{
	"id": "d8616c14-f555-4f06-a7e8-2cb44410d2c7",
	"created_at": "2026-04-06T00:19:40.174023Z",
	"updated_at": "2026-04-10T03:20:47.212093Z",
	"deleted_at": null,
	"sha1_hash": "ff5f425adf18b9311c01d3f288f48699fdfd2d34",
	"title": "Configure how users consent to applications - Microsoft Entra ID",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 106070,
	"plain_text": "Configure how users consent to applications - Microsoft Entra ID\r\nBy omondiatieno\r\nArchived: 2026-04-05 13:12:40 UTC\r\nIn this article, you learn how to configure user consent settings in Microsoft Entra ID to control when and how users grant permissions to applications. This guidance helps IT admins reduce security risks by restricting or disabling user consent.\r\nBefore an application can access your organization's data, a user must grant the application permissions to do so. Different permissions allow different levels of access. By default, all users are allowed to consent to applications for permissions that don't require administrator consent. For example, by default, a user can consent to allow an app to access their mailbox but can't consent to allow an app unfettered access to read and write to all files in your organization.\r\nTo reduce the risk of malicious applications attempting to trick users into granting them access to your organization's data, we recommend that you allow user consent only for applications that have been published by a verified publisher.\r\nNote\r\nApplications that require users to be assigned to the application must have their permissions consented by an administrator, even if the user consent policies for your directory would otherwise allow a user to consent on behalf of themselves.\r\nPrerequisites\r\nTo configure user consent, you need:\r\nA user account. If you don't already have one, you can create an account for free.\r\nA Privileged Role Administrator role.\r\nA Global Administrator role is only required when using the Microsoft Entra admin center.\r\nConfigure user consent settings\r\nYou can configure user consent settings in Microsoft Entra ID using either the Microsoft Entra admin center, Microsoft Graph PowerShell, or the Microsoft Graph API. 
The settings you configure apply to all users in your organization.\r\nConfigure user consent in Microsoft Entra admin center\r\nTo configure user consent settings through the Microsoft Entra admin center:\r\n1. Sign in to the Microsoft Entra admin center as a Global Administrator.\r\n2. Browse to Identity \u003e Applications \u003e Enterprise apps \u003e Consent and permissions \u003e User consent settings.\r\n3. Under User consent for applications, select which consent setting you want to configure for all users.\r\n4. Select Save to save your settings.\r\nhttps://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent?pivots=portal\r\nPage 1 of 6\n\nUnderstand authorization and permission grant policies in Microsoft Graph PowerShell\r\nTo configure user consent settings programmatically using Microsoft Graph PowerShell, it's important to understand the distinction between the tenant-wide authorization policy and individual permission grant policies. The authorizationPolicy, retrieved using Update-MgPolicyAuthorizationPolicy, governs global settings such as whether users can consent to apps and which permission grant policies are assigned to the default user role. For example, you can disable user consent while still allowing developers to manage permissions for the apps they own by assigning only ManagePermissionGrantsForOwnedResource.DeveloperConsent in the permissionGrantPoliciesAssigned collection.\r\nOn the other hand, the permissionGrantPolicies endpoint lists your current permission grant policies. These policies determine what permissions can be granted to applications and under what circumstances. Each policy 'includes' certain conditions, but 'excludes' others. When a user tries to consent to an application, the system checks the permission grant policies to see if any of them apply to the user's request. 
For example, the low-risk policy would allow users to consent to those permissions configured as 'low risk'. It includes these low-risk policies (as a GUID). In another scenario, if a user tries to consent in a context that matches the 'AdminOnly' policy, they're unable to consent.\r\nNote\r\nBefore updating consent settings with an Update-MgPolicyPermissionGrantPolicy command, always retrieve the current authorizationPolicy to identify which permission grant policies are already assigned. This ensures you preserve necessary permissions, such as those enabling developers to manage consent for apps they own, and avoid unintentionally removing existing functionality.\r\nTo choose which app consent policy governs user consent for applications, use the Microsoft Graph PowerShell module. The cmdlets used here are included in the Microsoft.Graph.Identity.SignIns module.\r\nConnect to Microsoft Graph PowerShell using the least-privilege permission needed. For reading the current user consent settings, use Policy.Read.All. For reading and changing the user consent settings, use Policy.ReadWrite.Authorization. You need to sign in as a Privileged Role Administrator.\r\nConnect-MgGraph -Scopes \"Policy.ReadWrite.Authorization\"\r\nDisable user consent using Microsoft Graph PowerShell\r\nTo disable user consent, ensure that the consent policies (PermissionGrantPoliciesAssigned) include any other current ManagePermissionGrantsForOwnedResource.* policies while updating the collection. 
