Do you control which third-party OAuth apps users can grant access to (consent phishing defence)?
Demonstrate that the organization enforces technical and administrative controls that prevent unauthorized users from granting third-party OAuth applications access to organizational resources and data.
Description
What this control does
This control restricts the ability of users to authorize third-party OAuth applications to access organizational data and resources, protecting against consent phishing attacks where malicious actors trick users into granting OAuth permissions to attacker-controlled apps. Organizations implement allowlists of pre-approved OAuth applications, risk-based consent policies, or administrator-only consent workflows that prevent users from independently granting access to unvetted applications. This defense is critical in cloud environments where OAuth tokens can provide persistent access to email, files, and collaboration platforms without requiring credential theft.
Control objective
What auditing this proves
Demonstrate that the organization enforces technical and administrative controls that prevent unauthorized users from granting third-party OAuth applications access to organizational resources and data.
Associated risks
Risks this control addresses
- Attackers deploy malicious OAuth applications that harvest credentials, email, or files after users grant consent through social engineering
- Legitimate but vulnerable third-party applications receive excessive permissions and become pivot points for data exfiltration
- Shadow IT proliferates as users independently authorize applications without security review, creating unmanaged attack surface
- OAuth tokens granted to compromised or malicious applications persist beyond password resets, maintaining attacker access
- Data loss occurs when users grant third-party apps permissions to read, modify, or delete organizational content in cloud services
- Compliance violations result from unvetted applications accessing regulated data without proper vendor risk assessment or data processing agreements
Testing procedure
How an auditor verifies this control
- Inventory all identity platforms supporting OAuth integrations (Microsoft 365, Google Workspace, Okta, Azure AD) and document which systems are in scope.
- Review tenant-level OAuth consent policies and extract configuration settings governing user consent permissions, admin consent requirements, and application restrictions.
- Examine any allowlists or blocklists of OAuth applications and verify whether users can consent to applications outside approved lists.
- Select a sample of 10-15 OAuth applications currently authorized in the environment and verify each was subject to appropriate approval workflow per policy.
- Attempt to simulate user consent to an unapproved test OAuth application using a standard user account to validate technical enforcement.
- Review audit logs for OAuth consent events over the past 90 days and identify any instances of user-initiated consent that bypassed controls.
- Interview identity administrators to confirm processes for reviewing OAuth application requests, risk assessment criteria, and periodic access reviews.
- Verify that monitoring and alerting mechanisms exist to detect anomalous OAuth consent activity or newly registered applications.
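The following script is an added example, not part of the original control text, covering two of the testing steps above in code: reviewing tenant consent policy settings for weak configurations, and scanning OAuth consent events for user-initiated grants that bypassed the approval process. The policy keys, application identifiers, scope names and audit records are all constructed placeholders for this example and do not follow any particular identity platform's schema; an auditor would substitute the exported settings and logs from the in-scope tenant.

```python
"""Offline audit helper for OAuth consent controls (added example).

Two checks are implemented:
  1. assess_consent_policy(): flags weak tenant consent settings.
  2. audit_consent_events(): finds consent grants outside the allowlist.
All identifiers and records below are constructed for illustration.
"""
import json
from dataclasses import dataclass

# Constructed allowlist of pre-approved application identifiers.
APPROVED_APPS = {"app-crm-approved", "app-docsync-approved"}

# Scopes that give broad or persistent access to mail, files or the directory.
# A user-initiated grant of one of these to an unapproved app is rated high.
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All",
                    "Directory.ReadWrite.All", "offline_access"}

# Constructed policy exports: a weak tenant and a hardened one.
WEAK_POLICY = {"user_consent": "all",
               "admin_consent_workflow": False,
               "app_allowlist_enforced": False}
HARDENED_POLICY = {"user_consent": "verified_low_risk",
                   "admin_consent_workflow": True,
                   "app_allowlist_enforced": True}

# Constructed audit log lines (one JSON record per line).
SAMPLE_EVENTS = [
    '{"id": "e1", "event": "consent_granted", "consent_type": "user", '
    '"actor": "alice", "app_id": "app-crm-approved", "scopes": ["Mail.Read"]}',
    '{"id": "e2", "event": "consent_granted", "consent_type": "user", '
    '"actor": "bob", "app_id": "app-unknown-invoice", '
    '"scopes": ["Mail.ReadWrite", "offline_access"]}',
    '{"id": "e3", "event": "consent_granted", "consent_type": "user", '
    '"actor": "carol", "app_id": "app-unknown-quiz", "scopes": ["User.Read"]}',
    '{"id": "e4", "event": "consent_granted", "consent_type": "admin", '
    '"actor": "admin1", "app_id": "app-unknown-bi", "scopes": ["Files.Read.All"]}',
    '{"id": "e5", "event": "sign_in", "actor": "alice"}',
]


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    event_id: str
    app_id: str
    reason: str


def assess_consent_policy(policy: dict) -> list:
    """Return a list of weaknesses in a tenant consent policy export.

    Keys (constructed for this example):
      user_consent: "all" | "verified_low_risk" | "none"
      admin_consent_workflow: bool (users can request admin approval)
      app_allowlist_enforced: bool (consent limited to approved apps)
    """
    issues = []
    if policy.get("user_consent") == "all":
        issues.append("users may consent to any application and any permission")
    if policy.get("user_consent") != "none" and not policy.get("app_allowlist_enforced"):
        issues.append("user consent allowed but no application allowlist is enforced")
    if not policy.get("admin_consent_workflow"):
        issues.append("no admin consent request workflow; users lack a sanctioned "
                      "path, which drives shadow IT")
    return issues


def audit_consent_events(lines, approved=APPROVED_APPS) -> list:
    """Scan consent_granted records and flag grants outside the allowlist."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event") != "consent_granted":
            continue  # only consent grants are relevant to this control
        app = ev["app_id"]
        scopes = set(ev.get("scopes", []))
        if app in approved:
            continue  # approved app; nothing to report
        if ev.get("consent_type") == "user":
            # A user granted access outside the allowlist: technical
            # enforcement failed or was bypassed. Rate by scope risk.
            sev = "high" if scopes & HIGH_RISK_SCOPES else "medium"
            findings.append(Finding(sev, ev["id"], app,
                                    "user-initiated consent to app outside allowlist"))
        else:
            # Admin consent to an app not on the allowlist: check that an
            # approval record exists; the allowlist may simply be stale.
            findings.append(Finding("low", ev["id"], app,
                                    "admin consent to app not on allowlist; verify approval record"))
    return findings


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name} policy issues: {assess_consent_policy(pol)}")
    for f in audit_consent_events(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.event_id} {f.app_id}: {f.reason}")
```

Run against the constructed data, the weak policy yields three issues and the hardened one none; the event scan reports e2 as high (unapproved app with mail write and refresh-token scopes), e3 as medium and e4 as low, while the approved grant e1 and the unrelated sign-in e5 produce nothing. Any user-initiated finding at all is evidence for step six above that consent bypassed the control, regardless of severity.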