Email Integration - Admin Consent in Microsoft Entra ID
Linking official Microsoft Entra ID (Azure AD) docs that explain how admins review, approve, or restrict third-party app permissions and enable admin consent workflows for organisation-wide access.
Application Approval for Organisation: Admin Consent in Microsoft Entra ID (formerly Azure AD)
(For use when your integration requests elevated permissions)
1. Introduction
This document explains how an organisation’s IT/Office admin can approve (or block) an application that requests permissions (such as “Send mail as you”, “Sign in and read your profile”, “Maintain access to data you have given it access to”) in Microsoft Entra ID.
It covers:
- the difference between user consent and admin consent
- how to grant tenant-wide admin consent
- how to configure the admin consent workflow (so end users can request approval)
- how to restrict user consent and maintain control
- some best practices for your clients.
2. Concepts: User Consent vs Admin Consent
Key points:
- Consent = authorising an application to access resources/data in the tenant.
- User consent: when a regular user signs in and approves an app’s requested permissions (delegated permissions). Some permissions require only user consent.
- Admin consent: requires an administrator to approve, either for one user or tenant-wide (for all users). This applies especially when the permissions requested are high-risk (application permissions, “read all mailboxes”, “manage directory”, etc.).
- Many organisations disable or restrict user consent by policy; hence apps may be blocked until an admin approves.
Why this matters for your integration:
Since your app requests “Send mail as you”, “Maintain access …”, etc., these may trigger admin-consent requirements depending on the client’s policy. The client’s tenant admin will need to review and approve your app if user consent alone is not permitted.
3. How to Grant Tenant-Wide Admin Consent
Steps for the admin:
- Sign in to the Microsoft Entra admin centre with a role that has permission (e.g., Privileged Role Administrator, Cloud Application Administrator).
- Navigate to: Identity (or Entra ID) → Enterprise applications → All applications. Search for the application (e.g., your integration).
- Select the application → under Security select Permissions (or “API permissions”) → review the list of permissions the app requests.
- If agreeable: select Grant admin consent (for the entire tenant). Confirm.
- Optionally: if they do not want all users to access it, they can restrict sign-in via User assignment required and assign only specific users/groups.
Important caveats:
- Granting tenant-wide admin consent is a sensitive operation: you are effectively authorising the app on behalf of all users.
- The admin should review exactly which permissions the app is requesting and whether they align with the required functionality.
- If the app later requests new permissions, further admin consent may be required.
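As an added example (not code from this page or from Microsoft), the Python below resolves the permissions an app registration requests against the resource's published permission catalogue and reports which ones user consent may cover and which always need an admin. The sample manifest and catalogue are constructed, with placeholder ids; the field names follow the Microsoft Graph application and servicePrincipal objects (requiredResourceAccess, oauth2PermissionScopes, appRoles).

```python
# Constructed sample data shaped like Microsoft Graph objects; the ids are
# placeholders, not the real Microsoft Graph permission ids.
CATALOGUE = {  # what a resource servicePrincipal (e.g. Microsoft Graph) publishes
    "oauth2PermissionScopes": [  # delegated permissions; "type" = who may consent
        {"id": "aaaa-0001", "value": "User.Read", "type": "User"},
        {"id": "aaaa-0002", "value": "Mail.Send", "type": "User"},
        {"id": "aaaa-0003", "value": "offline_access", "type": "User"},
        {"id": "aaaa-0004", "value": "Directory.ReadWrite.All", "type": "Admin"},
    ],
    "appRoles": [  # application permissions (no signed-in user)
        {"id": "bbbb-0001", "value": "Mail.Read"},
    ],
}
# What the integration's app registration asks for (application.requiredResourceAccess).
REQUESTED = [{"resourceAppId": "resource-placeholder", "resourceAccess": [
    {"id": "aaaa-0001", "type": "Scope"},
    {"id": "aaaa-0002", "type": "Scope"},
    {"id": "aaaa-0003", "type": "Scope"},
    {"id": "bbbb-0001", "type": "Role"},
    {"id": "cccc-9999", "type": "Scope"},  # not in the catalogue: must not be skipped
]}]

def classify(requested, catalogue):
    """One record per requested permission.

    "Scope" = delegated permission: catalogue type "User" means a user may
    consent if tenant policy allows it, "Admin" means an admin must.
    "Role" = application permission, which always needs admin consent.
    Unknown ids are flagged rather than silently dropped.
    """
    scopes = {s["id"]: s for s in catalogue["oauth2PermissionScopes"]}
    roles = {r["id"]: r for r in catalogue["appRoles"]}
    out = []
    for res in requested:
        for acc in res["resourceAccess"]:
            pid, kind = acc["id"], acc["type"]
            if kind == "Scope" and pid in scopes:
                out.append({"value": scopes[pid]["value"], "kind": "delegated",
                            "admin_consent": scopes[pid]["type"] == "Admin"})
            elif kind == "Role" and pid in roles:
                out.append({"value": roles[pid]["value"], "kind": "application",
                            "admin_consent": True})
            else:
                out.append({"value": pid, "kind": "unknown", "admin_consent": None})
    return out

def needs_admin(requested, catalogue):
    """Permission names that user consent can never cover on its own."""
    return [r["value"] for r in classify(requested, catalogue) if r["admin_consent"]]
```

Even a "User"-type delegated scope such as Mail.Send ends up needing an admin when the tenant's user consent settings (Section 5) block it, so treat the "User" result as "may be consentable", not "will be".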
4. Configuring the Admin Consent Workflow
Purpose: This workflow allows end users to request access to an application when user consent is blocked or limited, rather than admins having to manually approve each new app.
Steps for enabling:
- Sign in to the Microsoft Entra admin centre as Global Administrator.
- Navigate to: Identity (or Entra ID) → Enterprise applications → Consent and permissions → Admin consent settings.
- Enable “Users can request admin consent to apps they are unable to consent to”. Then specify who can serve as reviewers (users/groups/roles) for approval. Enable email notifications if desired. Set an expiration period for requests.
- Save the settings. It may take up to ~1 hour to take effect.
What the user sees:
When an end user tries to use an app requiring permissions they cannot approve themselves, they see a “Need admin approval” or “Request approval” prompt. The request is routed to the designated reviewers.
Best practice:
- Limit the number of people who can approve to reduce risk. Use reviewers rather than granting global consent by default.
- Audit and monitor all granted consents and requests.
5. Configuring User Consent Settings and Restricting Apps
Why configure this: Organisations often want to prevent users from freely granting access to unverified or high-risk apps. They control whether users can consent, and under what circumstances.
Steps:
- Navigate to: Identity → Enterprise applications → Consent and permissions → User consent settings.
- Choose from options such as: allow user consent for specific types of apps/permissions; block user consent entirely; require admin consent for all apps; etc.
- You can also create and manage app consent policies (for example, to restrict consent to only apps published by verified publishers).
For your integration: If the client’s tenant has user consent disabled (or limited), your app will prompt for admin consent. Make sure they are aware of this so they can plan for it.
6. Checklist for IT/Office Admin (Client side)
- Identify the app registration: your integration (tenant-wide or multi-tenant) and confirm the application ID.
- In the Entra admin centre → Enterprise applications, locate the application.
- Under Permissions/API permissions, review each requested permission. Confirm necessity and scope.
- Decide: will you grant tenant-wide admin consent (so all users can use the app) or restrict user access via user assignments?
- If user assignment is required, configure: Enterprise applications → application → Properties → User assignment required = Yes. Then assign users/groups.
- Determine the user consent policy: are end users allowed to self-consent? If not, ensure the admin consent workflow is enabled.
- Enable the admin consent workflow if desired (see Section 4). Assign reviewers.
- Once ready, grant admin consent (see Section 3).
- Communicate to end users: they may see a consent prompt or “Need admin approval”. Provide shortcuts or contact details.
- Periodically audit: Enterprise applications → All applications → review permissions granted, usage/sign-ins, and possible orphaned consents. You may use the “Consent Insights” workbook or the audit logs.
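For the periodic audit step above (and the "audit and monitor all granted consents" best practice in Section 4), the following added Python, not from this page or from Microsoft, scans a consent-grant listing for tenant-wide grants that include high-risk delegated scopes. The input is a constructed sample shaped like the Microsoft Graph GET /v1.0/oauth2PermissionGrants response; the ids, client names and the HIGH_RISK set are assumptions to adjust for your tenant.

```python
# Constructed sample shaped like Microsoft Graph's GET /v1.0/oauth2PermissionGrants
# response. Fields: clientId = object id of the consenting app's service principal,
# consentType = "AllPrincipals" for tenant-wide admin consent or "Principal" for a
# single user (principalId), resourceId = the API granted, scope = space-separated
# delegated permissions. The ids and names below are placeholders, and "offline_access"
# is the scope behind "Maintain access to data you have given it access to".
SAMPLE_GRANTS = {"value": [
    {"id": "g1", "clientId": "sp-mail-integration", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph",
     "scope": "User.Read offline_access Mail.Send"},
    {"id": "g2", "clientId": "sp-mail-integration", "consentType": "Principal",
     "principalId": "user-42", "resourceId": "sp-graph", "scope": "User.Read"},
    {"id": "g3", "clientId": "sp-forgotten-tool", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph",
     "scope": "Directory.ReadWrite.All offline_access"},
]}

# Assumed list of scopes worth a second look when granted for every user in the tenant.
HIGH_RISK = {"Mail.Send", "Mail.ReadWrite", "Directory.ReadWrite.All", "Directory.Read.All"}

def audit_grants(payload, high_risk=HIGH_RISK):
    """Return findings for tenant-wide grants that include high-risk scopes.

    Grants with consentType "AllPrincipals" apply to all users, so a risky
    scope there matters far more than the same scope consented by one user.
    "offline_access" is not flagged on its own, but it is reported alongside a
    risky scope because it lets the app keep a refresh token after the session.
    """
    findings = []
    for g in payload.get("value", []):
        if g.get("consentType") != "AllPrincipals":
            continue
        scopes = set(g.get("scope", "").split())
        risky = sorted(scopes & high_risk)
        if not risky:
            continue
        findings.append({
            "grant_id": g["id"],
            "client": g["clientId"],
            "risky_scopes": risky,
            "persistent": "offline_access" in scopes,
        })
    return findings

def grants_for_client(payload, client_id):
    """All grants (tenant-wide or per-user) held by one application."""
    return [g for g in payload.get("value", []) if g.get("clientId") == client_id]
```

Feed the same function a tenant-wide grant that your integration does not need (for example a directory write scope the app never uses) and it shows up as a finding to revoke.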
7. Links to Microsoft Official Documentation
- Grant tenant-wide admin consent to an application — Microsoft Learn
- Configure the admin consent workflow — Microsoft Learn
- Configure how users consent to applications — Microsoft Learn
- Overview of user and admin consent — Microsoft Learn
- Application consent management: Manage consent requests — Microsoft Learn
- Consent experience for applications — Microsoft Learn
8. Notes / Additional Considerations
- For multi-tenant applications (apps used across many organisations), the admin of each tenant must still approve the app in their own tenant.
- If your app requests application permissions (i.e., no user context, full access), those always require admin consent.
- Starting July 2025, Microsoft is introducing a “Microsoft-managed consent policy”, which may affect how user/app consent is handled. It is advisable to plan ahead.
- Advise clients to approve only apps from trusted/verified publishers, to minimise the risk of data exposure. Use the permissions review and audit logs regularly.