APP-04: Enable Admin Consent Workflow

Overview

The admin consent workflow allows users to request access to applications that require administrator approval, rather than being blocked entirely or granted access without oversight. This creates a balance between user productivity and security governance. This guide walks you through configuring and managing the admin consent workflow in Microsoft Entra ID.

TrueConfig: TrueConfig can enable the admin consent workflow and apply the recommended configuration below automatically, with one click.

Prerequisites

Required Roles

  • Global Administrator - Full access to configure consent settings
  • Cloud Application Administrator - Can configure consent settings and approve requests
  • Application Administrator - Can configure consent settings and approve requests

Required Licenses

  • Microsoft Entra ID (any tier)

Time Estimate

  • Initial Configuration: 20-30 minutes
  • Reviewer Setup: 10-15 minutes
  • Policy Documentation: 30 minutes

Step-by-Step Instructions

Step 1: Understand Current Consent Settings

Before configuring the workflow, review your current consent posture:

  1. Navigate to Microsoft Entra admin center (https://entra.microsoft.com)
  2. Go to Identity → Applications → Enterprise applications
  3. Click Consent and permissions in the left menu
  4. Select User consent settings

Review the current settings:

  • User consent for applications: Controls whether users can consent to apps
  • Group owner consent: Controls consent for apps accessing group data
  • Risk-based step-up consent: Blocks risky consent requests

Step 2: Configure User Consent Settings

Recommended Configuration

  1. In User consent settings, configure:

    User consent for applications:

    • Select Allow user consent for apps from verified publishers, for selected permissions
    • This allows low-risk consent while requiring admin approval for sensitive permissions
  2. Click Save

Alternative Configurations

Setting                                              | Use Case                   | Security Level
-----------------------------------------------------|----------------------------|---------------
Do not allow user consent                            | High-security environments | Highest
Allow for verified publishers + selected permissions | Balanced approach          | Recommended
Allow for verified publishers                        | Trust verified apps        | Medium
Allow user consent for all apps                      | Development/testing only   | Lowest

Step 3: Define Low-Risk Permission Classifications

Specify which permissions users can consent to without admin approval:

  1. In Consent and permissions, click Permission classifications

  2. Click + Add permissions

  3. Select Microsoft Graph as the API

  4. Add these low-risk permissions to the "Low" classification:

    • openid - Sign in
    • profile - View basic profile
    • email - View email address
    • User.Read - Read user profile
    • offline_access - Maintain access
  5. Click Add selected permissions

Low-Risk Permissions to Consider

# Authentication
openid
profile
email
offline_access

# Basic user data
User.Read
User.ReadBasic.All

# Calendar (read-only)
Calendars.Read
Calendars.Read.Shared

# Presence
Presence.Read
Presence.Read.All
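The same "Low" classification can be applied from a script rather than the portal. The following is an added example, not code from the original guide or from TrueConfig; it uses the Microsoft Graph PowerShell SDK and classifies the delegated permissions listed above on the Microsoft Graph service principal, skipping any that are already classified so it can be re-run safely.

```powershell
# Added example (not part of the original guide): classify the Step 3 delegated
# permissions as "Low" on the Microsoft Graph service principal. This is the same
# object the portal's Permission classifications blade writes to.
# Assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.PermissionGrant"

# Well-known appId of the Microsoft Graph API
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Delegated permissions the guide lists as low-risk
$lowRisk = @(
    "openid", "profile", "email", "offline_access",
    "User.Read", "User.ReadBasic.All",
    "Calendars.Read", "Calendars.Read.Shared",
    "Presence.Read", "Presence.Read.All"
)

# Permissions already classified, so the script is idempotent
$existing = Get-MgServicePrincipalDelegatedPermissionClassification `
    -ServicePrincipalId $graphSp.Id | ForEach-Object PermissionName

foreach ($name in $lowRisk) {
    if ($existing -contains $name) {
        Write-Host "Skip  : $name (already classified)"
        continue
    }
    # The classification needs the scope's ID, looked up from the published scopes
    $scope = $graphSp.Oauth2PermissionScopes | Where-Object Value -eq $name
    if (-not $scope) {
        Write-Warning "Not found on Microsoft Graph: $name"
        continue
    }
    New-MgServicePrincipalDelegatedPermissionClassification `
        -ServicePrincipalId $graphSp.Id `
        -PermissionId $scope.Id `
        -PermissionName $scope.Value `
        -Classification "low" | Out-Null
    Write-Host "Added : $name -> low"
}
```

Only delegated permissions can be classified; an application permission name in the list would be reported as not found rather than silently ignored.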

Step 4: Enable Admin Consent Workflow

  1. Navigate to Consent and permissions → Admin consent settings

  2. Set "Users can request admin consent to apps they are unable to consent to" to Yes

  3. Configure the workflow settings:

    Select users to review admin consent requests:

    • Click + Add users or + Add groups
    • Add your designated consent reviewers (e.g., "IT Security Team")
    • Recommended: Add 2-3 reviewers to ensure coverage

    Selected users will receive email notifications for requests:

    • Set to Yes

    Selected users will receive request expiration reminders:

    • Set to Yes

    Consent request expires after (days):

    • Set to 30 (adjust based on your SLA)
  4. Click Save
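Step 4 maps directly onto the adminConsentRequestPolicy resource in Microsoft Graph. The following is an added example, not code from the original guide or from TrueConfig; it applies the settings above with the Microsoft Graph PowerShell SDK and reads the policy back to confirm each one. The reviewer group ID is a placeholder, and the reviewers entry uses the transitive-members query form of an access review reviewer scope.

```powershell
# Added example (not part of the original guide): apply the Step 4 settings
# through the Microsoft Graph adminConsentRequestPolicy resource, then verify.
# Assumptions: Microsoft.Graph PowerShell SDK installed; $reviewerGroupId is a
# placeholder for the object ID of your "Consent Request Reviewers" group.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConsentRequest"

$reviewerGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder

$policy = @{
    isEnabled             = $true   # "Users can request admin consent ..." = Yes
    notifyReviewers       = $true   # reviewers receive email notifications
    remindersEnabled      = $true   # reviewers receive expiration reminders
    requestDurationInDays = 30      # request expires after 30 days
    reviewers             = @(
        @{
            # Every transitive member of the reviewer group can act on requests
            query     = "/groups/$reviewerGroupId/transitiveMembers"
            queryType = "MicrosoftGraph"
        }
    )
}

Update-MgPolicyAdminConsentRequestPolicy -BodyParameter $policy

# Read the policy back and check it against the recommended configuration
$current = Get-MgPolicyAdminConsentRequestPolicy
$checks = [ordered]@{
    "Workflow enabled"         = $current.IsEnabled -eq $true
    "Reviewer notifications"   = $current.NotifyReviewers -eq $true
    "Expiration reminders"     = $current.RemindersEnabled -eq $true
    "Expiration is 30 days"    = $current.RequestDurationInDays -eq 30
    "At least one reviewer"    = @($current.Reviewers).Count -ge 1
}
foreach ($c in $checks.GetEnumerator()) {
    $state = if ($c.Value) { "PASS" } else { "FAIL" }
    Write-Host ("[{0}] {1}" -f $state, $c.Key)
}
```

The read-back loop doubles as an automated check for the Verification Checklist items on workflow, notifications, expiration and reviewers.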

Step 5: Set Up Consent Request Reviewers

Designate Primary Reviewers

Select individuals or groups with:

  • Understanding of application security
  • Authority to approve business applications
  • Availability to respond within SLA

Recommended Reviewer Structure

Role                  | Responsibility
----------------------|-------------------------
IT Security Analyst   | Evaluate permission risk
Application Manager   | Assess business need
Cloud Administrator   | Technical approval

Create a Reviewer Security Group

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Create security group for consent reviewers
$group = New-MgGroup -DisplayName "Consent Request Reviewers" `
    -Description "Members can review and approve admin consent requests" `
    -SecurityEnabled:$true `
    -MailEnabled:$false `
    -MailNickname "consent-reviewers"

Write-Host "Created group: $($group.Id)"

# Add members
$reviewerIds = @("user1-id", "user2-id", "user3-id")
foreach ($userId in $reviewerIds) {
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $userId
}

Step 6: Configure Notification Settings

Custom Email Notifications

  1. In Admin consent settings, reviewers receive automatic notifications
  2. Configure your email system so these notifications are not filtered as spam:
    • Sender: azure-noreply@microsoft.com
    • Subject contains: "Admin consent request"

Set Up Additional Alerts (Optional)

Create an Azure Logic App or Power Automate flow to:

  • Send Teams notifications for new requests
  • Create tickets in your ITSM system
  • Escalate overdue requests

Step 7: Document Your Consent Policy

Create a policy document covering:

Consent Request Process

  1. User attempts to access an application
  2. If admin consent required, user clicks "Request approval"
  3. User provides business justification
  4. Request submitted to reviewers via email
  5. Reviewers evaluate the request within SLA
  6. Request approved or denied with explanation

Evaluation Criteria for Reviewers

Criterion     | Approve If...                  | Deny If...
--------------|--------------------------------|----------------------------------
Publisher     | Verified Microsoft partner     | Unknown/unverified
Permissions   | Read-only, limited scope       | Write access, .All scope
Business need | Clear, documented need         | No justification provided
Alternatives  | No safer alternative exists    | Less privileged option available
Compliance    | Meets regulatory requirements  | Violates data policies

SLA Guidelines

  • Initial response: 1 business day
  • Final decision: 5 business days
  • Escalation: After 3 business days without response

Step 8: Review and Process Consent Requests

Accessing Pending Requests

  1. Navigate to Entra admin center → Identity → Applications
  2. Click Enterprise applications
  3. In the left menu, click Admin consent requests
  4. View pending requests

Evaluating a Request

For each request, review:

  1. Requester: Who made the request? Is this a legitimate user?
  2. Application: What app is requesting access?
  3. Publisher: Is the publisher verified?
  4. Permissions: What access is being requested?
  5. Justification: Why does the user need this app?
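When the queue grows, a triage pass helps reviewers apply the Permissions criterion from Step 7 consistently. The following is an added example, not code from the original guide or from TrueConfig; it lists pending requests with the Microsoft Graph PowerShell SDK and flags requested scopes that grant write access or carry a .All suffix. The flag is an aid for the reviewer, not a decision.

```powershell
# Added example (not part of the original guide): list in-progress admin consent
# requests and flag requested permissions that fail the "Permissions" row of the
# evaluation criteria (write access or a .All scope). Reviewers still approve or
# deny in the portal. Assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes "ConsentRequest.Read.All"

# Only app requests that still have at least one in-progress user request
$pending = Get-MgIdentityGovernanceAppConsentRequest `
    -Filter "userConsentRequests/any(u:u/status eq 'InProgress')" `
    -ExpandProperty "userConsentRequests" -All

function Test-HighRiskScope {
    param([string]$Scope)
    # Write/ReadWrite permissions and tenant-wide (.All) scopes need closer review
    return ($Scope -match '\.(Read)?Write' -or $Scope -match '\.All$')
}

foreach ($req in $pending) {
    $scopes = @($req.PendingScopes | ForEach-Object { $_.DisplayName })
    $risky  = @($scopes | Where-Object { Test-HighRiskScope $_ })
    $level  = if ($risky.Count -gt 0) { "REVIEW CLOSELY" } else { "low-risk scopes only" }

    Write-Host "`nApp: $($req.AppDisplayName) ($($req.AppId)) - $level"
    Write-Host "  Requested: $($scopes -join ', ')"
    if ($risky.Count -gt 0) { Write-Host "  Flagged:   $($risky -join ', ')" }

    # Show who asked and the business justification they supplied
    foreach ($u in $req.UserConsentRequests | Where-Object Status -eq 'InProgress') {
        Write-Host "  Requester: $($u.CreatedBy.User.DisplayName) on $($u.CreatedDateTime)"
        Write-Host "  Reason:    $($u.Reason)"
    }
}
```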

Approving a Request

  1. Click on the request to open details
  2. Click Review permissions and consent
  3. Review the permissions one more time
  4. If approved:
    • Select Accept to grant admin consent
    • The user will be notified via email
    • The app becomes available to all users (or you can restrict via assignment)

Denying a Request

  1. Click on the request
  2. Click Deny
  3. Provide a reason (visible to the requester)
  4. Suggest alternatives if available

Verification Checklist

After configuring the admin consent workflow:

  • User consent settings are configured appropriately
  • Low-risk permissions are classified
  • Admin consent workflow is enabled
  • At least 2 reviewers are assigned
  • Email notifications are enabled and tested
  • Request expiration is set (30 days recommended)
  • Consent policy is documented and published
  • Reviewers understand the evaluation criteria
  • Test request submitted and processed successfully
  • Escalation process is defined

Troubleshooting

Issue: Users don't see the "Request admin consent" option

Cause: The admin consent workflow is not enabled or the app doesn't support it.

Solution:

  1. Verify Admin consent settings → "Users can request admin consent" is Yes
  2. Some legacy apps may not support the consent flow
  3. Clear browser cache and retry
  4. Ensure the user is not a guest account

Issue: Reviewers not receiving email notifications

Cause: Emails may be filtered or the notification setting is disabled.

Solution:

  1. Verify "Selected users will receive email notifications" is Yes
  2. Check spam/junk folders for azure-noreply@microsoft.com
  3. Add sender to safe senders list
  4. Verify reviewer email addresses are correct

Issue: Cannot find pending consent requests

Cause: You may not have access or the requests may have expired.

Solution:

  1. Ensure you're a member of the designated reviewer group
  2. Check if requests have expired (default 30 days)
  3. Look in Admin consent requests → Expired tab
  4. Verify you have Application Administrator or Cloud Application Administrator role

Issue: Approved app still not accessible to users

Cause: App may require user assignment.

Solution:

  1. Open the application in Enterprise applications
  2. Go to Properties
  3. Check if Assignment required is Yes
  4. If yes, go to Users and groups and add the requesting user

Issue: Request shows "Could not consent"

Cause: The application may have issues or require additional configuration.

Solution:

  1. Check if the application is properly registered
  2. Verify the requested permissions are valid
  3. Check for any conditional access policies blocking the app
  4. Review audit logs for detailed error messages

Issue: Too many consent requests overwhelming reviewers

Cause: Users may be requesting the same apps repeatedly.

Solution:

  1. Identify frequently requested apps
  2. Consider proactively consenting to common business apps
  3. Create a catalog of pre-approved applications
  4. Publish guidance on approved app alternatives

Issue: Users bypass consent workflow with personal accounts

Cause: Users may use personal Microsoft accounts or third-party auth.

Solution:

  1. Implement Conditional Access to block unmanaged devices
  2. Enable Defender for Cloud Apps to monitor shadow IT
  3. Educate users on approved application channels
  4. Block personal Microsoft account sign-in where possible


Last updated: January 2025