Configure how users consent to applications

In this article, you'll learn how to configure the way users consent to applications and how to disable all future user consent operations to applications.

Before an application can access your organization's data, a user must grant the application permissions to do so. Different permissions allow different levels of access. By default, all users are allowed to consent to applications for permissions that don't require administrator consent. For example, by default, a user can consent to allow an app to access their mailbox but can't consent to allow an app unfettered access to read and write to all files in your organization.

Important

To reduce the risk of malicious applications attempting to trick users into granting them access to your organization's data, we recommend that you allow user consent only for applications that have been published by a verified publisher.

Prerequisites

To configure user consent, you need:

  • A user account. If you don't already have one, you can create an account for free.
  • A Global Administrator or Privileged Administrator role.

To configure user consent settings through the Azure portal, do the following:

  1. Sign in to the Azure portal as a Global Administrator.

  2. Select Azure Active Directory > Enterprise applications > Consent and permissions > User consent settings.

  3. Under User consent for applications, select which consent setting you want to configure for all users.

  4. Select Save to save your settings.

Screenshot of the 'User consent settings' pane.

Tip

To allow users to request an administrator's review and approval of an application that the user isn't allowed to consent to, enable the admin consent workflow. For example, you might do this when user consent has been disabled or when an application is requesting permissions that the user isn't allowed to grant.

Next steps