Grant tenant-wide admin consent to an application

Learn how to simplify the user experience by granting tenant-wide admin consent to an application. This article gives the different ways to achieve this. The methods apply to all end users in your Azure Active Directory (Azure AD) tenant.

For more information on consenting to applications, see Azure Active Directory consent framework.

Prerequisites

Granting tenant-wide admin consent requires you to sign in as a Global Administrator, an Application Administrator, or a Cloud Application Administrator.

Important

When an application has been granted tenant-wide admin consent, all users will be able to sign in to the app unless it has been configured to require user assignment. To restrict which users can sign in to an application, require user assignment and then assign users or groups to the application. For more information, see Methods for assigning users and groups.

The Global Administrator role is required in order to provide admin consent for application permissions to the Microsoft Graph API.

Warning

Granting tenant-wide admin consent to an application will grant the app and the app's publisher access to your organization's data. Carefully review the permissions the application is requesting before granting consent.

You can grant tenant-wide admin consent through Enterprise applications if the application has already been provisioned in your tenant. For example, an app could be provisioned in your tenant if at least one user has already consented to the application. For more information, see How and why applications are added to Azure Active Directory.

To grant tenant-wide admin consent to an app listed in Enterprise applications:

  1. Sign in to the Azure portal as a Global Administrator, an Application Administrator, or a Cloud Application Administrator.
  2. Select Azure Active Directory then Enterprise applications.
  3. Select the application to which you want to grant tenant-wide admin consent.
  4. Select Permissions and then click Grant admin consent.
  5. Carefully review the permissions the application requires.
  6. If you agree with the permissions the application requires, grant consent. If not, click Cancel or close the window.

Warning

Granting tenant-wide admin consent through Enterprise apps will revoke any permissions which had previously been granted tenant-wide. Permissions which have previously been granted by users on their own behalf will not be affected.

For applications your organization has developed, or which are registered directly in your Azure AD tenant, you can also grant tenant-wide admin consent from App registrations in the Azure portal.

To grant tenant-wide admin consent from App registrations:

  1. Sign in to the Azure portal as a Global Administrator, an Application Administrator, or a Cloud Application Administrator.
  2. Select Azure Active Directory then App registrations.
  3. Select the application to which you want to grant tenant-wide admin consent.
  4. Select API permissions and then click Grant admin consent.
  5. Carefully review the permissions the application requires.
  6. If you agree with the permissions the application requires, grant consent. If not, click Cancel or close the window.

Warning

Granting tenant-wide admin consent through App registrations will revoke any permissions which had previously been granted tenant-wide. Permissions which have previously been granted by users on their own behalf will not be affected.

When granting tenant-wide admin consent using either method described above, a window opens from the Azure portal to prompt for tenant-wide admin consent. If you know the client ID (also known as the application ID) of the application, you can build the same URL to grant tenant-wide admin consent.

The tenant-wide admin consent URL has the following format:

https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}

where:

  • {client-id} is the application's client ID (also known as app ID).
  • {tenant-id} is your organization's tenant ID or any verified domain name.

As always, carefully review the permissions an application requests before granting consent.

Warning

Granting tenant-wide admin consent through this URL will revoke any permissions which had previously been granted tenant-wide. Permissions which have previously been granted by users on their own behalf will not be affected.
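The following helper is an added example, not part of this article or of any Microsoft tooling. It builds the admin consent URL described above from a tenant identifier and a client ID, and, because an admin is typically handed such a link rather than building it, it also checks an incoming link before it is opened: that it uses HTTPS, that the host is exactly login.microsoftonline.com, that the path is {tenant}/adminconsent, and that the client_id in the query is the application the admin actually intends to approve. The tenant name contoso.onmicrosoft.com and the GUIDs below are constructed sample values.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

ADMIN_CONSENT_HOST = "login.microsoftonline.com"

# Client IDs and tenant IDs are GUIDs.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")
# Loose check for a verified domain name used in place of the tenant ID.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-zA-Z0-9](-?[a-zA-Z0-9])*\.)+[a-zA-Z]{2,}$")


def build_admin_consent_url(tenant: str, client_id: str) -> str:
    """Build https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}.

    tenant may be the tenant ID (GUID) or a verified domain name; client_id must be a GUID.
    Inputs are validated so a typo cannot silently produce a link to the wrong application.
    """
    if not GUID_RE.match(client_id):
        raise ValueError(f"client_id is not a GUID: {client_id!r}")
    if not (GUID_RE.match(tenant) or DOMAIN_RE.match(tenant)):
        raise ValueError(f"tenant is neither a GUID nor a domain name: {tenant!r}")
    query = urlencode({"client_id": client_id})
    return f"https://{ADMIN_CONSENT_HOST}/{tenant}/adminconsent?{query}"


def check_admin_consent_url(url: str, expected_client_id: str) -> dict:
    """Inspect a consent link before an admin opens it.

    Returns a dict of individual checks plus an overall 'ok' flag. Every check must pass:
    HTTPS scheme, the exact expected host, a {tenant}/adminconsent path, and a single
    client_id equal to the application the admin intends to grant consent to.
    """
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    client_ids = parse_qs(parts.query).get("client_id", [])
    result = {
        "https": parts.scheme == "https",
        "expected_host": parts.hostname == ADMIN_CONSENT_HOST,
        "adminconsent_path": len(segments) == 2 and segments[1] == "adminconsent",
        "tenant": segments[0] if segments else None,
        "client_id_matches": client_ids == [expected_client_id],
    }
    result["ok"] = all(
        result[k] for k in ("https", "expected_host", "adminconsent_path", "client_id_matches")
    )
    return result


if __name__ == "__main__":
    # Constructed sample values; replace with your own tenant and the app's client ID.
    tenant = "contoso.onmicrosoft.com"
    app_id = "11111111-2222-3333-4444-555555555555"
    link = build_admin_consent_url(tenant, app_id)
    print(link)
    print(check_admin_consent_url(link, app_id))
```

The checker deliberately compares the host for equality rather than with a substring match, so a link whose host merely contains login.microsoftonline.com is rejected, and it requires exactly one client_id value so a second, conflicting parameter cannot slip past review.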

Next steps

Configure how end-users consent to applications

Configure the admin consent workflow

Permissions and consent in the Microsoft identity platform

Azure AD on StackOverflow