Block User Consent for applications in Entra ID


General Introduction

In Microsoft 365, users can consent to third-party applications that request access to their data through OAuth. Attackers abuse this with consent phishing (illicit consent grant) attacks: the user is tricked into approving a malicious app, which then reads mail, files and contacts with the permissions it was granted, without ever needing the user's password and regardless of MFA. To limit this, Entra ID lets administrators configure which apps users may consent to on their own and which require administrator review.

There are three options for managing user consent:

  • Do not allow user consent.
  • Allow user consent for apps from verified publishers for selected permissions.
  • Allow user consent for all apps.

I advise against the third option (the default value for new tenants), as it leaves the organization exposed to consent phishing.

The second option, allowing user consent for apps from verified publishers for selected permissions, is viable, but the permission classification is crucial: it defines which permissions count as low impact and can therefore be consented to by users without review. Be very conservative about which permissions you classify that way.

If users are blocked from consenting, how do they get an app approved? Microsoft provides the admin consent request workflow: instead of being blocked outright, users submit a request that designated reviewers can approve or deny.

The choice between letting users approve verified apps and blocking user consent (but enabling consent workflows to preserve productivity) comes down to your organization’s size and security strategy. If in doubt, and if there isn’t any company strategy regarding this, I mostly suggest “Do not allow user consent”. This, combined with approval workflows, will add a bit of overhead, but it’s very manageable in most small to medium-sized tenants.

Remember that blocking user consent (or restricting it to verified publishers) only affects new consents: applications that users approved earlier keep their grants and continue to access your organization's data. The next step is therefore to review the existing grants and revoke the ones you don't want.
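The review of existing grants can be scripted. The following is an added example, not code from the original post: it uses the Microsoft Graph PowerShell SDK to list every delegated permission grant that an individual user consented to (consentType Principal, as opposed to AllPrincipals for admin consent), resolves the app and its publisher, flags a few scopes I would treat as high impact (that list is my assumption), and exports the result for review.

```powershell
# Added example (not from the original post): enumerate every delegated permission grant
# that an individual user consented to, so they can be reviewed (and revoked) after
# user consent has been switched off. Needs the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "DelegatedPermissionGrant.ReadWrite.All", "Application.Read.All" -NoWelcome
$graph = "https://graph.microsoft.com/v1.0"

# Follow @odata.nextLink until every page of a collection has been read.
function Get-GraphCollection([string]$Uri) {
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri   = $page.'@odata.nextLink'
    }
    return $items
}

# consentType 'Principal'     = one user consented for themselves
# consentType 'AllPrincipals' = an administrator consented for the whole tenant
$userGrants = Get-GraphCollection "$graph/oauth2PermissionGrants" |
    Where-Object { $_.consentType -eq 'Principal' }

# Resolve the client (the app) and the resource (the API, e.g. Microsoft Graph) once each.
$spCache = @{}
function Get-ServicePrincipal([string]$Id) {
    if (-not $spCache.ContainsKey($Id)) {
        $spCache[$Id] = Invoke-MgGraphRequest -Method GET `
            -Uri "$graph/servicePrincipals/${Id}?`$select=displayName,appId,verifiedPublisher"
    }
    return $spCache[$Id]
}

# Scopes I would look at first in a review; this list is an assumption for the example.
$highImpact = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
                'Files.Read.All', 'Files.ReadWrite.All', 'Contacts.Read', 'Directory.AccessAsUser.All')

$report = foreach ($g in $userGrants) {
    $app    = Get-ServicePrincipal $g.clientId
    $res    = Get-ServicePrincipal $g.resourceId
    $scopes = @($g.scope -split ' ' | Where-Object { $_ })
    [pscustomobject]@{
        GrantId           = $g.id
        App               = $app.displayName
        AppId             = $app.appId
        VerifiedPublisher = $app.verifiedPublisher.displayName   # $null when the publisher is unverified
        Resource          = $res.displayName
        UserId            = $g.principalId
        Scopes            = ($scopes -join ' ')
        HighImpact        = [bool]($scopes | Where-Object { $highImpact -contains $_ })
    }
}

# High-impact scopes from unverified publishers float to the top of the review list.
$report | Sort-Object HighImpact, { -not $_.VerifiedPublisher } -Descending |
    Format-Table App, VerifiedPublisher, Resource, UserId, Scopes, HighImpact -AutoSize
$report | Export-Csv -Path .\user-consent-grants.csv -NoTypeInformation

# Revoke a grant you decide not to keep. Access tokens already issued stay valid until
# they expire; the app just cannot obtain new ones.
# Invoke-MgGraphRequest -Method DELETE -Uri "$graph/oauth2PermissionGrants/<GrantId>"
```

Deleting the grant is the right lever here, not deleting the service principal: the same app may also hold admin consent or be used legitimately by other users, and the grant object is what ties a specific user to a specific set of scopes.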

Entra ID also lets administrators delegate consent to group owners for data scoped to their group, such as Teams content, so that they can approve applications on behalf of their group's members. Again, I'm mostly against allowing group owner consent unless there is a clear strategy for managing apps.

Steps

  • Head into Entra, then go to Enterprise Applications > Consent and permissions, or click on this link: https://portal.azure.com/#view/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/~/UserSettings
  • Under User consent for applications, depending on your organization, select either Do not allow user consent or Allow user consent for apps from verified publishers, for selected permissions. If in doubt, and if there isn’t any company strategy regarding this, I suggest “Do not allow user consent”.
  • Under Group owner consent for apps accessing data, select Do not allow group owner consent.
  • Now, head into Admin consent settings from the menu on the left. Here, we’ll enable users to request application approval and define who can review the requests.
  • Enable “Users can request admin consent to apps they are unable to consent to”.
  • I usually configure a limited number of admins, add them as members of a group, and add the group under the Groups tab. If you add a non-privileged user to this group, the user will get notifications for app approvals and will be able to deny the requests but not approve them, as this requires higher permissions.
  • Enable email notifications for requests and enable reminders.
  • Set how long a consent request stays open before it expires. In most cases, the default of 30 days is the right choice.
  • Save

If you have selected earlier Allow user consent for apps from verified publishers, for selected permissions, under “Permission classifications” on the left, you’ll be able to customize permissions that users can approve without admin requests.
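The same configuration can be applied and verified with the Microsoft Graph PowerShell SDK, which is handy when you manage several tenants or want a drift check. This is an added example and not part of the original post; it assumes a placeholder group ID for the approvers group, uses the beta directory settings endpoint for the group owner consent and admin consent request switches, and the group reviewer query shape (/groups/{id}/transitiveMembers) is my assumption based on the access review reviewer scope.

```powershell
# Added example (not from the original post): the settings from the steps above, applied
# through Microsoft Graph. Replace the placeholder group ID with your approvers group.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Directory.ReadWrite.All", "Policy.ReadWrite.ConsentRequest" -NoWelcome
$graph           = "https://graph.microsoft.com/v1.0"
$beta            = "https://graph.microsoft.com/beta"
$approverGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder, assumption for this example

# 1. User consent for applications. permissionGrantPoliciesAssigned on the authorization
#    policy maps to the portal options:
#      @()                                                               Do not allow user consent
#      @('ManagePermissionGrantsForSelf.microsoft-user-default-low')     Verified publishers, selected permissions
#      @('ManagePermissionGrantsForSelf.microsoft-user-default-legacy')  Allow user consent for all apps (default)
Invoke-MgGraphRequest -Method PATCH -Uri "$graph/policies/authorizationPolicy" -Body @{
    defaultUserRolePermissions = @{ permissionGrantPoliciesAssigned = @() }
}

# 2. Group owner consent and the "users can request admin consent" switch live in the
#    "Consent Policy Settings" directory setting. Create it from its template if the
#    tenant has never touched these settings before.
#    Note: Invoke-MgGraphRequest returns hashtables, and a hashtable has a built-in
#    Values property, so the 'values' key is read with index syntax to avoid the clash.
$setting = (Invoke-MgGraphRequest -Method GET -Uri "$beta/settings").value |
    Where-Object { $_.displayName -eq 'Consent Policy Settings' }
if (-not $setting) {
    $template = (Invoke-MgGraphRequest -Method GET -Uri "$beta/directorySettingTemplates").value |
        Where-Object { $_.displayName -eq 'Consent Policy Settings' }
    $setting = Invoke-MgGraphRequest -Method POST -Uri "$beta/settings" -Body @{
        templateId = $template.id
        values     = @($template['values'] | ForEach-Object { @{ name = $_['name']; value = $_['defaultValue'] } })
    }
}
$wanted = @{
    EnableGroupSpecificConsent   = 'false'  # Do not allow group owner consent
    EnableAdminConsentRequests   = 'true'   # Users can request admin consent to apps they cannot consent to
    BlockUserConsentForRiskyApps = 'true'   # keep Microsoft's risk-based consent block switched on
}
$values = @($setting['values'] | ForEach-Object {
    $name = $_['name']
    @{ name = $name; value = $(if ($wanted.ContainsKey($name)) { $wanted[$name] } else { $_['value'] }) }
})
Invoke-MgGraphRequest -Method PATCH -Uri "$beta/settings/$($setting.id)" -Body @{ values = $values }

# 3. Admin consent request workflow: reviewers, notifications, reminders and expiry.
Invoke-MgGraphRequest -Method PUT -Uri "$graph/policies/adminConsentRequestPolicy" -Body @{
    isEnabled             = $true
    notifyReviewers       = $true
    remindersEnabled      = $true
    requestDurationInDays = 30
    reviewers             = @(
        @{ query = "/groups/$approverGroupId/transitiveMembers"; queryType = "MicrosoftGraph" }
    )
}

# Read everything back. The same three GETs make a cheap scheduled drift check.
(Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/authorizationPolicy").defaultUserRolePermissions.permissionGrantPoliciesAssigned
(Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/adminConsentRequestPolicy") | Format-List isEnabled, requestDurationInDays, reviewers
(Invoke-MgGraphRequest -Method GET -Uri "$beta/settings/$($setting.id)")['values'] | Format-Table name, value -AutoSize
```

An empty permissionGrantPoliciesAssigned is the scripted equivalent of "Do not allow user consent"; if you chose the verified-publisher option in the portal instead, set it to the microsoft-user-default-low policy and then review the permission classifications, because that policy only allows the scopes you have classified as low impact.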
