Description

'User settings' is default configurations of consent and permissions for all tenant users. External and internal applications can get user profiles containing private information such as phone numbers and email addresses which could then be sold off to other third parties without requiring any further consent from the user. It was detected that tenant's default user settings are not limited.

• 

  Recommended Mitigation

  Unless Azure Active Directory is running as an identity provider for third-party applications, do not allow users to use their identity outside of the cloud environment. It is recommended to configure whether users are allowed to consent for applications to access your organization's data to be set to 'Do not allow user consent' or 'Allow user consent for apps from verified publishers'. For more information: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?tabs=azure-portal#configure-user-consent-to-applications