This way, you can maintain your current configuration for user consent settings and other resource consent settings.\r\n# only exclude the user consent policy; keep the other currently assigned policies\r\n$body = @{\r\n    \"permissionGrantPolicyIdsAssignedToDefaultUserRole\" = @(\r\n        \"managePermissionGrantsForOwnedResource.{other-current-policies}\"\r\n    )\r\n}\r\nUpdate-MgPolicyAuthorizationPolicy -BodyParameter $body\r\nAllow user consent subject to an app consent policy using PowerShell\r\nTo allow user consent, choose which app consent policy should govern users' authorization to grant consent to apps. Ensure that the consent policies (PermissionGrantPoliciesAssigned) include any other current ManagePermissionGrantsForOwnedResource.* policies while updating the collection. This way, you can maintain your current configuration for user consent settings and other resource consent settings.\r\n$body = @{\r\n    \"permissionGrantPolicyIdsAssignedToDefaultUserRole\" = @(\r\n        \"managePermissionGrantsForSelf.{consent-policy-id}\",\r\n        \"managePermissionGrantsForOwnedResource.{other-current-policies}\"\r\n    )\r\n}\r\nUpdate-MgPolicyAuthorizationPolicy -BodyParameter $body\r\nReplace {consent-policy-id} with the ID of the policy you want to apply. 
You can choose a custom app consent policy that you've created, or you can choose from the following built-in policies:\r\nID: microsoft-user-default-low\r\nDescription: Allow user consent for apps from verified publishers, for selected permissions. Allow limited user consent only for apps from verified publishers and apps that are registered in your tenant, and only for permissions that you classify as low impact. (Remember to classify permissions to select which permissions users are allowed to consent to.)\r\nID: microsoft-user-default-legacy\r\nDescription: Allow user consent for apps. This option allows all users to consent to any permission that doesn't require admin consent, for any application.\r\nFor example, to enable user consent subject to the built-in policy microsoft-user-default-low, run the following commands:\r\n$body = @{\r\n    \"permissionGrantPolicyIdsAssignedToDefaultUserRole\" = @(\r\n        \"managePermissionGrantsForSelf.microsoft-user-default-low\",\r\n        \"managePermissionGrantsForOwnedResource.{other-current-policies}\"\r\n    )\r\n}\r\nUpdate-MgPolicyAuthorizationPolicy -BodyParameter $body\r\nUnderstand authorization and permission grant policies in Microsoft Graph\r\nTo configure user consent settings programmatically using Microsoft Graph, it's important to understand the distinction between the tenant-wide authorization policy and individual permission grant policies. The authorizationPolicy (retrieved using GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy/authorizationPolicy) governs global settings such as whether users can consent to apps and which permission grant policies are assigned to the default user role. 
For example, you can disable user consent while still allowing developers to manage permissions for the apps they own by assigning only ManagePermissionGrantsForOwnedResource.DeveloperConsent in the permissionGrantPoliciesAssigned collection.\r\nOn the other hand, the permissionGrantPolicies endpoint (GET https://graph.microsoft.com/v1.0/policies/permissionGrantPolicies) lists your current permission grant policies. These policies determine what permissions can be granted to applications and under what circumstances. Each policy 'includes' certain conditions, but 'excludes' others. When a user tries to consent to an application, the system checks the permission grant policies to see if any of them apply to the user's request. For example, the low-risk policy would allow users to consent to those permissions configured as 'low risk'. It includes these low-risk policies (as a GUID). In another scenario, if a user tries to consent in a context that matches the 'AdminOnly' policy, they're unable to consent.\r\nNote\r\nBefore updating consent settings with a PATCH request, always retrieve the current authorizationPolicy to identify which permission grant policies are already assigned. This ensures you preserve necessary permissions, such as those enabling developers to manage consent for apps they own, and avoid unintentionally removing existing functionality.\r\nUse the Graph Explorer to choose which app consent policy governs user consent for applications. You need to sign in as a Privileged Role Administrator.\r\nDisable user consent using Microsoft Graph\r\nTo disable user consent, ensure that the consent policies (PermissionGrantPoliciesAssigned) include any other current ManagePermissionGrantsForOwnedResource.* policies while updating the collection. 
