Application Permissions - Ensure the User Consent Workflow is Enabled

 









Summary

If the admin consent workflow is not enabled, users in a tenant are blocked whenever they try to access an app that requires permissions to access organizational data. They see a generic error message saying that they are unauthorized to access the app and should ask their admin for help.

Reason

This setup offers a secure way to grant access to applications that require admin approval. When a user is unable to provide consent, they can send a request for admin approval by email to the admins designated as reviewers. A reviewer acts on the request, and the user is notified of the action.

What If?

To approve requests, a reviewer must be a global administrator, cloud application administrator, or application administrator. The reviewer must already have one of these admin roles assigned; simply designating them as a reviewer doesn't elevate their privileges.

How to?

To enable the admin consent workflow (Preview), use the Microsoft 365 Admin Center:
  1. Select Admin centers and Azure Active Directory.
  2. Select Enterprise Applications from the Azure navigation pane.
  3. Under Manage, pick Users settings.
  4. Under Admin consent requests, set "Users can request admin consent to apps they are unable to consent to" to Yes.
  5. Under Reviewers, choose the roles and groups that you would like to review user-generated app consent requests.
  6. Click the Save button at the top of the window.

Monitor:

To verify the admin consent workflow (Preview) is enabled, use the Microsoft 365 Admin Center:
  1. Select Admin centers and Azure Active Directory.
  2. Select Enterprise Applications from the Azure navigation pane.
  3. Under Manage, pick Users settings.
  4. Verify that "Users can request admin consent to apps they are unable to consent to" is set to Yes.
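
The same check can be scripted against the policy object that Microsoft Graph exposes at /policies/adminConsentRequestPolicy. The following is an added example, not part of the original post: it assumes the policy JSON has already been retrieved, uses a constructed sample with placeholder GUIDs, and the function names are hypothetical.

```python
import json

# Constructed sample of a GET /policies/adminConsentRequestPolicy response
# (Microsoft Graph v1.0). The GUIDs are placeholders, not real objects.
SAMPLE_POLICY = json.loads("""
{
  "isEnabled": true,
  "notifyReviewers": true,
  "remindersEnabled": true,
  "requestDurationInDays": 30,
  "reviewers": [
    {"query": "/users/00000000-0000-0000-0000-000000000001",
     "queryType": "MicrosoftGraph", "queryRoot": null},
    {"query": "/groups/00000000-0000-0000-0000-000000000002/transitiveMembers/microsoft.graph.user",
     "queryType": "MicrosoftGraph", "queryRoot": null}
  ]
}
""")

def reviewer_kind(query):
    """Classify a reviewer scope by the Graph path its query starts with."""
    for prefix, kind in (("/users/", "user"), ("/groups/", "group"),
                         ("/roleManagement/", "role")):
        if query.startswith(prefix):
            return kind
    return "unknown"

def audit_consent_policy(policy):
    """Return findings and follow-up checks; an empty list means nothing to do."""
    findings = []
    if policy.get("isEnabled") is not True:
        findings.append("admin consent workflow is disabled: users hit a generic block")
    reviewers = policy.get("reviewers") or []
    if not reviewers:
        findings.append("no reviewers designated: requests have nobody to act on them")
    for r in reviewers:
        kind = reviewer_kind(r.get("query", ""))
        if kind in ("user", "group"):
            # Designation does not grant privileges, so role membership
            # has to be confirmed separately for these reviewers.
            findings.append(f"verify admin role for {kind} reviewer {r['query']}")
        elif kind == "unknown":
            findings.append(f"unrecognised reviewer scope {r.get('query')!r}")
    return findings

if __name__ == "__main__":
    for finding in audit_consent_policy(SAMPLE_POLICY):
        print("FINDING:", finding)
```

Reviewers designated by directory role produce no follow-up, while individually designated users and groups are listed so their role assignments can be confirmed.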





























































