In this article, you'll learn how to configure the way users consent to applications and how to disable all future user consent operations to applications.
Before an application can access your organization's data, a user must grant the application permissions to do so. Different permissions allow different levels of access. By default, all users are allowed to consent to applications for permissions that don't require administrator consent. For example, by default, a user can consent to allow an app to access their mailbox but can't consent to allow an app unfettered access to read and write to all files in your organization.
Important: To reduce the risk of malicious applications attempting to trick users into granting them access to your organization's data, we recommend that you allow user consent only for applications that have been published by a verified publisher.
To configure user consent settings in the Azure portal:
1. Select Azure Active Directory > Enterprise applications > Consent and permissions > User consent settings.
2. Under User consent for applications, select which consent setting you want to configure for all users.
3. Select Save to save your settings.
To choose which app consent policy governs user consent for applications, you can use the latest Azure AD PowerShell module.
Note: The instructions below use the generally available Azure AD PowerShell module (AzureAD). The parameter names are different in the preview version of this module (AzureADPreview). If you have both modules installed, ensure you're using the cmdlet from the correct module by first running:
Replace {consent-policy-id} with the ID of the policy you want to apply. You can choose a custom app consent policy that you've created, or you can choose from the following built-in policies:
ID: microsoft-user-default-low
Description: Allow user consent for apps from verified publishers, for selected permissions. Allows limited user consent only for apps from verified publishers and apps that are registered in your tenant, and only for permissions that you classify as low impact. (Remember to classify permissions to select which permissions users are allowed to consent to.)

ID: microsoft-user-default-legacy
Description: Allow user consent for apps. This option allows all users to consent to any permission that doesn't require admin consent, for any application.
For example, to enable user consent subject to the built-in policy microsoft-user-default-low, run the following commands:
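The following PowerShell session is an added example, not the article's own command listing; it covers both the module check described in the note above and the policy assignment described here. It assumes the generally available AzureAD module is installed, that you sign in with an account holding a role that can edit the authorization policy (for example Global Administrator), and that the policy ID is written with the "managePermissionGrantsForSelf." prefix that the AzureAD module expects for user consent policies.

```powershell
# Added example (not from the original article): pick the GA AzureAD module,
# inspect the current user consent policy, and assign a built-in policy.
# Assumes: AzureAD module installed, interactive sign-in with sufficient rights.

# 1. Make sure cmdlets resolve to the GA module (AzureAD), not AzureADPreview,
#    because the preview module uses different parameter names.
Remove-Module AzureADPreview -ErrorAction SilentlyContinue
Import-Module AzureAD

# Check which module the cmdlet comes from; this should print "AzureAD".
(Get-Command Set-AzureADMSAuthorizationPolicy).ModuleName

# 2. Sign in to the tenant.
Connect-AzureAD

# 3. Show the app consent policy currently assigned to the default user role.
#    An empty list means user consent is disabled for all users.
(Get-AzureADMSAuthorizationPolicy).PermissionGrantPolicyIdsAssignedToDefaultUserRole

# 4. Allow user consent only under the built-in low-impact policy.
#    Replace microsoft-user-default-low with the ID of a custom policy to use your own.
Set-AzureADMSAuthorizationPolicy `
    -PermissionGrantPolicyIdsAssignedToDefaultUserRole @("managePermissionGrantsForSelf.microsoft-user-default-low")

# 5. Alternative: disable all user consent by assigning no policy at all. Users then
#    need an administrator (or the admin consent workflow) for every application.
# Set-AzureADMSAuthorizationPolicy -PermissionGrantPolicyIdsAssignedToDefaultUserRole @()

# 6. Confirm the change took effect.
(Get-AzureADMSAuthorizationPolicy).PermissionGrantPolicyIdsAssignedToDefaultUserRole
```

Run step 3 before and after the change and keep both outputs with the change record: the value returned there is the authoritative statement of what users in the tenant may consent to, independent of what the portal page shows.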
To allow users to request an administrator's review and approval of an application that the user isn't allowed to consent to, enable the admin consent workflow. For example, you might do this when user consent has been disabled or when an application is requesting permissions that the user isn't allowed to grant.