This chapter covers app consent policies and admin consent in Microsoft Entra ID, critical for controlling how applications access your organization's data. Understanding these mechanisms is essential for the MS-102 exam, particularly in the Identity Access domain (Objective 2.3). Approximately 15-20% of exam questions touch on app permissions, consent settings, and related policies. You will learn the technical underpinnings of user and admin consent, how to configure consent policies, and how to audit and manage permissions to protect your tenant.
Jump to a section
Imagine a company where employees frequently need to purchase software or services from external vendors. Without any policy, each employee could sign up for a free trial or buy a subscription using their own credit card, potentially exposing the company to unauthorized charges or security risks. To control this, the company issues a corporate credit card that only managers can approve for use. When an employee wants to buy something, they submit a request to their manager. If approved, the manager uses the corporate card to complete the purchase, and the charge is recorded centrally. Similarly, in Microsoft Entra ID, users can consent to apps accessing organizational data, but this can lead to oversharing. Admin consent is like the corporate card: administrators can grant consent for the entire organization, bypassing individual user prompts. App consent policies are like the rules for using the corporate card: you can specify which apps are allowed, what permissions they can request, and who can approve. Just as the company sets spending limits and approved vendors, administrators configure policies to allow or block specific permissions, ensuring that only trusted apps can access sensitive data. The mechanic is that when an app requests permissions, the system checks the policy first: if the request matches an allowed pattern, consent is granted silently; if not, the user is blocked or prompted to request admin approval. This mirrors the corporate card workflow: the card is only used when the request is within policy and approved by an authorized person.
What Are App Consent Policies and Admin Consent?
App consent policies and admin consent are mechanisms in Microsoft Entra ID that govern how applications can access organizational data. When an application requests permissions (e.g., to read user profiles, send mail, or access SharePoint sites), the system must decide whether to allow that access. There are two primary models: - User consent: An individual user can grant permissions to an app, typically during sign-in. This is suitable for low-risk permissions but can lead to oversharing if not controlled. - Admin consent: An administrator grants consent on behalf of the entire organization. This is required for high-risk permissions (e.g., reading all user profiles, accessing mailboxes) and ensures centralized control.
App consent policies allow administrators to define what permissions users can consent to and under what conditions. These policies are part of the broader Identity Governance framework.
How Consent Works Internally
When a user authenticates to an app using OAuth 2.0, the app requests specific permissions (scopes) from the Microsoft identity platform. The consent flow proceeds as follows:
1. The app redirects the user to the Microsoft Entra ID authorize endpoint with the requested scopes. 2. The user signs in, and Microsoft Entra ID checks whether the user has already consented to the requested permissions. 3. If not, Microsoft Entra ID evaluates the app consent policy to determine if the user is allowed to consent. - If the policy allows user consent for the requested permissions, the user sees a consent prompt and can approve. - If the policy blocks user consent, the user sees an error message indicating that admin consent is required. 4. If admin consent is required, the app must be granted consent by an administrator. The admin can use the admin consent endpoint or the Azure portal to grant consent.
Key Components and Defaults
- Permission types:
- Delegated permissions: The app acts on behalf of the signed-in user. The app can access only what the user can access.
- Application permissions: The app acts as itself (no signed-in user). These are high-risk permissions (e.g., read all mail in all mailboxes).
- Consent types:
- Static consent: Specified at app registration; permissions are requested upfront.
- Dynamic consent: Requested at runtime using the scope parameter; allows incremental consent.
- Default user consent setting: In new tenants, user consent is allowed for all delegated permissions. This is a security risk.
- Admin consent required: For application permissions and high-risk delegated permissions (e.g., Mail.ReadWrite, User.Read.All).
Configuring App Consent Policies
App consent policies are configured in the Microsoft Entra admin center under Enterprise applications > Consent and permissions > User consent settings. There are three options:
- Allow user consent for apps: Users can consent to any permission (default).
- Do not allow user consent: Users cannot consent; all consent must be admin consent.
- Allow user consent for apps from verified publishers, for selected permissions: This is the recommended setting. You can define a policy that specifies which permissions are allowed (e.g., low-risk permissions like openid, profile, email, User.Read).
