Part of the 365 / Azure platform’s appeal is its ability to integrate with a wide array of useful 3rd-party apps. However, this comes with a dark side – users might download malicious apps and grant consent on behalf of the organization to access company data.
The solution to this is to require admin consent before users can connect any 3rd-party apps to company data living in 365 / Azure. This gives admins the opportunity to vet all apps and identify risks before they become critical problems.
To enable, follow this process:
1. Sign in to portal.azure.com as an admin.
2. Select Azure Active Directory from the left-side menu, then select Enterprise Applications >> Consent and Permissions >> User consent settings.
3. Under User consent for applications, select Do not allow user consent.
4. Done! Users are now blocked from consenting on behalf of the organization. In order to add an app connection, the user will have to reach out to an admin to allow access.
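To confirm that step 3 took effect without relying on the portal view, the check below (an added example, not part of the original post) reads the tenant's authorization policy as returned by Microsoft Graph `GET /policies/authorizationPolicy` and reports whether any self-consent policy is still assigned. The function name and both sample JSON documents are constructed for illustration.

```python
import json

# Graph prefixes each assigned policy with what it governs; this prefix
# marks policies that let a user consent to an app for themselves.
SELF_PREFIX = "managepermissiongrantsforself."

# Microsoft's built-in self-consent policy IDs and what each one allows.
BUILTIN = {
    "microsoft-user-default-legacy": "users may consent to any app",
    "microsoft-user-default-low": "users may consent to verified-publisher apps, low-risk permissions",
}

def user_consent_state(policy_json: str) -> dict:
    """Report whether an authorizationPolicy still lets users consent to apps."""
    policy = json.loads(policy_json)
    perms = policy.get("defaultUserRolePermissions") or {}
    assigned = perms.get("permissionGrantPoliciesAssigned") or []
    active, other = [], []
    for entry in assigned:
        if entry.lower().startswith(SELF_PREFIX):
            policy_id = entry[len(SELF_PREFIX):]
            active.append(BUILTIN.get(policy_id.lower(), f"custom policy {policy_id}"))
        else:
            other.append(entry)  # e.g. group-owner consent, a separate setting
    return {"user_consent_blocked": not active,
            "active_user_consent": active,
            "other_policies": other}

# Constructed sample responses (not captured from a real tenant).
SAMPLE_BLOCKED = json.dumps({
    "id": "authorizationPolicy",
    "defaultUserRolePermissions": {
        # Placeholder policy ID; only the prefix matters to the check.
        "permissionGrantPoliciesAssigned": ["ManagePermissionGrantsForOwnedResource.example-policy"],
    },
})
SAMPLE_OPEN = json.dumps({
    "id": "authorizationPolicy",
    "defaultUserRolePermissions": {
        "permissionGrantPoliciesAssigned": ["ManagePermissionGrantsForSelf.microsoft-user-default-legacy"],
    },
})

if __name__ == "__main__":
    for name, doc in (("blocked", SAMPLE_BLOCKED), ("open", SAMPLE_OPEN)):
        print(name, user_consent_state(doc))
```

A tenant set to Do not allow user consent should report `user_consent_blocked` as true; anything listed under `active_user_consent` means users can still approve apps on their own.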
This setting won’t be right for every organization, but I think it’s a good starting point for the sake of security and control. If it ends up being a problem for business, you can go back to the portal at any time and change the setting.