Configure permission classifications
Permission classifications allow you to identify the impact that different permissions have according to your organization's policies and risk evaluations. For example, you can use permission classifications in consent policies to identify the set of permissions that users are allowed to consent to.
To complete the tasks in this guide, you need the following:
- An Azure account with an active subscription. Create an account for free.
- A Global Administrator role.
- Azure AD PowerShell set up (see Azure AD PowerShell).
Manage permission classifications
Currently, only the "Low impact" permission classification is supported. Only delegated permissions that don't require admin consent can be classified as "Low impact".
The minimum permissions needed for basic sign-in are
offline_access, which are all delegated permissions on Microsoft Graph. With these permissions, an app can read the full profile details of the signed-in user and can maintain this access even when the user is no longer using the app.
Follow these steps to classify permissions using the Azure portal:
- Sign in to the Azure portal as a Global Administrator, Application Administrator, or Cloud Application Administrator.
- Select Azure Active Directory > Enterprise applications > Consent and permissions > Permission classifications.
- Choose Add permissions to classify another permission as "Low impact".
- Select the API and then select the delegated permission(s).
In this example, we've classified the minimum set of permissions required for single sign-on.
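The same classification can be scripted with the Azure AD PowerShell module listed in the prerequisites. The following is an added example, not code from the original page; it assumes the AzureAD module is installed, that the signed-in account holds a role allowed to manage permission classifications, and it treats User.Read as an assumed example permission alongside the offline_access permission named above. It also enforces the rule stated earlier: only delegated permissions that do not require admin consent (Type "User" on the permission object) are classified.

```powershell
# Added example (not from the original page): classify delegated Microsoft Graph
# permissions as "Low impact" with the Azure AD PowerShell module.
# Assumes the AzureAD module is installed and the signed-in account may manage
# permission classifications (for example, a Global Administrator).
Connect-AzureAD

# Locate the Microsoft Graph service principal in this tenant (the "API" chosen in the portal).
$api = Get-AzureADServicePrincipal -Filter "servicePrincipalNames/any(n:n eq 'https://graph.microsoft.com')"

# Permissions to classify. offline_access is named on the page; User.Read is an assumed example.
$permissionNames = @("offline_access", "User.Read")

# Existing classifications, so the script can be re-run without creating duplicates.
$existing = Get-AzureADMSServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $api.ObjectId

foreach ($name in $permissionNames) {
    $perm = $api.Oauth2Permissions | Where-Object { $_.Value -eq $name }
    if (-not $perm) {
        Write-Warning "Delegated permission '$name' not found on $($api.DisplayName); skipping."
        continue
    }
    # Only delegated permissions that do not require admin consent (Type 'User') can be classified.
    if ($perm.Type -ne "User") {
        Write-Warning "'$name' requires admin consent (Type=$($perm.Type)) and cannot be classified as Low impact; skipping."
        continue
    }
    if ($existing | Where-Object { $_.PermissionId -eq $perm.Id }) {
        Write-Host "'$name' is already classified; nothing to do."
        continue
    }
    Add-AzureADMSServicePrincipalDelegatedPermissionClassification `
        -ServicePrincipalId $api.ObjectId `
        -PermissionId $perm.Id `
        -PermissionName $perm.Value `
        -Classification "low"
    Write-Host "Classified '$name' as Low impact."
}

# Review the resulting classifications for the API.
Get-AzureADMSServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $api.ObjectId
```

The final Get call is the check to keep in a change record: it lists every permission that end users may now consent to for this API, which is the set a consent policy will treat as "Low impact".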
To learn more:
- Configure user consent settings
- Configure the admin consent workflow
- Learn how to manage consent to applications and evaluate consent requests
- Grant tenant-wide admin consent to an application
- Permissions and consent in the Microsoft identity platform
To get help or find answers to your questions: