Logo
Azure Enterprise App Consent Walkthrough and Recommendations
Azure AD

Azure Enterprise App Consent Walkthrough and Recommendations

2 September 2022 By Hal Sclater

How to secure and manage Azure app consent to make things easier for both users and admins. When first connecting an app to a Microsoft 365/Azure tenant, the requester is prompted to review the permissions and approve the app. If left open, this can be used maliciously (especially since no one reads the permissions). By default the Azure AD app consent configuration is not secure, so it’s recommended to make some changes as documented here.

This article walks you through the recommended settings, as well as how to configure admin consent to suit your environment.

I have seen it recommended that you should disable user consent and then enable admin consent requests as a one-size-fits-all approach. This is only suitable for small to mid-size organisations with a permanent IT presence who can respond to the requests. If configured like this in a large organisation, you will likely be bombarded with requests for access to apps.

The default setting is strangely not the one that Microsoft recommend, and allows any user to consent to any app permissions. As per Microsoft:

To reduce the risk of malicious applications attempting to trick users into granting them access to your organization’s data, we recommend that you allow user consent only for applications that have been published by a verified publisher.

This is the default setting and is not secure.

Firstly, disable this setting to the more reasonable middle setting:

  1. Open portal.azure.com > Azure Active Directory
  2. Enterprise applications > Consent and permissions > User consent settings
  3. Select Allow user consent for apps from verified publishers, then save
  4. Click Select permissions to classify as low impact
  5. If you are OK with the suggestions, you can enable apps which need low risk permissions

User Consent Settings

Permissions Classification

These are Microsoft Graph permissions if you need to add them manually or don’t see the above screen:

Admin Consent Settings

Now that you have limited the risk of users approving potentially intrusive apps, you can also control whether they can request approval from an admin for apps which need more than the permissions above.

There are two approaches:

  • Enable admin consent requests — Users trying to use a new app can request that an admin reviews and consents on their behalf
  • Disable admin consent requests — Users will simply be denied access

Admin consent requests are disabled by default. In a mid-size organisation it may be a good idea to enable this. It will give you an idea of what apps your users are trying to access.

  1. As a Global Admin, open Azure AD > Enterprise applications
  2. Select User settings > Admin consent requests
  3. Set Users can request admin consent to apps they are unable to consent to to Yes
  4. Select users or groups who will review the access requests

Admin settings

This is what users will see when trying to access an app that hasn’t been approved:

User Approval Prompt

Admins will then get an email and can approve apps in Enterprise applications > Admin consent requests.

In a larger organisation, admin consents can become unmanageable, with users requesting all sorts of apps, most of which are not relevant. I would therefore recommend not enabling this, but instead consenting to specific applications on behalf of your users.

With consent disabled, users are unable to use the app or request approval:

Consent Disabled

Note: Assign developers the Application Developer role so they can still register their own applications.

Consenting to Applications on Behalf of Users

If you don’t want users to have to request admin consent, or have turned off admin consent requests and want to manually approve an app, you can add an app and approve it as an admin.

A common example is Apple Internet Accounts (previously called iOS accounts). This is the iOS native Mail app. Note: I would not recommend this — get your users to use Outlook which is more secure and has better support for Exchange Online! But some VIP users insist.

First, you need to get the app to show in Azure AD Enterprise apps. It may be in one of three places:

  • Already in Enterprise apps, if someone has approved it
  • In Enterprise apps > Admin consent reviews, if someone has requested but not been reviewed
  • Neither — in which case you need to add it by trying to sign in to the app

Add the Enterprise App

Add the app to Azure AD Enterprise applications either by approving an existing request, or if you don’t want to do that, deny any requests and then try signing into the app with a Global admin account. This will work even if admin consent requests are denied:

Add Enterprise App

You can add the app for everyone by choosing Consent on behalf of your organization, or just yourself.

Consenting to the App

If you didn’t tick the consent box above, you can approve the app for everyone later:

  1. Open the app
  2. Click on Permissions
  3. Click Grant admin consent… which will show the consent screen

Grant Admin Consent

Limiting Access to an App

Another common requirement is to allow the app, but only for a defined subset of users:

  1. Add and approve the app for everyone
  2. Open Enterprise applications > All applications
  3. Open the app and select Properties
  4. Set Assignment required? to Yes
  5. On Users and groups, add users and groups as required

Deleting Apps

If you don’t want an app there and delete it, you can always add it back by trying to connect the same app again. Also, if you delete an app that is in use, access will immediately be revoked for anyone using the app.