Entra ID: only administrators can consent to an application's requested permissions.

Recommendation
IMPLEMENT
Risk without implementation
High
Risk Score
7/10
Implementation effort
2h (technical: 1h)
Applies to:
Microsoft 365 (Entra ID)

This setting is part of the cloud security baseline and closes a well-known attack vector, consent phishing (illicit consent grants): an attacker tricks a user into approving a malicious OAuth application, which then holds a token to the user's data without ever needing the password. Requiring admin consent puts every application grant through review.

PowerShell Modules Required
Primary API: Microsoft Graph (policies/authorizationPolicy)
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.Authentication (provides Connect-MgGraph and Invoke-MgGraphRequest)

Implementation

This control restricts user consent through the Microsoft Entra ID authorization policy. The permission grant policies assigned to the default user role (defaultUserRolePermissions.permissionGrantPoliciesAssigned) decide whether non-admins may consent to applications; the Entra default assigns ManagePermissionGrantsForSelf.microsoft-user-default-legacy, which lets any user consent to any app. Removing the ManagePermissionGrantsForSelf.* policies leaves consent to administrators only. This is a tenant-level Entra ID setting, not an Intune device configuration or compliance policy.

Requirements

Microsoft 365 tenant (Entra ID). The account running the script needs the Graph scope Policy.Read.All for monitoring and Policy.ReadWrite.Authorization for remediation.

Before restricting consent, enable the admin consent request workflow (Entra admin center, Enterprise applications > Consent and permissions) so users can request access to an application instead of hitting a dead end, and review applications that already hold user-granted permissions: restricting consent does not revoke existing grants.

Monitoring

Use the PowerShell script user-consent-restricted.ps1 (function Invoke-Monitoring) – check. Exit code 0 means compliant, 1 non-compliant and 2 an error, so the script can run unattended from a scheduler.

Remediation

Use the PowerShell script user-consent-restricted.ps1 (function Invoke-Remediation) – fix. Run it with -WhatIf first to see which policies would be removed; -Revert restores the Entra default and should only be used for rollback.
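The check above only distinguishes "restricted" from "not restricted", but a tenant can also sit in between (the built-in low-impact policy, or a custom self-consent policy). The following added example, written for this page and not part of the baseline's own script, classifies an authorizationPolicy object into those states and derives the PATCH body that strips only the self-consent policies. The three sample policies are constructed to mimic what GET /policies/authorizationPolicy returns; the resource-owner policy id in the LowImpact sample is illustrative. No tenant is contacted, so it runs offline.

```powershell
# Added example (not the baseline's own code): classify the user-consent state of an
# Entra ID authorizationPolicy object and derive the PATCH body that removes only the
# ManagePermissionGrantsForSelf.* policies. Inputs are constructed sample objects.

function Get-UserConsentState {
    param([Parameter(Mandatory)] $AuthorizationPolicy)

    $assigned    = @($AuthorizationPolicy.defaultUserRolePermissions.permissionGrantPoliciesAssigned)
    $selfConsent = @($assigned | Where-Object { $_ -like 'ManagePermissionGrantsForSelf.*' })

    $state = if ($selfConsent -contains 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy') {
        'Unrestricted'       # Entra default: any user may consent to any app
    } elseif ($selfConsent -contains 'ManagePermissionGrantsForSelf.microsoft-user-default-low') {
        'LowImpactOnly'      # users may consent to verified publishers for low-impact permissions
    } elseif ($selfConsent.Count -gt 0) {
        'CustomUserConsent'  # a tenant-defined self-consent policy is assigned; review it
    } else {
        'Restricted'         # only admins can grant consent: the state this control requires
    }

    [pscustomobject]@{
        State     = $state
        Compliant = ($state -eq 'Restricted')
        Assigned  = $assigned
        # Desired list after remediation: keep everything that is not a self-consent policy
        # (for example resource-owner policies) so the PATCH does not strip unrelated settings.
        PatchBody = @{
            defaultUserRolePermissions = @{
                permissionGrantPoliciesAssigned = @($assigned | Where-Object { $_ -notlike 'ManagePermissionGrantsForSelf.*' })
            }
        }
    }
}

# Constructed sample policies (the resource-owner policy id is illustrative, not a real built-in id)
$samples = [ordered]@{
    Default   = @{ defaultUserRolePermissions = @{ permissionGrantPoliciesAssigned = @(
                    'ManagePermissionGrantsForSelf.microsoft-user-default-legacy') } }
    LowImpact = @{ defaultUserRolePermissions = @{ permissionGrantPoliciesAssigned = @(
                    'ManagePermissionGrantsForSelf.microsoft-user-default-low',
                    'ManagePermissionGrantsForOwnedResource.example-resource-owner-policy') } }
    Hardened  = @{ defaultUserRolePermissions = @{ permissionGrantPoliciesAssigned = @() } }
}

foreach ($name in $samples.Keys) {
    $r    = Get-UserConsentState -AuthorizationPolicy $samples[$name]
    $json = $r.PatchBody | ConvertTo-Json -Compress -Depth 5
    '{0,-10} state={1,-17} compliant={2,-5} patch={3}' -f $name, $r.State, $r.Compliant, $json
}
```

Only the Hardened sample is compliant. The LowImpact sample shows why the PATCH body is built from the current list rather than an empty array: the resource-owner policy survives remediation while the self-consent policy is dropped.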

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for monitoring (-Monitoring), remediation (-Remediation) and rollback (-Revert); -WhatIf shows the intended change without applying it.

```powershell
<#
.SYNOPSIS
    User Consent Restricted
.DESCRIPTION
    Ensures users cannot consent to applications accessing company data.
    Only admins should be able to grant consent to applications.
    Enforced through the Entra ID authorization policy
    (defaultUserRolePermissions.permissionGrantPoliciesAssigned).
.NOTES
    Filename: user-consent-restricted.ps1
    Author:   Nederlandse Baseline voor Veilige Cloud
.EXAMPLE
    .\user-consent-restricted.ps1 -Monitoring
    Check if user consent is restricted
.EXAMPLE
    .\user-consent-restricted.ps1 -Remediation -WhatIf
    Show which consent policies would be removed without changing anything
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph.Authentication

[CmdletBinding()]
param(
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert,
    [switch]$WhatIf
)

$ErrorActionPreference = 'Stop'

# Built-in permission grant policies in this family let *users* consent for themselves;
# any assigned entry means non-admins can grant apps access to company data.
$UserConsentPrefix = 'ManagePermissionGrantsForSelf.'
$LegacyUserConsent = 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy'
# v1.0 exposes authorizationPolicy as a singleton; GET and PATCH use the same URI
# (the beta endpoint differs: /policies/authorizationPolicy/authorizationPolicy).
$AuthPolicyUri     = 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "User Consent Restricted" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Get-AssignedGrantPolicies {
    # Permission grant policies currently assigned to the default user role.
    $authPolicy = Invoke-MgGraphRequest -Method GET -Uri $AuthPolicyUri
    return @($authPolicy.defaultUserRolePermissions.permissionGrantPoliciesAssigned)
}

function Set-AssignedGrantPolicies {
    param([string[]]$Policies)
    # PATCH replaces the whole array, so always pass the complete desired list.
    $body = @{ defaultUserRolePermissions = @{ permissionGrantPoliciesAssigned = @($Policies) } }
    Invoke-MgGraphRequest -Method PATCH -Uri $AuthPolicyUri `
        -Body ($body | ConvertTo-Json -Depth 10) -ContentType 'application/json'
}

function Invoke-Monitoring {
    # Returns 0 (compliant), 1 (non-compliant) or 2 (error) for unattended use.
    try {
        Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Gray
        Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

        Write-Host "Checking user consent settings..." -ForegroundColor Gray
        $userConsent = @(Get-AssignedGrantPolicies | Where-Object { $_ -like "$UserConsentPrefix*" })

        if ($userConsent.Count -gt 0) {
            Write-Host " [FAIL] User consent: ENABLED (not secure)" -ForegroundColor Red
            Write-Host " Users can consent to apps accessing company data" -ForegroundColor Red
            Write-Host " Assigned: $($userConsent -join ', ')" -ForegroundColor Red
            Write-Host "`n[FAIL] NON-COMPLIANT" -ForegroundColor Red
            Write-Host "Restrict user consent to prevent data exposure" -ForegroundColor Yellow
            return 1
        }
        Write-Host " [OK] User consent: RESTRICTED (secure)" -ForegroundColor Green
        Write-Host " Only admins can consent to apps" -ForegroundColor Green
        Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green
        return 0
    }
    catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        return 2
    }
}

function Invoke-Remediation {
    try {
        Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Gray
        Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization" -NoWelcome

        Write-Host "Restricting user consent..." -ForegroundColor Gray
        $assigned  = Get-AssignedGrantPolicies
        # Remove only the user self-consent policies; leave other assigned
        # policies (for example resource-owner policies) untouched.
        $removed   = @($assigned | Where-Object { $_ -like "$UserConsentPrefix*" })
        $remaining = @($assigned | Where-Object { $_ -notlike "$UserConsentPrefix*" })

        if ($removed.Count -eq 0) {
            Write-Host " [OK] User consent already restricted, nothing to do" -ForegroundColor Green
            return 0
        }
        if ($WhatIf) {
            Write-Host " [WhatIf] Would remove: $($removed -join ', ')" -ForegroundColor Yellow
            return 0
        }

        Set-AssignedGrantPolicies -Policies $remaining
        Write-Host "`n[OK] User consent restricted" -ForegroundColor Green
        Write-Host "Users can no longer consent to applications" -ForegroundColor Cyan
        Write-Host "Only admins can grant app permissions" -ForegroundColor Cyan
        return 0
    }
    catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        return 2
    }
}

function Invoke-Revert {
    # Restores the Entra ID default (any user may consent to any app). This
    # re-opens the consent-phishing exposure; use for rollback only.
    Write-Host "`nReverting configuration..." -ForegroundColor Cyan
    try {
        if ($WhatIf) {
            Write-Host " [WhatIf] Would re-assign $LegacyUserConsent" -ForegroundColor Yellow
            return 0
        }
        Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization" -NoWelcome
        $assigned = Get-AssignedGrantPolicies
        if ($assigned -notcontains $LegacyUserConsent) {
            Set-AssignedGrantPolicies -Policies ($assigned + $LegacyUserConsent)
        }
        Write-Host " Configuration reverted" -ForegroundColor Green
        Write-Host "`nRevert completed" -ForegroundColor Green
        return 0
    }
    catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        return 2
    }
}

$exitCode = 0
try {
    if ($Monitoring)      { $exitCode = Invoke-Monitoring }
    elseif ($Remediation) { $exitCode = Invoke-Remediation }
    elseif ($Revert)      { $exitCode = Invoke-Revert }
    else { Write-Host "Use: -Monitoring, -Remediation or -Revert" -ForegroundColor Yellow }
}
finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}
exit $exitCode
```

Risk without implementation

High: with the Entra ID default in place, any user can consent to any third-party application that asks for access to their mail, files or directory data. An attacker who gets a single user to accept a malicious OAuth app (consent phishing) obtains a token that keeps working without the user's password and survives a password reset, and the grant is invisible to most endpoint tooling. Restricting consent to administrators removes that path and forces every application grant through review.