Configure permission classifications

Permission classifications allow you to identify the impact that different permissions have according to your organization's policies and risk evaluations. For example, you can use permission classifications in consent policies to identify the set of permissions that users are allowed to consent to.


To complete the tasks in this guide, you need the following:

Manage permission classifications

Currently, only the "Low impact" permission classification is supported. Only delegated permissions that don't require admin consent can be classified as "Low impact".


The minimum permissions needed for basic sign-in are openid, profile, email, User.Read and offline_access, which are all delegated permissions on Microsoft Graph. With these permissions, an app can read the full profile details of the signed-in user and can maintain this access even when the user is no longer using the app.

Follow these steps to classify permissions using the Azure portal:

  1. Sign in to the Azure portal as a Global Administrator, Application Administrator, or Cloud Application Administrator.
  2. Select Azure Active Directory > Enterprise applications > Consent and permissions > Permission classifications.
  3. Choose Add permissions to classify another permission as "Low impact".
  4. Select the API and then select the delegated permission(s).

In this example, we've classified the minimum set of permissions required for single sign-on:

[Screenshot: Permission classifications]
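The rule stated earlier (only delegated permissions that don't require admin consent can be classified as "Low impact") can be checked before anything is changed in the tenant. The following is an added example, not part of the original guide: it filters a constructed scope list shaped like Microsoft Graph's `oauth2PermissionScopes` and builds request bodies for the `delegatedPermissionClassifications` endpoint. The scope IDs are placeholders and the function name `plan_low_impact` is hypothetical.

```python
# Constructed sample of an API's delegated scopes, in the shape of the
# oauth2PermissionScopes collection on a Microsoft Graph servicePrincipal.
# The IDs are placeholders, not the real Microsoft Graph permission IDs.
SAMPLE_SCOPES = [
    {"id": "00000000-0000-0000-0000-000000000001", "value": "openid", "type": "User", "isEnabled": True},
    {"id": "00000000-0000-0000-0000-000000000002", "value": "profile", "type": "User", "isEnabled": True},
    {"id": "00000000-0000-0000-0000-000000000003", "value": "email", "type": "User", "isEnabled": True},
    {"id": "00000000-0000-0000-0000-000000000004", "value": "User.Read", "type": "User", "isEnabled": True},
    {"id": "00000000-0000-0000-0000-000000000005", "value": "offline_access", "type": "User", "isEnabled": True},
    {"id": "00000000-0000-0000-0000-000000000006", "value": "Directory.Read.All", "type": "Admin", "isEnabled": True},
]

# The minimum sign-in set named in this guide.
SIGN_IN_SET = ["openid", "profile", "email", "User.Read", "offline_access"]


def plan_low_impact(scopes, requested, already_classified=()):
    """Return (payloads, rejected) for the requested permission names.

    payloads: bodies for POST /servicePrincipals/{id}/delegatedPermissionClassifications
    rejected: {name: reason} for permissions that must not be classified.
    """
    by_name = {s["value"]: s for s in scopes}
    done = set(already_classified)
    payloads, rejected = [], {}
    for name in requested:
        scope = by_name.get(name)
        if scope is None:
            rejected[name] = "not a delegated permission of this API"
        elif not scope.get("isEnabled", False):
            rejected[name] = "permission is disabled"
        elif scope["type"] != "User":
            # type "Admin" means the scope requires admin consent.
            rejected[name] = "requires admin consent"
        elif name not in done:
            payloads.append({
                "permissionId": scope["id"],
                "permissionName": scope["value"],
                "classification": "low",
            })
    return payloads, rejected


if __name__ == "__main__":
    bodies, refused = plan_low_impact(SAMPLE_SCOPES, SIGN_IN_SET + ["Directory.Read.All"])
    for body in bodies:
        print("classify:", body["permissionName"])
    for name, reason in refused.items():
        print("refuse:  ", name, "-", reason)
```

Reviewing the `rejected` map before sending any request keeps a permission that requires admin consent from being proposed for user consent by mistake.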

Next steps

To learn more:

To get help or find answers to your questions: