This chapter covers Cloud App Governance and App Consent in Microsoft 365 and Azure AD, which are critical for controlling how third-party applications access organizational data. For the SC-900 exam, this topic appears in approximately 10-15% of questions, often testing your understanding of consent types, permission models, and governance tools like Cloud App Security. You will learn the mechanisms of app registration, consent delegation, and how to monitor and revoke permissions to protect your organization from malicious or over-privileged applications.
Jump to a section
Imagine a large office building with many tenants. Each tenant has their own office, and the building has shared resources like a conference room, a printer, and a server room. The building manager (the tenant) decides who can access which resources. When a visitor (an app) arrives and wants to use the server room, they must first get a badge (consent) from the building manager. The manager can grant access directly (admin consent) or allow the visitor to ask the employees (users) for permission (user consent). If the manager gives a master key (admin consent), the visitor can access the server room and any other resource without asking again. If the manager only allows user consent, each employee can let the visitor into their own office but not the shared resources. The building has a log at the front desk (Azure AD audit logs) that records every badge issued and every door accessed. The manager can revoke a badge at any time. This system ensures that visitors only access what they are allowed, and the manager retains control over critical areas.
What is Cloud App Governance and App Consent?
Cloud App Governance refers to the processes and tools used to monitor, control, and manage the use of cloud applications within an organization. It ensures that apps comply with security policies and that data access is appropriate. App consent is the mechanism by which users or administrators grant permissions to applications to access resources (e.g., Microsoft Graph, SharePoint, email). The SC-900 exam focuses on consent types, permission models, and the tools used to govern apps in Azure AD and Microsoft 365.
Why App Consent Matters
Applications often request permissions to access sensitive data such as user profiles, emails, files, and calendars. Without proper consent controls, users can grant excessive permissions to malicious apps, leading to data breaches. Microsoft provides a consent framework that includes user consent, admin consent, and delegated vs. application permissions. Understanding this framework is essential for securing an organization's data.
Permission Types: Delegated vs. Application Permissions
Delegated permissions: The app acts on behalf of a signed-in user. The app can only access what the user can access. For example, an app with delegated Mail.Read permission can read the signed-in user's emails but not other users' emails. Delegated permissions are used in client apps (e.g., mobile apps, web apps) that have a user context.
Application permissions: The app acts as itself (no user context). It can access data without a signed-in user. For example, an app with application Mail.Read permission can read all mailboxes in the organization. Application permissions are used for daemon services, background jobs, and automated processes. They require admin consent.
Consent Types: User Consent vs. Admin Consent
User consent: A user grants permissions to an app. This is typically for delegated permissions that are low-risk. By default, users can consent to permissions that are classified as 'low impact' (e.g., profile, openid, User.Read). Admins can configure user consent settings to block all user consent or allow only specific permissions.
Admin consent: An administrator grants permissions on behalf of the entire organization. This is required for application permissions and for delegated permissions that are high-risk or require admin privileges (e.g., Mail.ReadWrite). Admin consent cannot be granted by regular users.
Consent Process Flow
User navigates to an app that requires permissions.
The app redirects the user to Azure AD's consent endpoint.
Azure AD displays the consent prompt listing requested permissions.
If user consent is allowed for those permissions, the user can accept.
If admin consent is required, the user sees a message asking them to contact an admin.
An admin can grant consent via the Azure portal, Microsoft 365 admin center, or programmatically.
Once consent is granted, Azure AD issues an access token with the consented permissions.
The app uses the token to access resources.
Microsoft Cloud App Security (MCAS) and Cloud App Governance
Microsoft Cloud App Security (now part of Microsoft 365 Defender) provides visibility into cloud app usage, data loss prevention, and threat detection. It uses the Cloud App Catalog, which contains over 16,000 cloud apps rated on risk factors such as security, compliance, and legal. Key features: - Cloud Discovery: Analyzes traffic logs to identify shadow IT (apps not sanctioned by IT). - App governance add-on: Extends MCAS with policies for app permissions, consent, and activity monitoring. - Conditional Access App Control: Enforces policies like session monitoring and block actions for apps.
