Update October 7, 2020: this functionality is now GA; see “Publisher verification and app consent policies are now generally available”.
In February this year, I wrote an article about Admin consent in Azure Active Directory. The article, titled “Did you already modify your Azure AD consent defaults settings? Here is why you should”, explained why giving end users within your Azure AD the ability to consent to every application might not be such a good idea.
Microsoft recommends disabling this option for end users, and having a workflow in place to review each request and approve it if found valid is the more secure solution. It does, however, introduce an administrative burden, since each request must be reviewed by one of the users defined in the list of reviewers for admin consent requests.
To address this, Microsoft made some changes to the way the Admin consent workflow works, giving an Azure AD administrator more control over which requests must be approved and which are allowed automatically.
Note: This post reflects the status of Admin consent as of May 22, 2020. Functionality may change, even right after this post has been published.
Enterprise Applications User Settings
Within the User settings page of Enterprise applications, the following changes have been made.
There is now an extra configurable option called “Users can consent to apps accessing company data for the groups they own”. This option can be set as follows:
- If this option is set to yes, all users who are owners of a group may consent to allow third-party multi-tenant applications to access the data of the groups they own.
- If this option is set to no, no user can consent to those applications accessing the data of the groups they own.
- If this option is set to limited, only the members of the selected group can consent to those applications accessing the data of the groups they own. When enabled, you can add the selected groups in the User settings blade.
![Screenshot of the Enterprise applications User settings blade, showing the new option for consent to apps accessing data of groups the user owns and the Admin consent requests (Preview) section](https://www.vansurksum.com/wp-content/uploads/2020/05/Consent2-1-1024x460.png)
Consent and permissions
Under Enterprise applications another blade has been added, titled “Consent and permissions”.
On this page the following options are available.
![Screenshot of the Consent and permissions blade, User consent settings (Preview). User consent for applications: "Do not allow user consent" (an administrator will be required for all apps), "Allow user consent for apps from verified publishers, for selected permissions (Recommended)" (all users can consent for permissions classified as "low impact", for apps from verified publishers or apps registered in this organization), and "Allow user consent for apps" (all users can consent for any app to access the organization's data). Group owner consent for apps accessing data: "Do not allow group owner consent", "Allow group owner consent for selected group owners", and "Allow group owner consent for all group owners"](https://www.vansurksum.com/wp-content/uploads/2020/05/Consent2-2-1024x583.png)
You can set user consent for applications to one of the following:
- Do not allow user consent: this is the default setting and requires an admin to consent on behalf of the user.
- Allow user consent for apps from verified publishers, for selected permissions: this is the new recommended option, which I will address later on.
- Allow user consent for apps: users can give consent to any app that wants to access organizational data.
Here you can also define the options group owners have:
- Do not allow group owner consent: this is the default setting; group owners cannot allow applications to access data in the groups they own.
- Allow group owner consent for selected group owners: when selected, an extra option appears that lets you specify the groups in scope.
- Allow group owner consent for all group owners: all group owners can allow applications to access data in the groups they own.
Verified publishers
In the blog post on the Tech Community site last Wednesday (May 20, 2020), titled “Enhanced programs to help Microsoft 365 admins verify third-party apps”, Microsoft made some announcements related to the option “Allow user consent for apps from verified publishers, for selected permissions” which I described above.
From the article: “At Build Microsoft introduced a Publisher Verification program that allows developers to add a verified organizational identity to their apps. This helps admins and end users understand the authenticity of applications requesting access to your organizational data.”
Basically this means that developers can have their Microsoft Partner Network ID (MPN ID) verified and associated with their application, so that the publisher can be considered trusted. Once verified, the publisher receives a blue verified badge on the Azure AD consent prompt and other screens. More information can be found here: “Publisher verification (preview)” and “Mark your app as publisher verified (preview)”.
![Screenshot of the Publisher verification (preview) section: associate a verified Microsoft Partner Center (MPN) account with your application; a verified badge will appear in various places, including the application consent screen. Fields shown: MPN ID, Publisher display name, "Add MPN ID to verify publisher"](https://www.vansurksum.com/wp-content/uploads/2020/05/Consent2-3.png)
![Screenshot of the Branding blade of an app registration (Contoso Organizer) with the Publisher verification (preview) section](https://www.vansurksum.com/wp-content/uploads/2020/05/Consent2-4.png)
Permission classifications
When you enable the option “Allow user consent for apps from verified publishers, for selected permissions (Recommended)”, you get an extra option to select the permissions to classify as low impact, which brings you to the Permission classifications page.
![Screenshot of the Permission classifications (Preview) page with the "Get started by adding the most used permissions" dialog, listing the delegated permissions User.Read, offline_access, openid and profile](https://www.vansurksum.com/wp-content/uploads/2020/05/Consent2-5-1024x584.png)
On the Permission classifications page you can define which permissions you find acceptable for your organization's data. Microsoft provides the most requested delegated permissions with low-risk access, which you can select and add to the list. These permissions are:
- User.Read – sign in and read user profile
- offline_access – maintain access to data that users have given it access to
- openid – sign users in
- profile – view user’s basic profile
![Screenshot of the Permission classifications (Preview) page after adding the four Microsoft Graph delegated permissions offline_access, openid, profile and User.Read](https://www.vansurksum.com/wp-content/uploads/2020/05/Consent2-6-1024x300.png)
Once these are added, you can also add further permissions that you consider low risk and to which users may consent without an admin review. For example, if you also want applications to be able to view a user's email address, you can simply add that permission to the list.
![Screenshot of the Request API permissions dialog for Microsoft Graph delegated permissions, with the "email - View users' email address" permission selected](https://www.vansurksum.com/wp-content/uploads/2020/05/Consent2-7-1-1024x584.png)
![Screenshot of the Permission classifications (Preview) page now listing offline_access, openid, profile, User.Read and email](https://www.vansurksum.com/wp-content/uploads/2020/05/Consent2-7-2-1024x583.png)
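To make the combined effect of the three user consent options and the low-impact classification concrete, here is an added model of the decision (my own illustration, not Microsoft's code or the exact service logic; the tenant IDs and sample requests in the test are constructed, and the rules follow the portal text quoted above):

```python
"""Model of the user-consent decision this page describes (three consent options
plus the low-impact classification). Added example, not Microsoft's code."""
from dataclasses import dataclass

# The three radio buttons on the "User consent settings (Preview)" blade.
DENY = "do_not_allow_user_consent"
VERIFIED_LOW = "verified_publishers_selected_permissions"  # recommended
ALLOW_ALL = "allow_user_consent_for_apps"

# Microsoft's suggested low-impact set from the page, plus "email", which
# the article adds by hand on the Permission classifications blade.
LOW_IMPACT = frozenset({"User.Read", "offline_access", "openid", "profile", "email"})

@dataclass(frozen=True)
class ConsentRequest:
    app_name: str
    scopes: frozenset             # delegated permissions the app asks for
    publisher_verified: bool      # blue badge: MPN ID verified by Microsoft
    app_tenant_id: str            # tenant in which the app is registered
    application_permissions: bool = False  # app-only, tenant-wide rights

def user_consent_allowed(req, mode, my_tenant_id, low_impact=LOW_IMPACT):
    """Return (allowed, reason): may an ordinary user consent to `req` under
    setting `mode`, or does it land in the admin consent review queue?"""
    if req.application_permissions:
        # Application permissions act beyond the user; always admin consent.
        return False, "application permissions require admin consent"
    if mode == DENY:
        return False, "user consent disabled; an administrator must consent"
    if mode == ALLOW_ALL:
        return True, "all users may consent to any app"
    if mode != VERIFIED_LOW:
        raise ValueError(f"unknown consent mode {mode!r}")
    # Recommended mode: the app must be trusted (verified publisher or
    # registered in this organization) AND request only low-impact scopes.
    if not (req.publisher_verified or req.app_tenant_id == my_tenant_id):
        return False, "publisher not verified and app not registered here"
    high = sorted(req.scopes - low_impact)
    if high:
        return False, "permissions not classified low impact: " + ", ".join(high)
    return True, "trusted app requesting only low-impact permissions"

def triage(requests, mode, my_tenant_id):
    """Split a batch of consent requests into auto-approved and needs-review."""
    auto, review = [], []
    for req in requests:
        ok, why = user_consent_allowed(req, mode, my_tenant_id)
        (auto if ok else review).append((req.app_name, why))
    return auto, review
```

Running a batch of requests through `triage` with `VERIFIED_LOW` shows which ones would reach the admin consent reviewers: anything from an unverified external publisher, anything asking for a permission outside the classified set, and every app-only permission regardless of mode.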
Conclusion
With these new options (which are still in preview), Microsoft addresses the administrative burden that was introduced when administrators disabled the option for users to consent to any application accessing company data.
Whether the new options described in this article will work for your company mainly depends on whether application publishers get their MPN ID verified and work with low-risk access rights within their applications.
If this works out, consent requests for applications from verified publishers that require only low-risk access to organization data will be approved automatically, which increases the chance of adoption.
For applications that require higher-risk access rights, or even access rights beyond the user (for the whole tenant), reviewing the application will still be necessary.
If the user consent is disabled in the “User settings” tab, but it is enabled under this new tab, which one will take effect? Is the difference in the “verified publisher / registered in same AD” part? That would make sense for the “recommended” setting, that all non-Microsoft apps are blocked in User settings tab, but here some rights are included by verified publishers.
And if this is correct, then the second question is when selecting the 3rd option in this new tab, will it have any effect when it is explicitly denied in the “User settings” tab? Because these two seem to me like the perfect counterparts, and it is very confusing.
Hi Balint,
Thank you for visiting my blog and leaving a comment.
To answer your questions:
1. If you disable user consent in the “User Settings” tab, the setting will be set to “Do not allow user consent” in the User consent settings (Preview) window. I think this will evolve over time to one place where this setting can be made; for now the settings are in sync. An interesting example is that if you set the radio button to “Allow user consent for apps from verified publishers, for selected permissions (Recommended)” in the User consent settings (Preview) window, I cannot change the setting in the “User settings” tab anymore, resulting in an “Unable to update user settings. Error detail: Unable to complete due to service connection error. Please try again later.” error. (which makes a little sense)
2. Since I didn’t find any apps in my tenant yet from a publisher classified as “verified publisher”, I’m not really sure. The only thing I could find is the screenshot I used in my article to show how it will look once application developers get their MPN ID verified. I assume that Microsoft’s own applications will be among the first to get the verified label.
3. About your last question: “then the second question is when selecting the 3rd option in this new tab, will it have any effect when it is explicitly denied in the “User settings” tab? Because these two seem to me like the perfect counterparts, and it is very confusing.” – Did I already answer that in answer 1?
Please let me know if I understood and answered your questions – if not, I’m more than willing to explain further.
Regards,
Kenneth
Thanks Kenneth, you did answer all my questions perfectly!
Wanted some clarity on this before I start “experimenting”, sec team is very jumpy lately here.
In one of my accounts the User settings section is grayed out for me, but at the same time I can access the Consent and permissions tab; let’s see if saving these settings after changing them is possible at all : )