This way, you can maintain your current configuration for user consent settings and other resource consent settings.\r\nPATCH https://graph.microsoft.com/v1.0/policies/authorizationPolicy\r\n{\r\n    \"defaultUserRolePermissions\": {\r\n        \"permissionGrantPoliciesAssigned\": [\r\n            \"managePermissionGrantsForOwnedResource.{other-current-policies}\"\r\n        ]\r\n    }\r\n}\r\nAllow user consent subject to an app consent policy using Microsoft Graph\r\nTo allow user consent, choose which app consent policy should govern users' authorization to grant consent to apps. Ensure that the consent policies (PermissionGrantPoliciesAssigned) include any other current ManagePermissionGrantsForOwnedResource.* policies while updating the collection. This way, you can maintain your current configuration for user consent settings and other resource consent settings.\r\nPATCH https://graph.microsoft.com/v1.0/policies/authorizationPolicy\r\n{\r\n    \"defaultUserRolePermissions\": {\r\n        \"permissionGrantPoliciesAssigned\": [\r\n            \"managePermissionGrantsForSelf.{consent-policy-id}\",\r\n            \"managePermissionGrantsForOwnedResource.{other-current-policies}\"\r\n        ]\r\n    }\r\n}\r\nReplace {consent-policy-id} with the ID of the policy you want to apply. 
You can choose a custom app consent policy that you've created, or you can choose from the following built-in policies:\r\nID: microsoft-user-default-low\r\nDescription: Allow user consent for apps from verified publishers, for selected permissions. Allow limited user consent only for apps from verified publishers and apps that are registered in your tenant, and only for permissions that you classify as low impact. (Remember to classify permissions to select which permissions users are allowed to consent to.)\r\nID: microsoft-user-default-legacy\r\nDescription: Allow user consent for apps. This option allows all users to consent to any permission that doesn't require admin consent, for any application.\r\nFor example, to enable user consent subject to the built-in policy microsoft-user-default-low, use the following PATCH command:\r\nPATCH https://graph.microsoft.com/v1.0/policies/authorizationPolicy\r\n{\r\n    \"defaultUserRolePermissions\": {\r\n        \"permissionGrantPoliciesAssigned\": [\r\n            \"managePermissionGrantsForSelf.microsoft-user-default-low\",\r\n            \"managePermissionGrantsForOwnedResource.{other-current-policies}\"\r\n        ]\r\n    }\r\n}\r\nAny updates to user consent settings only affect future consent operations for applications. Existing consent grants remain unchanged, and users continue to have access based on the permissions previously granted. To learn how to revoke existing consent grants, see Review permissions granted to enterprise applications.\r\nTip\r\nTo allow users to request an administrator's review and approval of an application that the user isn't allowed to consent to, enable the admin consent workflow. 
For example, you might do this when user consent has been disabled or when an application is requesting permissions that the user isn't allowed to grant.\r\nNext steps\r\nManage app consent policies\r\nConfigure the admin consent workflow\r\nSource: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent?pivots=portal",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent?pivots=portal"
	],
	"report_names": [
		"configure-user-consent?pivots=portal"
	],
	"threat_actors": [],
	"ts_created_at": 1775434780,
	"ts_updated_at": 1775791247,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff5f425adf18b9311c01d3f288f48699fdfd2d34.pdf",
		"text": "https://archive.orkl.eu/ff5f425adf18b9311c01d3f288f48699fdfd2d34.txt",
		"img": "https://archive.orkl.eu/ff5f425adf18b9311c01d3f288f48699fdfd2d34.jpg"
	}
}