In February this year, I wrote an article about Admin consent in Azure Active Directory. The article, titled “Did you already modify your Azure AD consent defaults settings? Here is why you should”, explained why giving end-users within your Azure AD the ability to give consent for every application might not be such a good idea.

Disabling this option for end-users is recommended by Microsoft, and having a workflow in place to review each request and approve it if found valid is the more secure solution. It does, however, introduce an administrative burden, since every request must be reviewed by one of the users defined in the list of reviewers for admin consent requests.

To address this, Microsoft has changed the way the Admin consent workflow works, giving an Azure AD administrator more control over which requests must be approved and which are allowed automatically.

Note: This post reflects the status of Admin consent as of May 22, 2020. Functionality may change, even right after this post has been published.

Enterprise Applications User Settings

Within the user settings page of Enterprise Applications, the following changes have been made.

There is now an extra configurable option called “Users can consent to apps accessing company data for the groups they own”. This option allows you to define the following settings:

  • If this option is set to yes, all users who are owners of a group may consent to allow third-party multi-tenant applications to access the data of the groups they own.
  • If this option is set to no, no user can consent to those applications accessing the data of the groups they own.
  • If this option is set to limited, only the members of the selected group can consent to those applications accessing the data of the groups they own. When enabled, you can add the selected groups in the User settings blade.
Screenshot: Enterprise Applications, user settings

Consent and permissions

Under Enterprise Applications another blade has been added, titled “Consent and permissions”.

On this page the following options are available.

Screenshot: User consent settings (Preview), showing the user consent and group owner consent options

You can set user consent for applications to one of the following:

  • Do not allow user consent. This is the default setting and requires an admin to consent on behalf of the user.
  • Allow user consent for apps from verified publishers, for selected permissions. This is the new recommended option, which I will address later on.
  • Allow user consent for all applications, which means that users can give consent to any app that wants to access organizational data.

Here you can also define the options group owners have:

  • Do not allow group owner consent, which is the default setting. Group owners cannot allow applications to access data in the groups they own.
  • Allow group owner consent for selected group owners. If selected, an extra option appears allowing you to specify the groups in scope.
  • Allow group owner consent for all group owners, which allows all group owners to allow applications to access data in the groups they own.

Verified publishers

In a blogpost on the Techcommunity site last Wednesday (May 20, 2020), titled “Enhanced programs to help Microsoft 365 admins verify third-party apps”, Microsoft made some announcements related to the option “Allow user consent for apps from verified publishers, for selected permissions” described above.

From the article: “At Build Microsoft introduced a Publisher Verification program that allows developers to add a verified organizational identity to their apps. This helps admins and end users understand the authenticity of applications requesting access to your organizational data.”

Basically this means that developers can have their Microsoft Partner Network (MPN) ID verified and associated with their application, so the publisher can be considered trusted. If verified, the publisher receives a blue verified badge on the Azure AD consent prompt and other screens. More information can be found here: “Publisher verification (preview)” and “Mark your app as publisher verified (preview)”.

Screenshot: Publisher verification (Empty)
Screenshot: Publisher verification (Verified)

Permission classifications

When you enable the option “Allow user consent for apps from verified publishers, for selected permissions (Recommended)”, you get an extra option to select the permissions to classify as low impact, which brings you to the Permission classifications page.

Screenshot: Permission classification (default)

On the Permission classifications page you can define which permissions you find acceptable for your organization's data. Microsoft provides the most requested permissions with low-risk access, which you can select and add to the list. These permissions are:

  • User.Read – sign in and read user profile
  • offline_access – maintain access to data that users have given it access to
  • openid – sign users in
  • profile – view user’s basic profile
Screenshot: Permission classification, recommended rights.

Once added, you can also define extra permissions which you consider low risk and to which users can consent without an admin review. For example, if you want applications to also be able to view a user's email address, you can simply add that to the list.

Screenshot: Add View users’ email address rights.
Screenshot: Right being added, and considered low-risk.
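As an added example (not part of the original post), a small Python audit that checks the two settings configured above, the user consent option and the permission classifications, and flags a posture that drifts from the recommended one. The input is constructed here in the shape of Microsoft Graph's authorizationPolicy (defaultUserRolePermissions.permissionGrantPoliciesAssigned) and delegatedPermissionClassification resources; the grant-policy ids and the sample permissions are assumptions for illustration, not an export from a real tenant.

```python
# Added example: audit exported consent settings against the posture recommended above.
# Sample data is constructed in the shape of Microsoft Graph's authorizationPolicy and
# delegatedPermissionClassification resources; it is not a real tenant export.

# Grant-policy ids behind the "user consent for applications" options (assumed from Graph docs).
LEGACY = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"  # allow any app
LOW = "ManagePermissionGrantsForSelf.microsoft-user-default-low"        # verified publishers, low impact

# The low-risk starting set the portal offers, plus 'email' as added in the walkthrough.
ACCEPTED_LOW_RISK = {"User.Read", "offline_access", "openid", "profile", "email"}

# Constructed sample tenant: recommended option selected, one over-broad classification.
AUTHORIZATION_POLICY = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [LOW]}}
CLASSIFICATIONS = [
    {"permissionName": "User.Read", "classification": "low"},
    {"permissionName": "offline_access", "classification": "low"},
    {"permissionName": "openid", "classification": "low"},
    {"permissionName": "profile", "classification": "low"},
    {"permissionName": "email", "classification": "low"},
    {"permissionName": "Mail.ReadWrite", "classification": "low"},  # mailbox write access is not low risk
]

def user_consent_mode(policy):
    """Map the assigned grant policies to the three portal options."""
    assigned = policy.get("defaultUserRolePermissions", {}).get("permissionGrantPoliciesAssigned", [])
    if LEGACY in assigned:
        return "allow-all"          # users can consent to any app
    if LOW in assigned:
        return "verified-low-only"  # recommended option
    return "admin-only"             # do not allow user consent

def overbroad_low_classifications(classifications, accepted=ACCEPTED_LOW_RISK):
    """Permissions classified 'low' that fall outside the accepted low-risk set."""
    return sorted(c["permissionName"] for c in classifications
                  if c.get("classification") == "low" and c["permissionName"] not in accepted)

def audit(policy, classifications):
    """Return (mode, findings); findings is empty when the posture matches the article's advice."""
    mode = user_consent_mode(policy)
    findings = []
    if mode == "allow-all":
        findings.append("users may consent to any app; move to verified-publisher/low-impact or admin-only")
    elif mode == "verified-low-only":
        findings += [f"'{n}' is classified low but exceeds the accepted low-risk set"
                     for n in overbroad_low_classifications(classifications)]
    return mode, findings

if __name__ == "__main__":
    for finding in audit(AUTHORIZATION_POLICY, CLASSIFICATIONS)[1]:
        print("-", finding)
```

Run against a real export, the same two functions tell you whether end-users can still consent to arbitrary apps and whether anything beyond the sign-in scopes has slipped into the low-impact list.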

Conclusion

With these new options (which are still in preview), Microsoft addresses the administrative burden introduced when administrators disabled the option for users to consent to any application accessing company data.

Whether the new options described in this article will work for your company mainly depends on whether the application publishers have their MPN ID verified and work with low-risk access rights within their application.

If this works out, applications from verified publishers that require only low-risk access to organization data will have their consent requests approved automatically. This will increase the chance of adoption.

For applications which require higher-risk access rights, or even access rights beyond the user (for the whole tenant), a review of the application will still be necessary.