I am testing having users request access to enterprise applications. I am worried about a user mistakenly giving a malicious app access to their data. However, it appears that the only approval option is to grant admin consent on behalf of the entire organization, even if the original request was only for user consent. That doesn't seem more secure. Shouldn't there be an option to only grant user consent on behalf of the requesting user?
Some clarification: In the Azure Portal under Enterprise applications > User Settings, there is an option, "Users can consent to apps accessing company data on their behalf". By default, this is set to "yes" and allows a user to provide user consent for only themselves if that is what the app requires. When I set this option to "No", the user has to request access to the app.
These requests are approved under Enterprise Applications > Admin consent requests. However, I can only provide admin consent for the entire directory even though the application only requires user consent and only one user wants it.
I think I should be able to grant consent for just the requesting user or be able to select the users the app has rights to.
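One way to see the difference the question is about in the directory itself, as an added example that is not part of the original post: Microsoft Graph records every consent as an oAuth2PermissionGrant whose consentType is "AllPrincipals" (admin consent for the whole organization) or "Principal" (consent for one user, identified by principalId). The script below audits a constructed list of such grants (sample data, not real tenant output) and reports which apps hold tenant-wide consent versus per-user consent.

```python
# Added example: classify Graph oAuth2PermissionGrant records by consent scope.
# Assumes the Graph v1.0 oAuth2PermissionGrant shape: clientId (service
# principal), consentType ("AllPrincipals" | "Principal"), principalId, scope.
# SAMPLE_GRANTS is constructed sample data, not output from a real tenant.
from dataclasses import dataclass, field

SAMPLE_GRANTS = [
    {"clientId": "sp-app-1", "consentType": "Principal",
     "principalId": "user-alice", "scope": "User.Read Mail.Read"},
    {"clientId": "sp-app-1", "consentType": "Principal",
     "principalId": "user-bob", "scope": "User.Read"},
    # Admin consent granted on behalf of the entire directory:
    {"clientId": "sp-app-2", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read Files.ReadWrite.All"},
]


@dataclass
class GrantSummary:
    client_id: str
    tenant_wide: bool = False          # any AllPrincipals grant present
    principals: set = field(default_factory=set)  # users with own consent
    scopes: set = field(default_factory=set)      # union of delegated scopes


def summarize_grants(grants):
    """Group grants per client app and note tenant-wide vs per-user consent."""
    by_client = {}
    for g in grants:
        s = by_client.setdefault(g["clientId"], GrantSummary(g["clientId"]))
        if g["consentType"] == "AllPrincipals":
            s.tenant_wide = True
        elif g["consentType"] == "Principal" and g.get("principalId"):
            s.principals.add(g["principalId"])
        s.scopes.update(g["scope"].split())
    return by_client


def tenant_wide_apps(grants):
    """Client ids whose consent applies to every user, sorted for stable output."""
    return sorted(c for c, s in summarize_grants(grants).items() if s.tenant_wide)


def per_user_apps(grants):
    """Client ids where only individual users consented: {client_id: {users}}."""
    return {c: s.principals for c, s in summarize_grants(grants).items()
            if s.principals and not s.tenant_wide}


if __name__ == "__main__":
    print("tenant-wide:", tenant_wide_apps(SAMPLE_GRANTS))
    print("per-user:", per_user_apps(SAMPLE_GRANTS))
```

On a real tenant the grant list would come from GET /oauth2PermissionGrants; a periodic run of this check is a simple way to notice when an app that only one user asked for has ended up with organization-wide consent.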
