Office Protect Event - User Consented to an App

This event warns you that a user granted consent to an application in Microsoft 365. When a user gives permissions to an external application, the event will trigger.


Application consent can be granted on behalf of the individual user or on behalf of the organization, in which case it applies to all users in the organization. Only an admin user can grant consent on behalf of the organization.


The monitoring event tells you which user consented to an app, which application received the consent, and whether the consent was applied on behalf of the organization.


Azure-registered applications may request access to data such as contact information, email, and documents, either for a single user or for all users (which requires an admin). This makes application consent a target of choice for hackers, who impersonate a legitimate application to access user data as well as credentials. It is also possible for a legitimate application to be compromised, which may lead to user credential leaks.

We recommend being careful with applications that require admin permission to consent on behalf of all users, as this can potentially expose a very large amount of sensitive M365 data.


Note that this event is triggered for each new consent given. A user may first consent on behalf of themselves only and later on behalf of the organization; this would trigger 2 separate notifications.
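The following added example (not part of the original article and not Office Protect code) shows how the same facts the event reports (who consented, to which app, and whether it was org-wide) can be pulled from delegated consent records to build a review queue. It assumes records in the shape of Microsoft Graph `oauth2PermissionGrant` objects; the sample data, IDs, function names and the sensitive-scope watchlist are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample shaped like Microsoft Graph oauth2PermissionGrant objects.
# All IDs are placeholders. app-A shows the case described above: one user
# consent followed by an org-wide (admin) consent for the same application.
SAMPLE_GRANTS = json.loads("""
[
  {"id": "grant-1", "clientId": "app-A", "consentType": "Principal",
   "principalId": "user-1", "resourceId": "graph", "scope": "User.Read Mail.Read"},
  {"id": "grant-2", "clientId": "app-A", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "graph",
   "scope": "User.Read Mail.Read Files.Read.All"},
  {"id": "grant-3", "clientId": "app-B", "consentType": "Principal",
   "principalId": "user-2", "resourceId": "graph", "scope": "User.Read"}
]
""")

# Assumption: an illustrative watchlist for the data types the article names
# (email, contacts, documents). Replace with your own policy.
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Contacts.Read", "Files.Read.All"}

def summarize_consents(grants):
    """Group grants per client app: who consented, org-wide or not, which scopes."""
    apps = defaultdict(lambda: {"org_wide": False, "users": set(),
                                "scopes": set(), "grant_ids": []})
    for g in grants:
        entry = apps[g["clientId"]]
        entry["grant_ids"].append(g["id"])
        entry["scopes"].update((g.get("scope") or "").split())
        if g["consentType"] == "AllPrincipals":   # consent for the whole organization
            entry["org_wide"] = True
        elif g.get("principalId"):                # consent for a single user
            entry["users"].add(g["principalId"])
    return dict(apps)

def review_queue(grants):
    """Return (app, reason) pairs that need review, org-wide consents first."""
    queue = []
    for app, e in summarize_consents(grants).items():
        hits = sorted(e["scopes"] & SENSITIVE_SCOPES)
        if e["org_wide"]:
            queue.append((app, "org-wide consent; sensitive scopes: "
                               + (", ".join(hits) or "none")))
        elif hits:
            queue.append((app, "user consent with sensitive scopes: " + ", ".join(hits)))
    return sorted(queue, key=lambda item: not item[1].startswith("org-wide"))

if __name__ == "__main__":
    for app, reason in review_queue(SAMPLE_GRANTS):
        print(app, "->", reason)
```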



Remediation


If a granted consent needs to be removed, or if you want to review the specific permissions granted, follow the steps in this article: Review permissions granted to applications.


Note that following the steps documented above only removes the consent given; it will not stop a user from re-consenting to the application.


To limit or disable user consent, follow the steps described in this article: Configure how users consent to applications.