You can also create custom app consent policies using PowerShell or Microsoft Graph. For example, using the Microsoft Graph PowerShell SDK:
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"
$params = @{
displayName = "Allow low-risk permissions"
description = "Allow user consent for basic profile and email permissions"
conditions = @{
clientApplications = @{
includeAll = $true
}
permissions = @{
includePermissionNames = @("openid", "profile", "email", "User.Read")
}
}
includeAllApplications = $true
}
New-MgPolicyAppConsentPolicy -BodyParameter $paramsAdmin Consent Workflow
When an app requires admin consent, an administrator can grant it via: - Azure portal: Navigate to Enterprise applications > select the app > Permissions > Grant admin consent. - Admin consent endpoint: Use a URL like:
https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={app-id}&state=12345&redirect_uri={redirect-uri}Microsoft Graph: Use the POST /oauth2/v2.0/adminconsent endpoint.
Granting admin consent means that all users in the organization can use the app with the requested permissions. It cannot be partially granted; you must accept all requested permissions or none.
Auditing and Monitoring
To track consent activity, use:
- Microsoft Entra audit logs: Look for activities like "Consent to application" or "Add app role assignment to service principal".
- Microsoft 365 Defender: Alerts for risky consent grants.
- PowerShell: Use Get-AzureADAuditDirectoryLogs to retrieve consent events.
Interaction with Related Technologies
Conditional Access: Can enforce policies for app usage, but does not replace consent policies. For example, you can require multi-factor authentication when using an app that has been consented.
Privileged Identity Management (PIM): Can require approval for admin consent to high-risk apps.
Microsoft Defender for Cloud Apps: Can detect anomalous app behavior and revoke consent.
Example: Configuring a Policy to Block User Consent for High-Risk Permissions
Assume you want to allow user consent only for basic profile and email permissions, and block everything else. You would:
1. Set user consent to "Allow user consent for apps from verified publishers, for selected permissions".
2. Create a policy that includes only openid, profile, email, User.Read.
3. Any app requesting Mail.Read or Files.Read.All will require admin consent.
This policy can be enforced across all apps or specific apps.
Common Pitfalls
Overly permissive default: Many organizations never change the default user consent setting, leaving them vulnerable to consent phishing attacks.
Not reviewing consented apps: Apps with excessive permissions can persist unnoticed.
Misunderstanding delegated vs. application permissions: Application permissions always require admin consent, but delegated permissions for high-risk scopes also require admin consent if configured.
Exam-Relevant Numbers and Defaults
Default user consent setting: Allow user consent for apps (all permissions).
Admin consent required for: Application permissions, and delegated permissions that are classified as requiring admin consent (e.g., Mail.ReadWrite, User.Read.All).
Permission classification: Microsoft Entra ID classifies permissions into low, medium, high risk. Only low-risk permissions can be included in user consent policies.
Maximum number of app consent policies: 100 per tenant.
Grant admin consent via URL: https://login.microsoftonline.com/{tenant-id}/adminconsent.
Verification Commands
To check current user consent settings:
Get-AzureADMSAuthorizationPolicy | Select-Object DisplayName, UserConsentSettingsTo list all consented apps:
Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppRoleAssignmentRequired -eq $true} | Select-Object DisplayName, AppIdIdentify App Permission Requirements
When an application is registered in Microsoft Entra ID, it declares the permissions it needs. These are specified in the app registration manifest under `requiredResourceAccess`. Each permission is a scope (delegated) or role (application). The app developer chooses these during development. As an administrator, you can review these permissions in the Azure portal under App registrations > your app > API permissions. Understanding what permissions an app requests is the first step in deciding whether to allow consent.
Configure User Consent Policy
Navigate to Microsoft Entra admin center > Enterprise applications > Consent and permissions > User consent settings. Choose one of three options: allow all user consent, block all user consent, or allow user consent for selected permissions. If you choose the third option, you must create a policy that lists the allowed permissions. The policy can apply to all apps or specific apps. Use PowerShell or Microsoft Graph to create custom policies. For example, you can allow only `openid`, `profile`, `email`, and `User.Read`.
Request Admin Consent for High-Risk Apps
When a user tries to use an app that requires admin consent, they see an error: 'Admin consent required'. The user can then request admin consent by clicking a link that sends a request to the administrator. Alternatively, an administrator can proactively grant admin consent via the Azure portal. Navigate to Enterprise applications > select the app > Permissions > Grant admin consent. You must sign in as a Global Administrator or a Privileged Role Administrator. The consent is valid for all users.
Audit and Monitor Consent Activity
Regularly review consent grants using Microsoft Entra audit logs. Filter by activity 'Consent to application' or 'Add app role assignment to service principal'. Use Microsoft 365 Defender for alerts on suspicious consent. You can also use PowerShell to export all service principals and their assigned roles. For example: `Get-AzureADServicePrincipal -All $true | Select-Object DisplayName, AppId, AppRoleAssignmentRequired`. If an app has excessive permissions, you can revoke consent by deleting the service principal or removing role assignments.
