Understanding "This App May Be Risky" Warnings Post-Publisher Verification

Issue: Users may encounter a "This app may be risky" warning when attempting to use an Azure Active Directory (now Microsoft Entra ID) integrated application, even after the application's publisher has completed the publisher verification process (indicated by a blue badge).

Description:

The presence of the "This app may be risky" warning after an application has achieved publisher verification can be a source of confusion. It is crucial to understand that publisher verification and the "This app may be risky" warning are distinct and separate security features within Microsoft's ecosystem. They address different aspects of application trust and security.

  1. Publisher Verification (Blue Badge):
    • Purpose: This process confirms that an application originates from a legitimate and verified publisher. Its primary function is to remove the "unverified publisher" warning, assuring users of the application's source identity.
    • Outcome: Once the blue badge is displayed, users can trust that the application's developer has been validated by Microsoft.
  2. "This App May Be Risky" Warning:
    • Purpose: This warning is a dynamic security alert generated based on various factors related to the application's requested permissions and the client organization's security posture. It is not directly negated by publisher verification.
    • Triggers: This warning is typically triggered by one or more of the following:
      • Scope of Requested Permissions: Applications requesting high-privilege, sensitive, or broad access to user data (e.g., Mail.ReadWrite, Directory.ReadWrite.All) are more likely to be flagged as potentially risky.
      • Client Organization's Security Policies: The Microsoft 365 or Azure AD (Microsoft Entra ID) security policies configured by the client's administrators can dictate which permissions require administrative consent or are deemed risky within their specific tenant.
      • Admin Consent Requirements: Certain application permissions are inherently designated by Microsoft as requiring administrator consent, irrespective of publisher verification or tenant-level user consent settings. This is often part of Microsoft's risk-based step-up consent mechanism.

Resolution:

It is normal behavior for the "This app may be risky" warning to persist even for applications with a verified publisher badge. This does not indicate a flaw in the application's functionality or the publisher verification process.

To resolve this warning and allow users to access the application, the client organization's administrator must grant consent for the application. This process allows the administrator to review the requested permissions and approve them on behalf of all users within their organization.
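The following is an added example, not code from the original article or from Microsoft. It shows how an administrator reviewing a "This app may be risky" prompt can pull the requested scopes out of the consent request URL, sort them into review buckets (the watchlist here is a constructed, defender-maintained list seeded with the two scopes named above, not Microsoft's own admin-consent rule set), and then build the tenant-wide admin consent URL that performs the resolution described in this section. The client ID, tenant, redirect URI and authorize URL are constructed sample values.

```python
"""Triage the scopes behind a consent prompt and build the admin consent URL.

Added example (not the article's or Microsoft's code). Assumptions:
  - the consent request is a standard Entra ID v2.0 authorize URL;
  - HIGH_PRIVILEGE is a constructed watchlist an admin maintains; it is
    not the set of permissions Microsoft designates as admin-consent-only.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed watchlist: scopes an administrator should review before granting
# tenant-wide consent. Seeded with the two scopes the article names.
HIGH_PRIVILEGE = {"Mail.ReadWrite", "Directory.ReadWrite.All"}

# Standard OpenID Connect scopes that carry no directory privilege.
BASELINE = {"openid", "profile", "email", "offline_access"}

# Constructed sample consent request (placeholder client_id, not a real app).
SAMPLE_AUTHORIZE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fauth"
    "&scope=openid%20profile%20offline_access%20Mail.ReadWrite"
    "%20https%3A%2F%2Fgraph.microsoft.com%2FDirectory.ReadWrite.All%20User.Read"
)


def requested_scopes(authorize_url: str) -> list[str]:
    """Return the space-separated scope list carried by an authorize URL."""
    query = parse_qs(urlsplit(authorize_url).query)
    raw = query.get("scope", [""])[0]
    return [s for s in raw.split() if s]


def normalise(scope: str) -> str:
    """Strip a resource prefix such as https://graph.microsoft.com/ so that
    prefixed and bare forms of the same permission compare equal."""
    return scope.rsplit("/", 1)[-1]


def triage(scopes: list[str]) -> dict[str, list[str]]:
    """Sort scopes into review buckets.

    high_privilege: on the watchlist, the likely trigger for the warning
    default_scope:  a resource/.default request (consents to everything the
                    app registration lists, so review the registration itself)
    baseline:       OIDC sign-in scopes
    other:          everything else, still worth a look
    """
    report: dict[str, list[str]] = {
        "high_privilege": [], "default_scope": [], "baseline": [], "other": []
    }
    for scope in scopes:
        name = normalise(scope)
        if name == ".default":
            report["default_scope"].append(scope)
        elif name in HIGH_PRIVILEGE:
            report["high_privilege"].append(scope)
        elif name in BASELINE:
            report["baseline"].append(scope)
        else:
            report["other"].append(scope)
    return report


def admin_consent_url(tenant: str, client_id: str, redirect_uri: str,
                      scopes: list[str], state: str = "admin-review") -> str:
    """Build the v2.0 admin consent URL an administrator opens to grant
    consent on behalf of the whole tenant. `state` is an assumed value the
    caller may use to correlate the round trip."""
    params = {
        "client_id": client_id,
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?{urlencode(params)}"


if __name__ == "__main__":
    scopes = requested_scopes(SAMPLE_AUTHORIZE_URL)
    for bucket, items in triage(scopes).items():
        print(f"{bucket:15s} {items}")
    print(admin_consent_url("contoso.example",
                            "00000000-0000-0000-0000-000000000000",
                            "https://app.example/auth", scopes))
```

Run it as-is to see the sample request sorted; in practice, substitute the authorize URL captured from the user's browser, and compare the `high_privilege` bucket against the permissions listed on the app registration before opening the admin consent URL.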

For detailed information regarding administrator consent requirements and related error codes (e.g., AADSTS65001), please refer to Microsoft's official documentation on Admin Consent in Microsoft Entra ID.