App Governance in Microsoft 365
App governance is a Microsoft 365 security feature that focuses on managing app permissions and consent. It provides: - App permission policies: Automatically revoke or restrict apps based on behavior (e.g., high data access, unusual activity). - Consent policies: Define which permissions users can consent to and which require admin approval. - Alerts and notifications: Notify admins when apps request excessive permissions or exhibit suspicious behavior.
Configuring Consent and Permissions in Azure AD
In the Azure portal, navigate to Azure Active Directory > Enterprise applications > Consent and permissions. Here you can: - User consent settings: Choose whether to allow user consent for apps from verified publishers or all apps, or block user consent entirely. - Admin consent settings: Grant admin consent for specific apps or permissions. - Permission classification: Classify permissions as low, medium, or high impact. User consent can be allowed only for low-impact permissions.
Using PowerShell to Manage Consent
You can use the Azure AD PowerShell module (AzureAD) to manage consent. Example commands:
# Connect to Azure AD
Connect-AzureAD
# Get all OAuth2 permission grants
Get-AzureADOAuth2PermissionGrant
# Revoke a consent grant
Remove-AzureADOAuth2PermissionGrant -ObjectId "<grant-id>"Monitoring Consent Activity
Azure AD audit logs record all consent operations. You can view logs in the Azure portal under Azure Active Directory > Audit logs. Filter by activity "Consent to application" or "Add OAuth2PermissionGrant". Microsoft 365 Defender also provides alerts for risky consent.
Best Practices
Block user consent by default and require admin consent for all apps.
Use permission classification to allow user consent only for low-risk permissions.
Regularly review app permissions using the Azure AD app permissions report or MCAS.
Enable app governance policies to detect and respond to anomalous app behavior.
Educate users about the risks of granting consent to unknown apps.
Interaction with Conditional Access
Conditional Access policies can be applied to cloud apps, including those that require consent. For example, you can require multi-factor authentication (MFA) for accessing an app that has been granted consent. However, consent itself is not governed by Conditional Access; it is a separate process that occurs before token issuance.
Common Exam Values
The default user consent setting in new tenants is to allow user consent for apps from verified publishers for selected permissions. This is a common exam point.
Admin consent is required for any app that requests application permissions.
The Cloud App Catalog contains over 16,000 apps.
App governance is an add-on to Microsoft Cloud App Security.
App requests permissions
The user navigates to an application that needs access to Microsoft 365 resources. The app initiates an OAuth 2.0 authorization request to Azure AD, specifying the required permissions (scopes) in the request. For example, an app might request 'User.Read' and 'Mail.Read' as delegated permissions. The request is sent to the Azure AD authorization endpoint with parameters like client_id, redirect_uri, response_type, and scope. The app must be registered in Azure AD with those permissions configured.
Azure AD displays consent prompt
Azure AD checks the requested permissions against the tenant's consent settings. If user consent is allowed for those permissions, Azure AD renders a consent prompt to the user. The prompt lists the app name, publisher, and the permissions being requested. The user can see what data the app will access. If admin consent is required (e.g., for high-risk permissions or application permissions), the user sees a message stating that admin approval is needed. Azure AD also checks if the app is from a verified publisher and if the user is allowed to consent based on their role (e.g., only admins can consent to certain permissions).
User or admin grants consent
If user consent is allowed, the user clicks 'Accept' to grant consent. This creates an OAuth2PermissionGrant object in Azure AD, which stores the consent record. The grant includes the user ID, app ID, and the consented scopes. If admin consent is required, an administrator must grant consent via the Azure portal or through a dedicated admin consent endpoint. Admin consent can be granted for all users or for a specific user. The admin can also pre-approve an app by granting tenant-wide admin consent.
Azure AD issues access token
After consent is granted, Azure AD issues an access token to the app. The token contains claims that include the consented scopes and the user identity (for delegated permissions). The app uses this token to authenticate to Microsoft Graph or other APIs. The token has a default lifetime of 60-90 minutes (configurable). The app can refresh the token using a refresh token if offline access was consented. The token is signed by Azure AD and verified by the resource API.