Revoke or Modify Consent
To revoke admin consent, navigate to Enterprise applications > select the app > Permissions > Revoke admin consent. This removes all permissions for that app. Alternatively, you can delete the service principal entirely. For user consent, you can remove the user's consent by using PowerShell: `Remove-AzureADOAuth2PermissionGrant -ObjectId <grant-id>`. You can also block future consent by updating the app consent policy. Remember that revoking consent may break app functionality; communicate with app owners before revoking.
Scenario 1: Large Enterprise with Strict Compliance Requirements
A multinational corporation must comply with GDPR and internal data protection policies. They configure app consent policies to block all user consent for any permission that can read or write user data (e.g., User.Read, Mail.Read). Only basic permissions like openid and profile are allowed for user consent. All other permissions require admin consent. The IT security team uses Microsoft Graph to create a custom policy that includes only low-risk permissions from a predefined list. They also set up a workflow using Microsoft Power Automate to notify the security team when an admin consent request is submitted. In production, this reduces the attack surface for consent phishing. A common issue is that users complain they cannot use productivity apps that request User.Read; the solution is to have the app owner request admin consent, which is reviewed and granted if the app is approved.
Scenario 2: Small to Medium Business with Limited IT Staff
A growing company with 200 employees uses many third-party SaaS apps. Initially, they left user consent enabled for all permissions. After a security audit, they discovered that several apps had been granted Mail.ReadWrite permissions by users, allowing those apps to read and send email on behalf of users. The IT admin immediately changed the user consent setting to block all user consent and then reviewed all existing consented apps. They revoked consent for high-risk apps and only re-granted admin consent for vetted apps. They now use the 'verified publisher' feature to ensure that only apps from verified publishers can request user consent for low-risk permissions. This approach balances security with usability, but requires regular monitoring of consent requests.
Scenario 3: Healthcare Organization with Sensitive Data
A hospital uses Microsoft 365 and needs to control access to patient health information (PHI). They configure app consent policies to allow user consent only for permissions that do not access PHI (e.g., openid, profile). Any app requesting Mail.Read, Files.Read.All, or User.Read.All requires admin consent. They also use Conditional Access to require multi-factor authentication when accessing apps that have been granted admin consent. The security team regularly audits consent grants using Microsoft 365 Defender and revokes consent for any app that has not been used for 90 days. A challenge is that some clinical apps require Mail.Read to send appointment reminders; these apps are added to an allowlist via a custom policy, and admin consent is granted after a security review.
MS-102 Exam Focus on App Consent Policies and Admin Consent
This topic is tested under Objective 2.3: Implement and manage identity governance in Microsoft Entra ID. The exam expects you to:
Understand the difference between user consent and admin consent.
Know the default user consent settings and how to change them.
Be able to configure app consent policies using the portal, PowerShell, or Microsoft Graph.
Identify which permissions require admin consent.
Understand the consent flow and how to audit consent grants.
Common Wrong Answers and Why Candidates Choose Them
'Admin consent is required for all delegated permissions.' This is false. Only high-risk delegated permissions (e.g., Mail.ReadWrite, User.Read.All) require admin consent. Low-risk ones like User.Read can be consented by users if policy allows.
'User consent cannot be disabled.' It can be disabled by setting user consent to 'Do not allow user consent'.
'App consent policies apply to all apps automatically.' Policies can be scoped to specific apps or all apps. By default, a policy applies to all apps unless specified otherwise.
'You can grant admin consent for specific permissions only.' Admin consent is all-or-nothing: you must accept all requested permissions or none. You cannot selectively grant.
Specific Numbers and Terms That Appear on the Exam
Default user consent setting: 'Allow user consent for apps' (all permissions).
Maximum number of app consent policies: 100.
Permission classification: Low, medium, high. Only low-risk can be included in user consent policies.
Admin consent endpoint: https://login.microsoftonline.com/{tenant-id}/adminconsent.
Roles that can grant admin consent: Global Administrator, Privileged Role Administrator, and custom roles with the microsoft.directory/servicePrincipals/managePermissionGrantsForAll permission.
Edge Cases and Exceptions
Dynamic consent: If an app uses dynamic consent (requesting scopes at runtime), the policy is still evaluated. If the requested scope is not allowed, the user is blocked.
Verified publisher: Only apps from verified publishers can be included in policies that allow user consent for selected permissions.
Multi-tenant apps: Consent policies apply to apps in your tenant, including multi-tenant apps that users from your organization consent to.
