Grant tenant-wide admin consent to an application

In this article, you'll learn how to grant tenant-wide admin consent to an application in Azure Active Directory (Azure AD).

When you grant tenant-wide admin consent to an application, all users can sign in to the app. To restrict which users can sign in to an application, configure the app to require user assignment and then assign users or groups to the application. For more information, see Methods for assigning users and groups.

Tenant-wide admin consent to an app grants the app and the app's publisher access to your organization's data. Carefully review the permissions that the application is requesting before you grant consent. For more information on consenting to applications, see Azure Active Directory consent framework.

Granting tenant-wide admin consent may revoke any permissions which had previously been granted tenant-wide. Permissions which have previously been granted by users on their own behalf will not be affected.

Prerequisites

Granting tenant-wide admin consent requires you to sign in as a user that is authorized to consent on behalf of the organization.

To grant tenant-wide admin consent, you need:

You can grant tenant-wide admin consent through Enterprise applications if the application has already been provisioned in your tenant. For example, an app could be provisioned in your tenant if at least one user has already consented to the application. For more information, see How and why applications are added to Azure Active Directory.

To grant tenant-wide admin consent to an app listed in Enterprise applications:

  1. Sign in to the Azure portal with one of the roles listed in the prerequisites section.

  2. Select Azure Active Directory, and then select Enterprise applications.

  3. Select the application to which you want to grant tenant-wide admin consent, and then select Permissions.

  4. Carefully review the permissions that the application requires. If you agree with the permissions the application requires, select Grant admin consent.

For applications your organization has developed, or which are registered directly in your Azure AD tenant, you can also grant tenant-wide admin consent from App registrations in the Azure portal.

To grant tenant-wide admin consent from App registrations:

  1. Sign in to the Azure portal with one of the roles listed in the prerequisites section.
  2. Select Azure Active Directory, and then select App registrations.
  3. Select the application to which you want to grant tenant-wide admin consent.
  4. Select API permissions.
  5. Carefully review the permissions that the application requires. If you agree, select Grant admin consent.

When granting tenant-wide admin consent using either method described above, a window opens from the Azure portal to prompt for tenant-wide admin consent. If you know the client ID (also known as the application ID) of the application, you can build the same URL to grant tenant-wide admin consent.

The tenant-wide admin consent URL has the following format:

https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}

where:

  • {client-id} is the application's client ID (also known as app ID).
  • {tenant-id} is your organization's tenant ID or any verified domain name.

As always, carefully review the permissions an application requests before granting consent.
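
The following Python helpers are an added example, not part of the original article. They build the admin consent URL in the format above and check a URL you have been given against that format, so the tenant and client ID can be read and reviewed before the link is opened. The function names, the constructed sample IDs in the usage note, and the rule that IDs are canonical GUIDs or ASCII domain names are assumptions of this example.

```python
import re
import uuid
from urllib.parse import parse_qs, quote, urlencode, urlsplit

LOGIN_HOST = "login.microsoftonline.com"
# Assumption: a tenant domain is a plain ASCII DNS name such as contoso.onmicrosoft.com.
DOMAIN_RE = re.compile(
    r"(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}"
)


def is_guid(value):
    """True only for the canonical hyphenated GUID form."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def is_tenant(value):
    """A tenant identifier is either a GUID or a domain name."""
    return is_guid(value) or DOMAIN_RE.fullmatch(value) is not None


def build_admin_consent_url(tenant_id, client_id):
    """Build the URL in the format shown above, rejecting malformed IDs."""
    if not is_tenant(tenant_id):
        raise ValueError("tenant_id must be a GUID or a domain name")
    if not is_guid(client_id):
        raise ValueError("client_id must be a GUID")
    query = urlencode({"client_id": client_id})
    return f"https://{LOGIN_HOST}/{quote(tenant_id, safe='')}/adminconsent?{query}"


def parse_admin_consent_url(url):
    """Validate a URL against that format and return (tenant_id, client_id)."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != LOGIN_HOST:
        raise ValueError("not an https URL on " + LOGIN_HOST)
    if parts.username is not None or parts.port is not None:
        raise ValueError("unexpected userinfo or port")
    segments = parts.path.strip("/").split("/")
    if len(segments) != 2 or segments[1] != "adminconsent" or not is_tenant(segments[0]):
        raise ValueError("path is not /{tenant-id}/adminconsent")
    client_ids = parse_qs(parts.query).get("client_id", [])
    if len(client_ids) != 1 or not is_guid(client_ids[0]):
        raise ValueError("expected exactly one GUID client_id")
    return segments[0], client_ids[0]
```

For instance, `build_admin_consent_url("contoso.onmicrosoft.com", "11111111-2222-3333-4444-555555555555")` returns the URL for that constructed tenant and client ID, and `parse_admin_consent_url` returns the same pair from it. The client ID it returns is the one to look up under Enterprise applications or App registrations when reviewing the requested permissions.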

Next steps

Configure how end-users consent to applications

Configure the admin consent workflow