App accesses resources
The app presents the access token to the resource API (e.g., Microsoft Graph). The API validates the token's signature, checks the scopes, and ensures the user (for delegated) or app (for application) has the necessary permissions. If valid, the API returns the requested data. The app can now perform actions like reading emails, accessing files, or modifying calendars. The API enforces least privilege based on the token's scopes.
In a large enterprise with thousands of users, managing app consent is critical. For example, a company uses Salesforce and needs to integrate with Microsoft Teams. The Salesforce app requests permissions to read user profiles and send messages on behalf of users. The IT admin decides to grant admin consent for this app to avoid users being prompted and to ensure compliance. They use Azure AD to grant tenant-wide admin consent, which requires Global Admin or Privileged Role Admin rights. The admin also configures a Conditional Access policy to require MFA for accessing Salesforce.
Another scenario: A marketing department starts using a new project management app without IT approval. This is shadow IT. Using Microsoft Cloud App Security (MCAS), the security team runs Cloud Discovery to identify the app. The app has a risk score of 8 (medium risk). The team decides to sanction the app but restrict its permissions. They use app governance to create a policy that alerts if the app accesses more than 1000 emails per hour. They also block user consent for high-risk permissions, forcing users to request admin approval for any app that needs access to sensitive data.
A common misconfiguration is allowing user consent for all apps. This leads to users granting permissions to malicious apps that exfiltrate data. For instance, a phishing campaign tricks users into consenting to an app that requests 'Mail.ReadWrite' and 'Mail.Send' permissions. The app then reads and sends emails from the user's mailbox, spreading malware or stealing sensitive information. To prevent this, the IT admin should block user consent entirely and require admin approval for all apps. They can also use permission classification to allow user consent only for low-impact permissions like 'profile' and 'email'. Regularly reviewing app permissions using the Azure AD 'Review permissions' feature helps identify and revoke excessive grants. Performance considerations: Azure AD can handle millions of consent grants, but audit logs can grow quickly. Use retention policies to manage log storage. When misconfigured, users may experience consent prompts that block productivity, or worse, data breaches occur. In production, deploy app governance policies to automatically revoke consent for apps that show anomalous behavior, such as sudden high-volume data access or access from unusual locations.
The SC-900 exam tests your understanding of app consent and cloud app governance under objective 'Describe the capabilities of Microsoft Security Solutions' (specifically 3.2). Key areas: - Distinguish between delegated and application permissions. The exam often presents a scenario where an app runs without a signed-in user (e.g., a daemon) and asks which permission type is needed. The answer is application permissions, and it requires admin consent. - Know when admin consent is required. Admin consent is mandatory for application permissions and for delegated permissions that are classified as high-impact or require admin privileges. A common wrong answer is that admin consent is always required, but user consent is allowed for low-risk delegated permissions. - Understand default user consent settings. In new tenants, users can consent to permissions from verified publishers for selected permissions (low impact). The exam may ask: 'What is the default user consent setting?' Answer: Allow user consent for apps from verified publishers for selected permissions. - Cloud App Security features: The exam may test that Cloud App Security provides Cloud Discovery (identifies shadow IT), app governance (policies for app permissions), and Conditional Access App Control. A common trap is thinking that Cloud App Security replaces Azure AD consent settings; it does not—it augments them. - App governance add-on: This is part of MCAS and provides advanced policies for app permissions. The exam may ask: 'Which feature automatically revokes app permissions based on suspicious activity?' Answer: App governance policies. - Numbers: Remember that the Cloud App Catalog contains over 16,000 apps. This is a specific number that appears on the exam. - Edge case: If a user consents to an app and later leaves the organization, the consent grant remains. Admins should regularly review and remove stale grants. The exam may ask about the impact of a user leaving: the app still has access until the grant is revoked. - Eliminating wrong answers: If a question asks about controlling which apps users can consent to, the answer is 'User consent settings' in Azure AD, not 'Conditional Access' or 'MFA'. Conditional Access controls access after consent, not the consent itself. Similarly, 'App registration' is about creating apps, not granting consent.
Delegated permissions require a signed-in user; application permissions do not.
Admin consent is mandatory for application permissions and high-risk delegated permissions.
Default user consent setting in new tenants: allow user consent for apps from verified publishers for selected permissions.
