Non-Admin Consented API Permissions

Under this category, I have 3 items:
ENow App Governance Accelerator Data Collector - Professional (which I assume is required to run the site), GraphAggregatorService (aka Microsoft Graph), and MSFT Power Platform (aka Microsoft Power Platform).
I wish I understood better why these show up, and if they impact my score.


Why we perform this check
These apps show up because they have only user consents and no admin consent.

In an Entra tenant with default settings, apps that have only user consents and no admin consent are applications that people in the organization have added themselves, by signing in to them with their Entra (corporate/organizational, ‘Work or School’) accounts and consenting on their own behalf. In that case, the app is an indicator of shadow IT.

In an Entra tenant with settings that prevent user consent, an admin can still consent to an app for themselves without ticking the ‘Consent on behalf of your organization’ box, which records a per-user consent rather than an admin consent. However, this would:

  • Leave the app dependent on individual user consents, so other users in the tenant end up consenting to and using it on their own rather than under a single, reviewed tenant-wide grant
  • Not give admins a working way to require and assign user access: restricting an app to an assigned set of users or groups is only meaningful for an admin-consented app, and without it the app is open to everyone in the organization, guests included

In that case, it is an indicator of a lack of governance.
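The distinction above can be checked directly against the tenant: each delegated permission grant carries a consentType of either "Principal" (one user consented for themselves) or "AllPrincipals" (an admin consented for the whole tenant). The following script is an added example using the Microsoft Graph PowerShell SDK; it is not the ENow App Governance Accelerator's own collector or code. It lists apps whose only grants are per-user consents and computes the share they make up. The denominator used here (apps that have at least one delegated grant) is an assumption, as the product does not state how it counts "all apps".

```powershell
# Added example (not from the ENow product or its documentation): list service principals
# whose OAuth2 delegated grants are all per-user ("Principal") consents with no tenant-wide
# ("AllPrincipals") admin consent, and compute the share they make up of all apps that have
# a delegated grant. Assumes the Microsoft.Graph PowerShell SDK is installed and the caller
# can read applications and delegated permission grants.
Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All' -NoWelcome

# One round trip each: all service principals and all delegated permission grants in the tenant.
$servicePrincipals = Get-MgServicePrincipal -All -Property Id, AppId, DisplayName, AppRoleAssignmentRequired
$grants            = Get-MgOauth2PermissionGrant -All

# Index grants by the client, i.e. the service principal that was consented to.
$grantsByClient = $grants | Group-Object -Property ClientId -AsHashTable -AsString

$report = @(foreach ($sp in $servicePrincipals) {
    $spGrants = @()
    if ($grantsByClient -and $grantsByClient.ContainsKey($sp.Id)) { $spGrants = @($grantsByClient[$sp.Id]) }
    # Apps with no delegated grant at all (e.g. app-only permissions) are out of scope for this check.
    if ($spGrants.Count -eq 0) { continue }

    $adminGrants = @($spGrants | Where-Object ConsentType -eq 'AllPrincipals')
    $userGrants  = @($spGrants | Where-Object ConsentType -eq 'Principal')

    [pscustomobject]@{
        DisplayName            = $sp.DisplayName
        AppId                  = $sp.AppId
        ServicePrincipalId     = $sp.Id
        AdminConsented         = $adminGrants.Count -gt 0
        UserConsentCount       = $userGrants.Count
        ConsentingUsers        = @($userGrants.PrincipalId | Sort-Object -Unique).Count
        UserAssignmentRequired = [bool]$sp.AppRoleAssignmentRequired
        # Union of the delegated scopes granted, whichever consent type granted them.
        Scopes                 = ((($spGrants.Scope -join ' ') -split '\s+' | Where-Object { $_ } | Sort-Object -Unique) -join ' ')
    }
})

# An app counts as "user-consented" when it has per-user grants and no tenant-wide grant.
$userConsentedOnly = @($report | Where-Object { -not $_.AdminConsented })
$percent = if ($report.Count -gt 0) { [math]::Round(100 * $userConsentedOnly.Count / $report.Count, 1) } else { 0 }

$userConsentedOnly | Sort-Object UserConsentCount -Descending |
    Format-Table DisplayName, AppId, UserConsentCount, ConsentingUsers, UserAssignmentRequired, Scopes -AutoSize
"{0} of {1} apps with delegated grants ({2}%) have only user consents" -f $userConsentedOnly.Count, $report.Count, $percent
```

Microsoft first-party apps such as Microsoft Graph or Power Platform appear in this list on exactly the same terms as third-party apps: a per-user grant to them is still a per-user grant. The Scopes column is the part worth reading before admin-consenting, since a tenant-wide grant should cover only what the app actually needs.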

What we recommend
We recommend that, for each app one or more people in the organization actually use, an admin:

  • admin-consents to the app, so it has a single tenant-wide grant instead of a collection of per-user consents;
  • requires user assignment on the app, so users and guests who are not assigned can no longer sign in to it;
  • assigns a group to the app;
  • adds the people who need the app as members of that group.
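The steps above, carried out with the Microsoft Graph PowerShell SDK, as an added example that is not the product's own code. $AppId is the application (client) ID of the app to govern, $Scopes are the delegated Microsoft Graph permissions it is to be admin-consented for, and $GroupName is the access group; all three are placeholders supplied by the caller. The script assigns the group before turning on "assignment required" so that current users are not locked out in between, and it seeds the group with the users who had already consented to the app.

```powershell
# Added example (not from the ENow product or its documentation): bring one app that currently
# has only per-user consents under governance. Assumes the Microsoft.Graph PowerShell SDK and a
# caller who can grant delegated permissions, update service principals and manage groups.
param(
    [Parameter(Mandatory)] [string] $AppId,                       # placeholder: the app's client ID
    [string[]] $Scopes = @('openid', 'profile', 'User.Read'),     # placeholder: delegated Graph scopes
    [string] $GroupName = "App Access - $AppId"                   # placeholder: access group name
)

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All',
                        'AppRoleAssignment.ReadWrite.All', 'Group.ReadWrite.All' -NoWelcome

$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal for appId $AppId in this tenant" }

# The resource being consented to: Microsoft Graph's service principal in this tenant.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Refuse scopes Microsoft Graph does not expose, instead of silently writing a useless grant.
$exposed = $graphSp.Oauth2PermissionScopes.Value
$unknown = @($Scopes | Where-Object { $_ -notin $exposed })
if ($unknown.Count -gt 0) { throw "Microsoft Graph does not expose: $($unknown -join ', ')" }

# Step 1: admin consent, i.e. a single tenant-wide ("AllPrincipals") grant for the needed scopes.
$existing = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)' and consentType eq 'AllPrincipals'" |
            Where-Object ResourceId -eq $graphSp.Id | Select-Object -First 1
if ($existing) {
    # Extend the existing tenant-wide grant rather than creating a duplicate.
    $merged = ((($existing.Scope -split '\s+') + $Scopes | Where-Object { $_ } | Sort-Object -Unique) -join ' ')
    Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $existing.Id -Scope $merged
} else {
    New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType 'AllPrincipals' -ResourceId $graphSp.Id `
                                -Scope ($Scopes -join ' ') | Out-Null
}

# Step 2: the security group that owns access to the app.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) {
    $nick = $GroupName -replace '[^A-Za-z0-9]', ''
    if ($nick.Length -gt 64) { $nick = $nick.Substring(0, 64) }
    $group = New-MgGroup -DisplayName $GroupName -MailEnabled:$false -MailNickname $nick -SecurityEnabled
}

# Step 3: assign the group to the app. An app that defines no app roles is assigned through the
# default access role, whose id is the all-zeros GUID.
$defaultRole = [guid]::Empty.ToString()
$already = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
           Where-Object PrincipalId -eq $group.Id
if (-not $already) {
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -PrincipalId $group.Id `
                                            -ResourceId $sp.Id -AppRoleId $defaultRole | Out-Null
}

# Step 4: the people who actually used the app (known from its per-user consents) become members.
$userGrants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)' and consentType eq 'Principal'"
foreach ($uid in @($userGrants.PrincipalId | Sort-Object -Unique)) {
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $uid -ErrorAction SilentlyContinue
}

# Step 5: only now require assignment, so nobody currently using the app is cut off in between.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -BodyParameter @{ appRoleAssignmentRequired = $true }

"Governed '$($sp.DisplayName)': tenant-wide grant for [$($Scopes -join ' ')], group '$GroupName' ($($group.Id)) assigned, assignment now required"
```

Step 5 is the one that changes who can sign in: once assignment is required, everyone outside the group, guests included, is refused at sign-in, which is the governance outcome the recommendation is after. Review the membership seeded in step 4 afterwards rather than treating "has consented before" as "should keep access".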

How it impacts your score
This check influences your score based on the percentage of user-consented apps among all apps. The higher that percentage, the larger the penalty, currently up to a maximum of -7%.