How to Eliminate Wrong Answers
If a question asks what is required for an app to access mailboxes, remember: application permissions always require admin consent. Delegated permissions may or may not, depending on the specific scope.
If a question mentions 'consent for all users', it is admin consent.
If a question asks about blocking user consent, the answer is to configure user consent settings to 'Do not allow user consent'.
Use the underlying mechanism: user consent is per-user and per-app; admin consent is per-app for all users.
User consent is per-user; admin consent is per-organization.
Default user consent setting is 'Allow user consent for apps' – change it to reduce risk.
Admin consent is required for application permissions and high-risk delegated permissions.
You can create up to 100 custom app consent policies per tenant.
Only low-risk permissions can be included in user consent policies.
Granting admin consent via URL: https://login.microsoftonline.com/{tenant-id}/adminconsent.
Use audit logs and Microsoft 365 Defender to monitor consent grants.
These come up on the exam all the time. Here's how to tell them apart.
User Consent
Granted by individual users during app sign-in.
Applies only to the consenting user's data.
Can be allowed or blocked via app consent policies.
Suitable for low-risk permissions like openid, profile, User.Read.
Can be revoked by the user or by an administrator.
Admin Consent
Granted by an administrator on behalf of the entire organization.
Applies to all users in the tenant.
Required for application permissions and high-risk delegated permissions.
All-or-nothing: all requested permissions must be accepted.
Can only be revoked by an administrator.
Mistake
Admin consent is required for all permissions.
Correct
Admin consent is only required for application permissions and for delegated permissions that are classified as high-risk (e.g., Mail.ReadWrite, User.Read.All). Low-risk delegated permissions like User.Read can be consented by users if the policy allows.
Mistake
You can grant admin consent for a subset of permissions requested by an app.
Correct
Admin consent is all-or-nothing. You must accept all requested permissions or none. You cannot selectively grant only some permissions.
Mistake
App consent policies apply only to new consent requests, not existing grants.
Correct
Policies apply to new consent requests. Existing grants remain valid unless explicitly revoked. However, you can audit and revoke existing grants manually.
Mistake
User consent can be completely disabled by setting the policy to 'Do not allow user consent'.
Correct
That is correct; setting user consent to 'Do not allow user consent' blocks all user consent. However, this does not affect existing consents. You must also revoke existing grants separately.
Mistake
Only Global Administrators can grant admin consent.
Correct
Global Administrators can, but also Privileged Role Administrators and custom roles with the appropriate permission (microsoft.directory/servicePrincipals/managePermissionGrantsForAll) can grant admin consent.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
User consent is granted by an individual user to allow an app to access their data. It applies only to that user. Admin consent is granted by an administrator and allows the app to access data for all users in the organization. Admin consent is required for high-risk permissions (e.g., application permissions, Mail.ReadWrite). The key distinction is scope: user consent is per-user, admin consent is per-tenant.
Navigate to Microsoft Entra admin center > Enterprise applications > Consent and permissions > User consent settings. Select 'Do not allow user consent'. This will block all user consent prompts. Note that existing consents are not revoked; you must manually revoke them. Alternatively, you can create a custom policy that only allows specific low-risk permissions.
Application permissions always require admin consent. Delegated permissions that are classified as high-risk (e.g., Mail.ReadWrite, User.Read.All, Files.ReadWrite.All) also require admin consent. Low-risk delegated permissions like openid, profile, email, and User.Read can be consented by users if the policy allows.
You can grant admin consent via the Azure portal: Go to Enterprise applications, select the app, click Permissions, then 'Grant admin consent'. You need to sign in as a Global Administrator or Privileged Role Administrator. Alternatively, use the admin consent URL: https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={app-id}. You must accept all requested permissions.
Yes. In the Azure portal, go to Enterprise applications, select the app, click Permissions, then 'Revoke admin consent'. This removes all permissions for that app. Alternatively, you can delete the service principal. Revoking consent may break app functionality.
Use Microsoft Entra audit logs, filter by activity 'Consent to application' or 'Add app role assignment to service principal'. You can also use PowerShell: Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppRoleAssignmentRequired -eq $true} to list service principals with role assignments. Microsoft 365 Defender provides alerts for risky consent.
Consent phishing is when a malicious app tricks a user into granting permissions that allow the app to access sensitive data. App consent policies prevent this by restricting which permissions users can consent to. For example, you can block all user consent for high-risk permissions, forcing attackers to seek admin consent, which is more controlled.
You've just covered App Consent Policies and Admin Consent — now see how well it sticks with free MS-102 practice questions. Full explanations included, no account needed.
Done with this chapter?