Cloud App Security includes Cloud Discovery, app governance, and Conditional Access App Control.
App governance is an add-on to Microsoft Cloud App Security, not a standalone product.
Over 16,000 apps are rated in the Cloud App Catalog.
Consent can be revoked by admins via Azure AD or by users via My Apps portal.
Azure AD audit logs capture all consent activities for monitoring.
Permission classification allows admins to control which permissions users can consent to.
App governance policies can automatically revoke permissions for suspicious app behavior.
These come up on the exam all the time. Here's how to tell them apart.
Delegated Permissions
App acts on behalf of a signed-in user.
Used in client apps with a user context (e.g., mobile apps, web apps).
Can be consented by users if allowed by policy.
Access limited to what the user can access.
Example: 'Mail.Read' allows reading the signed-in user's mailbox.
Application Permissions
App acts as itself without a user context.
Used for daemon services, background jobs, and automated tasks.
Always requires admin consent.
Can access data across the entire organization.
Example: 'Mail.Read' allows reading all mailboxes in the tenant.
Mistake
User consent and admin consent are the same thing.
Correct
User consent is granted by an individual user and applies only to that user's data. Admin consent is granted by an administrator and applies to all users in the organization. Admin consent is required for application permissions and high-risk delegated permissions.
Mistake
Once consent is granted, it cannot be revoked.
Correct
Consent can be revoked by an administrator at any time. In Azure AD, admins can remove OAuth2PermissionGrant objects or disable the app. Users can also revoke consent from the 'My Apps' portal.
Mistake
Cloud App Security replaces Azure AD consent settings.
Correct
Cloud App Security (MCAS) complements Azure AD by providing visibility and governance policies, but it does not replace Azure AD's consent configuration. Consent settings are still managed in Azure AD.
Mistake
All apps need admin consent.
Correct
Only apps that request application permissions or high-risk delegated permissions need admin consent. Many apps with low-risk delegated permissions can be consented to by users if the tenant allows it.
Mistake
App governance is a standalone Microsoft 365 product.
Correct
App governance is an add-on to Microsoft Cloud App Security, not a separate product. It provides advanced policies for app permissions and consent.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
User consent is granted by an individual user to allow an app to access their own data, such as their profile or emails. Admin consent is granted by a global administrator or privileged role administrator on behalf of the entire organization. Admin consent is required for apps that request application permissions (which can access data across the organization) or high-risk delegated permissions. Without admin consent, users cannot grant those permissions themselves.
No, application permissions always require admin consent. Users cannot consent to application permissions because they would grant the app access to data beyond the user's control, such as all mailboxes. Only an administrator can grant application permissions.
You can revoke consent by going to Azure Active Directory > Enterprise applications > select the app > Permissions > Revoke admin consent. Alternatively, you can use PowerShell: Remove-AzureADOAuth2PermissionGrant -ObjectId <grant-id>. Users can revoke their own consent from the My Apps portal (https://myapps.microsoft.com) by going to the app and selecting 'Remove'.
The Cloud App Catalog is a database of over 16,000 cloud applications, each rated with a risk score based on security, compliance, and legal factors. It helps organizations identify and assess the risk of apps used in their environment. The catalog is used by Cloud Discovery to classify apps as sanctioned, unsanctioned, or monitored.
The default user consent setting in new tenants is 'Allow user consent for apps from verified publishers for selected permissions'. This means users can consent to apps that are published by a verified publisher and that request only low-impact permissions. This setting can be changed by an administrator.
App governance is an add-on to Microsoft Cloud App Security that provides automated policies to monitor and control app permissions and consent. It can detect anomalous app behavior (e.g., sudden high data access), generate alerts, and automatically revoke permissions or disable apps. It also provides insights into app permission usage across the organization.
Microsoft Graph is the API that apps use to access Microsoft 365 data. When an app requests permissions, it specifies the required Microsoft Graph scopes (e.g., User.Read, Mail.Read). Consent grants the app access to those scopes. The access token issued after consent contains the scopes, and the app uses that token to call Microsoft Graph endpoints.
You've just covered Cloud App Governance and App Consent — now see how well it sticks with free SC-900 practice questions. Full explanations included, no account needed.
Done with this chapter?