Configure permission classifications

In this article you'll learn how to configure permission classifications in Azure Active Directory (Azure AD). Permission classifications let you identify the impact that different permissions have according to your organization's policies and risk evaluations. For example, you can use permission classifications in consent policies to identify the set of permissions that users are allowed to consent to.

Currently, only the "Low impact" permission classification is supported. Only delegated permissions that don't require admin consent can be classified as "Low impact".

The minimum permissions needed for basic sign-in are openid, profile, email, User.Read and offline_access, which are all delegated permissions on Microsoft Graph. With these permissions an app can read the full profile details of the signed-in user and can maintain this access even when the user is no longer using the app.

Prerequisites

To configure permission classifications, you need:

  • An Azure account with an active subscription. Create an account for free.
  • One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

Manage permission classifications

Follow these steps to classify permissions using the Azure portal:

  1. Sign in to the Azure portal as a Global Administrator, Application Administrator, or Cloud Application Administrator.
  2. Select Azure Active Directory > Enterprise applications > Consent and permissions > Permission classifications.
  3. Choose Add permissions to classify another permission as "Low impact".
  4. Select the API and then select the delegated permission(s).

In this example, we've classified the minimum set of permissions required for single sign-on:

(Screenshot: Permission classifications)

Next steps

To learn more: