SC-300 Study Portal Path 4

Unit 3: Implement and configure consent settings

Applications integrated with the Microsoft identity platform require permissions before they can access organizational data. Consent is the mechanism that grants those permissions.

Understanding user and admin consent

Different permissions provide different levels of access:

Some permissions allow access to a user’s own data.

Other permissions allow access to organizational data.

By default:

Users can consent to apps for permissions that do not require admin consent.

Users cannot consent to permissions that grant broad organizational access.

This default balance supports productivity but introduces risk if not carefully controlled.

Security recommendation for consent

To reduce the risk of malicious apps, Microsoft recommends allowing user consent only for apps published by verified publishers.

This significantly reduces the likelihood of consent phishing attacks, in which a malicious app tricks users into granting it permissions to their data.

User consent settings options

Microsoft Entra ID supports several user consent configurations.

Disable user consent: Users cannot grant permissions to new apps, or new permissions to existing apps. Existing consents continue to function. Only users with directory roles that allow consent can approve new apps.

Users can consent to apps from verified publishers or your organization, but only for selected permissions: Users can consent only to low-impact permissions that you explicitly classify. Apps must be from verified publishers or registered in your tenant.

Users can consent to all apps: Users can consent to any permission that does not require admin consent. This option provides the least control and the highest risk.

Custom app consent policies: Custom policies allow fine-grained conditions governing when consent is allowed.
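The options above map to built-in permission grant policies assigned in the tenant's authorization policy, which is how they are set outside the portal. The following is an added example (not from the study notes or Microsoft's own documentation) that applies the recommended "verified publishers, selected permissions only" setting with the Microsoft Graph PowerShell SDK, classifies one delegated permission as low impact so that the setting is actually usable, and reads the policy back to verify. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Applications modules are installed and that the signed-in account can write authorization and permission grant policies; the choice of User.ReadBasic.All as the permission to classify is just an illustration.

```powershell
# Added example: configure Entra ID user consent settings with Microsoft Graph PowerShell.
# Assumes Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Applications are installed
# and the account has rights to write authorization and permission grant policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.ReadWrite.PermissionGrant", "Application.Read.All" -NoWelcome

# Built-in permission grant policies behind the portal's user consent options:
#   @()                                                            -> Disable user consent
#   "ManagePermissionGrantsForSelf.microsoft-user-default-low"     -> verified publishers / your org, selected permissions only
#   "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"  -> Users can consent to all apps (highest risk)
$recommended = "ManagePermissionGrantsForSelf.microsoft-user-default-low"
$legacy      = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"

# Record the current state before changing anything.
$before = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
"Current user consent policies: $($before -join ', ')"

# Apply the recommended setting (this replaces the whole list, so "all apps" is removed).
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @($recommended)
}

# With this setting, users can only consent to permissions classified as low impact,
# so classify at least one delegated permission. User.ReadBasic.All is an illustrative choice.
$graphSp = Get-MgServicePrincipal -Filter "servicePrincipalNames/any(n:n eq 'https://graph.microsoft.com')"
$scope   = $graphSp.Oauth2PermissionScopes | Where-Object Value -eq "User.ReadBasic.All"
New-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $graphSp.Id `
    -PermissionId $scope.Id -PermissionName $scope.Value -Classification "low"

# Verify that the tenant is no longer on the "all apps" setting.
$after = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
if (($after -contains $recommended) -and ($after -notcontains $legacy)) {
    "User consent restricted to verified publishers and low-impact permissions."
} else {
    throw "Authorization policy not updated as expected: $($after -join ', ')"
}
```

Passing an empty array (`@()`) in place of `$recommended` disables user consent entirely; existing consent grants are unaffected either way, which is why the check above reads the policy back rather than assuming the update succeeded.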

Risk-based step-up consent

Risk-based step-up consent protects users from malicious consent attempts.

Key behaviors

Enabled by default.

Applies only when user consent is enabled.

Risky consent requests are escalated to admin approval.

If the admin approval workflow is enabled, the user can submit a request for admin approval directly from the consent prompt. If not, the user receives an error message stating that admin approval is required.

An audit event is logged with:

Category: ApplicationManagement.

Activity Type: Consent to application.

Status Reason: Risky application detected.

Administrators must carefully review these requests before approval.
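Because step-up consent writes a distinct audit entry, the attempts it intercepts can be reviewed in bulk rather than one at a time. The following is an added example (not from the study notes) that queries the directory audit log for "Consent to application" events in the ApplicationManagement category and keeps only those whose status reason is "Risky application detected", reporting who tried to consent and to which app. It assumes the Microsoft.Graph.Reports module and an account with AuditLog.Read.All; the function name and the seven-day default window are choices made for this example.

```powershell
# Added example: list consent attempts blocked by risk-based step-up consent.
# Assumes the Microsoft.Graph.Reports module and the AuditLog.Read.All permission.
function Get-RiskyConsentAttempt {
    param(
        [int]$Days = 7   # how far back to search; example default
    )

    Connect-MgGraph -Scopes "AuditLog.Read.All" -NoWelcome

    # Server-side filter on the fields the study notes name for this event.
    $since  = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
    $filter = "category eq 'ApplicationManagement' and activityDisplayName eq 'Consent to application' and activityDateTime ge $since"
    $events = Get-MgAuditLogDirectoryAudit -Filter $filter -All

    # Client-side: keep only entries whose status reason marks the app as risky.
    $risky = $events | Where-Object { $_.ResultReason -like "*Risky application detected*" }

    foreach ($e in $risky) {
        $app = $e.TargetResources | Where-Object Type -eq "ServicePrincipal" | Select-Object -First 1
        [pscustomobject]@{
            Time   = $e.ActivityDateTime
            User   = $e.InitiatedBy.User.UserPrincipalName
            App    = $app.DisplayName
            AppId  = $app.Id
            Result = $e.Result
            Reason = $e.ResultReason
        }
    }
}

# Usage: review last week's intercepted consent attempts, most recent first.
Get-RiskyConsentAttempt -Days 7 | Sort-Object Time -Descending | Format-Table -AutoSize
```

Repeated attempts by many users against the same AppId are worth treating as a consent phishing campaign rather than individual mistakes; the same query, exported on a schedule, gives the review material the admin approval step depends on.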