The Admin Consent Workflow in Microsoft Entra ID is a feature designed to manage user consent for enterprise application permissions. It allows administrators to review, approve, or deny permission requests before access is granted. Instead of allowing users to grant extensive permissions directly, the Admin Consent Workflow ensures that only authorized applications can access sensitive data. For instance, an application might request permission to access a user’s profile or read the contents of their mailbox. By introducing this workflow, organizations can effectively enforce the principle of least privilege and reduce the risk of unintentional data exposure.
This blog post provides a guide on how to configure the Admin Consent Workflow in Microsoft Entra ID. It demonstrates how users can submit permission requests for applications and how these requests can be reviewed and processed.
Requirements and licensing
Licensing
The Admin Consent Workflow in Microsoft Entra ID requires the following license:
- Microsoft Entra ID P1 or higher
An overview of Microsoft licensing plans and their features is available at https://m365maps.com/.
Roles
For configuring the Admin Consent Workflow, reviewing requests, and approving or denying access requests, the following roles are appropriate based on the principle of least privilege:
| Role | Description |
| Global Administrator | Configure and enable the Admin Consent Workflow; review, approve, or deny permission requests |
| *Privileged Role Administrator *Cloud Application Administrator | Review, approve, or deny permission requests |
* Details about these roles can be found here: Grant tenant-wide admin consent to an application – Microsoft Entra ID | Microsoft Learn
Configuring the Admin Consent Workflow in Microsoft Entra ID
Configuring User Consent in Microsoft Entra ID
User Consent in Microsoft Entra ID controls whether, and to what extent, users are allowed to grant applications access to organizational data. Without centralized control, there is a risk that users may unintentionally authorize applications to access sensitive information without being aware of potential security or compliance implications.
User consent is configured in the Microsoft Entra admin center https://entra.microsoft.com) by navigating to Identity > Applications > Enterprise applications > Consent and permissions > User consent settings.
The following options are available when configuring user consent, allowing you to control third-party app access to organizational data:
- Do not allow user consent
Only administrators can authorise applications to access data. This option offers the highest level of security, but requires more administrative effort. - Allow user consent for selected permissions
Users can authorize applications from verified publishers if the requested permissions are classified as low impact. Approved permissions are defined through permission classifications. This setting offers a balanced approach between security and usability. - Allow user consent for all apps
All users can grant any application access to data, regardless of publisher verification or risk classification. This configuration is not recommended due to security concerns.
For maximum security, it is recommended to select the Do not allow user consent option.
Enabling the Admin Consent Workflow in Microsoft Entra ID
Admin Consent in Microsoft Entra ID enables secure and controlled management of application permissions. It governs how users can submit consent requests for applications that require permissions they are not authorized to approve themselves. By leveraging the Admin Consent Workflow, access to sensitive resources is effectively controlled, enhancing the overall security of the environment.
Admin consent is configured in the Microsoft Entra admin center (https://entra.microsoft.com) by navigating to Identity > Applications > Enterprise applications > Consent and permissions > Admin consent settings.
The following options can be configured in the Admin Consent Workflow to control the approval process:
- Enable Admin Consent Workflow
Set this option to Yes to activate the Admin Consent Workflow, allowing users to submit access requests to designated reviewers. - Assign reviewers
Specify users, groups, or roles responsible for reviewing and approving access requests. - Enable email notifications
Notify reviewers via email when new access requests are submitted. - Configure reminder emails
Send reminder emails to reviewers when a request is nearing expiration and has not yet been processed. - Define request expiration period
Set the maximum validity period for pending access requests before they automatically expire.
Permission Classifications in Microsoft Entra ID
Permission Classifications in the Microsoft Entra admin center allow API permissions to be categorized based on their risk profile, such as low, medium, or high. This classification enables automated user consent decisions, allowing users to grant certain permissions without requiring additional approval.
API permission classifications are configured in the Microsoft Entra admin center (https://entra.microsoft.com) by navigating to Identity > Applications > Enterprise applications > Consent and permissions > Permission classifications.
Classifications can be configured either broadly for most commonly requested application permissions (1), or granularly on a per-API basis (2).
Admin Experience and User Experience
User Experience
If a user is not authorized to approve a permission request for an enterprise application, a corresponding message is displayed. By providing a justification (1) and clicking Request approval (2), the Admin Consent Workflow is initiated.
The approval request has been successfully submitted and is now pending further action by an reviewer.
Admin Experience
Each reviewer receives the approval request via email.
Requests are managed in the Microsoft Entra admin centre (https://entra.microsoft.com) by navigating to Identity > Applications > Enterprise applications > Admin consent requests > My pending requests
The reviewer now has the option to either deny (2) or block (1) it.
Denying means that the current approval request is rejected once. Blocking, on the other hand, prevents any future approval requests for this application from being submitted.
The reviewer can view, deny, or block an approval request. To view the requested permissions and approve them, one of the following roles is required: Global Administrator, Privileged Role Administrator or Cloud Application Administrator.
If the requested permissions are appropriate, the request can be approved by clicking Accept.
In the Microsoft Entra admin center (https://entra.microsoft.com) navigate to Identity > Applications > Enterprise applications > All applications > Select application > Permissions, to view the granted permissions. The application is now authorized and ready for use within the organization.
Follow me on LinkedIn and Bluesky to always stay updated on my recent posts.
Was this post helpful to you? Show your enthusiasm with the delightful aroma of a freshly brewed coffee for me!
