Grant tenant-wide admin consent to an application

Learn how to grant tenant-wide admin consent to an application. This article gives the different ways to achieve this.

For more information on consenting to applications, see Azure Active Directory consent framework.

Prerequisites

Granting tenant-wide admin consent requires you to sign in as a user who is authorized to consent on behalf of the organization. The built-in roles that allow this are Global Administrator and Privileged Role Administrator. For applications that do not require application permissions for Microsoft Graph or Azure AD Graph, Application Administrator and Cloud Application Administrator can also grant consent. A user can also be authorized to grant tenant-wide consent if they are assigned a custom directory role that includes the permission to grant permissions to applications.

Warning

Granting tenant-wide admin consent to an application will grant the app and the app's publisher access to your organization's data. Carefully review the permissions the application is requesting before granting consent.

Important

When an application has been granted tenant-wide admin consent, all users will be able to sign in to the app unless it has been configured to require user assignment. To restrict which users can sign in to an application, require user assignment and then assign users or groups to the application. For more information, see Methods for assigning users and groups.

You can grant tenant-wide admin consent through Enterprise applications if the application has already been provisioned in your tenant. For example, an app could be provisioned in your tenant if at least one user has already consented to the application. For more information, see How and why applications are added to Azure Active Directory.

To grant tenant-wide admin consent to an app listed in Enterprise applications:

  1. Sign in to the Azure portal with a role that allows granting admin consent (see Prerequisites).

  2. Select Azure Active Directory then Enterprise applications.

  3. Select the application to which you want to grant tenant-wide admin consent.

  4. Select Permissions and then click Grant admin consent. In this example, we use the 10,000ft Plans application.

    [Screenshot: granting tenant-wide admin consent from the Permissions page.]

  5. Carefully review the permissions the application requires.

  6. If you agree with the permissions the application requires, grant consent. If not, click Cancel or close the window.

Warning

Granting tenant-wide admin consent through Enterprise apps will revoke any permissions which had previously been granted tenant-wide. Permissions which have previously been granted by users on their own behalf will not be affected.

For applications your organization has developed, or which are registered directly in your Azure AD tenant, you can also grant tenant-wide admin consent from App registrations in the Azure portal.

To grant tenant-wide admin consent from App registrations:

  1. Sign in to the Azure portal with a role that allows granting admin consent (see Prerequisites).
  2. Select Azure Active Directory then App registrations.
  3. Select the application to which you want to grant tenant-wide admin consent.
  4. Select API permissions and then click Grant admin consent.
  5. Carefully review the permissions the application requires.
  6. If you agree with the permissions the application requires, grant consent. If not, click Cancel or close the window.

Warning

Granting tenant-wide admin consent through App registrations will revoke any permissions which had previously been granted tenant-wide. Permissions which have previously been granted by users on their own behalf will not be affected.

When granting tenant-wide admin consent using either method described above, a window opens from the Azure portal to prompt for tenant-wide admin consent. If you know the client ID (also known as the application ID) of the application, you can build the same URL to grant tenant-wide admin consent.

The tenant-wide admin consent URL has the following format:

https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}

where:

  • {client-id} is the application's client ID (also known as app ID).
  • {tenant-id} is your organization's tenant ID or any verified domain name.

As always, carefully review the permissions an application requests before granting consent.

Warning

Granting tenant-wide admin consent through this URL will revoke any permissions which had previously been granted tenant-wide. Permissions which have previously been granted by users on their own behalf will not be affected.
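The following is an added example, not part of the original article or of any Microsoft library. It builds the admin consent URL in the format shown above from a tenant ID (or verified domain) and a client ID, and, for the reverse direction, checks a consent link an administrator has been given before it is used: the host must be exactly login.microsoftonline.com, the path must be /{tenant}/adminconsent, and the client_id must be a GUID that can then be looked up under Enterprise applications and reviewed. The GUIDs and the contoso.onmicrosoft.com tenant used in the comments and test are constructed sample values.

```python
import re
from urllib.parse import urlencode, urlparse, parse_qs

ADMIN_CONSENT_HOST = "login.microsoftonline.com"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")
# Verified domain names such as contoso.onmicrosoft.com (constructed sample).
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I
)


def build_admin_consent_url(tenant: str, client_id: str) -> str:
    """Build https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}.

    tenant may be the tenant ID (GUID) or a verified domain name; client_id
    (the app ID) must be a GUID. Anything else is rejected rather than encoded.
    """
    if not GUID_RE.match(client_id):
        raise ValueError(f"client_id must be a GUID, got {client_id!r}")
    if not (GUID_RE.match(tenant) or DOMAIN_RE.match(tenant)):
        raise ValueError(f"tenant must be a tenant ID or verified domain, got {tenant!r}")
    return f"https://{ADMIN_CONSENT_HOST}/{tenant}/adminconsent?{urlencode({'client_id': client_id})}"


def inspect_admin_consent_url(url: str) -> tuple[str, str]:
    """Return (tenant, client_id) from a consent link, or raise ValueError.

    Checks that the link really points at the admin consent endpoint: https,
    the exact login.microsoftonline.com host (no look-alike or subdomain),
    a /{tenant}/adminconsent path, and a single GUID client_id. The returned
    client_id is what to look up and review before consent is granted.
    """
    parts = urlparse(url)
    if parts.scheme != "https" or parts.netloc.lower() != ADMIN_CONSENT_HOST:
        raise ValueError(f"unexpected scheme or host: {parts.scheme}://{parts.netloc}")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 2 or segments[1].lower() != "adminconsent":
        raise ValueError(f"unexpected path: {parts.path!r}")
    client_ids = parse_qs(parts.query).get("client_id", [])
    if len(client_ids) != 1 or not GUID_RE.match(client_ids[0]):
        raise ValueError("client_id missing, repeated, or not a GUID")
    return segments[0], client_ids[0]


def is_admin_consent_url(url: str) -> bool:
    """Boolean form of inspect_admin_consent_url for use in a quick check."""
    try:
        inspect_admin_consent_url(url)
        return True
    except ValueError:
        return False
```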

Next steps

Configure how end-users consent to applications

Configure the admin consent workflow

Permissions and consent in the Microsoft identity platform

Azure AD on Microsoft Q&A