APP-04: Enable Admin Consent Workflow
Overview
The admin consent workflow allows users to request access to applications that require administrator approval, rather than being blocked entirely or granted access without oversight. This creates a balance between user productivity and security governance. This guide walks you through configuring and managing the admin consent workflow in Microsoft Entra ID.
TrueConfig: TrueConfig can auto-configure the admin consent workflow settings with one click, enabling the workflow and applying the recommended configuration automatically.
Prerequisites
Required Roles
- Global Administrator - Full access to configure consent settings
- Cloud Application Administrator - Can configure consent settings and approve requests
- Application Administrator - Can configure consent settings and approve requests
Required Licenses
- Microsoft Entra ID (any tier)
Time Estimate
- Initial Configuration: 20-30 minutes
- Reviewer Setup: 10-15 minutes
- Policy Documentation: 30 minutes
Step-by-Step Instructions
Step 1: Understand Current Consent Settings
Before configuring the workflow, review your current consent posture:
- Navigate to Microsoft Entra admin center (https://entra.microsoft.com)
- Go to Identity → Applications → Enterprise applications
- Click Consent and permissions in the left menu
- Select User consent settings
Review the current settings:
- User consent for applications: Controls whether users can consent to apps
- Group owner consent: Controls consent for apps accessing group data
- Risk-based step-up consent: Blocks risky consent requests
Step 2: Configure User Consent Settings
Recommended Configuration
- In User consent settings, under User consent for applications, select Allow user consent for apps from verified publishers, for selected permissions
  - This allows low-risk consent while requiring admin approval for sensitive permissions
- Click Save
Alternative Configurations
| Setting | Use Case | Security Level |
|---|---|---|
| Do not allow user consent | High-security environments | Highest |
| Allow for verified publishers + selected permissions | Balanced approach | Recommended |
| Allow for verified publishers | Trust verified apps | Medium |
| Allow user consent for all apps | Development/testing only | Lowest |
Step 3: Define Low-Risk Permission Classifications
Specify which permissions users can consent to without admin approval:
- In Consent and permissions, click Permission classifications
- Click + Add permissions
- Select Microsoft Graph as the API
- Add these low-risk permissions to the "Low" classification:
  - openid - Sign in
  - profile - View basic profile
  - email - View email address
  - User.Read - Read user profile
  - offline_access - Maintain access
- Click Add selected permissions
Low-Risk Permissions to Consider
```text
# Authentication
openid
profile
email
offline_access

# Basic user data
User.Read
User.ReadBasic.All

# Calendar (read-only)
Calendars.Read
Calendars.Read.Shared

# Presence
Presence.Read
Presence.Read.All
```
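Steps 2 and 3 can also be applied with Microsoft Graph PowerShell (Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Applications modules); the following is an added example, not part of the original guide, and it assumes the well-known Microsoft Graph appId 00000003-0000-0000-c000-000000000000 and the five low-risk permissions listed in Step 3. Note that the "selected permissions" consent setting only takes effect for permissions that carry the "low" classification, so the two steps belong together.

```powershell
# Added example, not part of the original guide: applies the Step 2 consent
# setting and the Step 3 low-risk classifications with Microsoft Graph PowerShell.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.ReadWrite.PermissionGrant"

# Step 2: "Allow user consent for apps from verified publishers, for selected
# permissions" is the built-in grant policy microsoft-user-default-low. It only
# lets users consent to permissions that Step 3 classifies as "low".
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
}

# Step 3: the guide's low-risk delegated permissions, classified on the
# Microsoft Graph service principal (well-known Microsoft Graph appId below).
$lowRisk = @("openid", "profile", "email", "offline_access", "User.Read")
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'" |
    Select-Object -First 1
# Existing classifications, so the script is safe to re-run
$already = @(Get-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $graphSp.Id |
    ForEach-Object { $_.PermissionName })

foreach ($scope in $graphSp.Oauth2PermissionScopes) {
    if ($lowRisk -notcontains $scope.Value) { continue }
    if ($already -contains $scope.Value) {
        Write-Host "Already classified low: $($scope.Value)"
        continue
    }
    New-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $graphSp.Id `
        -PermissionId $scope.Id -PermissionName $scope.Value -Classification "low" | Out-Null
    Write-Host "Classified low: $($scope.Value)"
}

# Read the consent setting back so the change can be recorded in the policy document
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
```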
Step 4: Enable Admin Consent Workflow
- Navigate to Consent and permissions → Admin consent settings
- Set Users can request admin consent to apps they are unable to consent to to Yes
- Configure the workflow settings:
  - Select users to review admin consent requests:
    - Click + Add users or + Add groups
    - Add your designated consent reviewers (e.g., "IT Security Team")
    - Recommended: Add 2-3 reviewers to ensure coverage
  - Selected users will receive email notifications for requests: set to Yes
  - Selected users will receive request expiration reminders: set to Yes
  - Consent request expires after (days): set to 30 (adjust based on your SLA)
- Click Save
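The same Step 4 settings can be set and verified from Microsoft Graph PowerShell (Microsoft.Graph.Identity.SignIns module) via the tenant's adminConsentRequestPolicy. This is an added example, not part of the original guide; the reviewer user principal names are placeholders, and it registers individual user reviewers rather than a group.

```powershell
# Added example, not part of the original guide: enables the Step 4 workflow
# settings with Microsoft Graph PowerShell and verifies them against the checklist.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConsentRequest", "User.Read.All"

# Placeholder reviewer accounts; replace with your designated reviewers (2-3 people)
$reviewerUpns = @("reviewer1@contoso.example", "reviewer2@contoso.example")
$reviewers = @(foreach ($upn in $reviewerUpns) {
    $user = Get-MgUser -UserId $upn
    # Each reviewer is an accessReviewReviewerScope pointing at the user object
    @{ Query = "/users/$($user.Id)"; QueryType = "MicrosoftGraph" }
})

# IsEnabled = "Users can request admin consent to apps they are unable to consent to";
# the other parameters map to the notification, reminder and expiry settings in the portal
Update-MgPolicyAdminConsentRequestPolicy -IsEnabled:$true `
    -NotifyReviewers:$true `
    -RemindersEnabled:$true `
    -RequestDurationInDays 30 `
    -Reviewers $reviewers

# Verify: workflow on, notifications on, at least 2 reviewers, expiry set
$policy = Get-MgPolicyAdminConsentRequestPolicy
$problems = @()
if (-not $policy.IsEnabled)              { $problems += "workflow disabled" }
if (-not $policy.NotifyReviewers)        { $problems += "reviewer notifications off" }
if (@($policy.Reviewers).Count -lt 2)    { $problems += "fewer than 2 reviewers" }
if ($policy.RequestDurationInDays -lt 1) { $problems += "no expiry set" }
if ($problems) {
    Write-Warning ("Admin consent workflow: " + ($problems -join "; "))
} else {
    Write-Host "Admin consent workflow configured: $(@($policy.Reviewers).Count) reviewers, requests expire after $($policy.RequestDurationInDays) days"
}
```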
Step 5: Set Up Consent Request Reviewers
Designate Primary Reviewers
Select individuals or groups with:
- Understanding of application security
- Authority to approve business applications
- Availability to respond within SLA
Recommended Reviewer Structure
| Role | Responsibility |
|---|---|
| IT Security Analyst | Evaluate permission risk |
| Application Manager | Assess business need |
| Cloud Administrator | Technical approval |
Create a Reviewer Security Group
```powershell
# Connect to Microsoft Graph with the scope needed to create groups and add members
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Create a security group for consent reviewers
$group = New-MgGroup -DisplayName "Consent Request Reviewers" `
    -Description "Members can review and approve admin consent requests" `
    -SecurityEnabled:$true `
    -MailEnabled:$false `
    -MailNickname "consent-reviewers"
Write-Host "Created group: $($group.Id)"

# Add members (replace the placeholders with the reviewers' user object IDs)
$reviewerIds = @("user1-id", "user2-id", "user3-id")
foreach ($userId in $reviewerIds) {
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $userId
}
```
Step 6: Configure Notification Settings
Custom Email Notifications
- In Admin consent settings, reviewers receive automatic notifications
- Configure your email system to not filter these as spam:
  - Sender: azure-noreply@microsoft.com
  - Subject contains: "Admin consent request"
Set Up Additional Alerts (Optional)
Create an Azure Logic App or Power Automate flow to:
- Send Teams notifications for new requests
- Create tickets in your ITSM system
- Escalate overdue requests
Step 7: Document Your Consent Policy
Create a policy document covering:
Consent Request Process
- User attempts to access an application
- If admin consent required, user clicks "Request approval"
- User provides business justification
- Request submitted to reviewers via email
- Reviewers evaluate the request within SLA
- Request approved or denied with explanation
Evaluation Criteria for Reviewers
| Criterion | Approve If... | Deny If... |
|---|---|---|
| Publisher | Verified Microsoft partner | Unknown/unverified |
| Permissions | Read-only, limited scope | Write access, .All scope |
| Business need | Clear, documented need | No justification provided |
| Alternatives | No safer alternative exists | Less privileged option available |
| Compliance | Meets regulatory requirements | Violates data policies |
SLA Guidelines
- Initial response: 1 business day
- Final decision: 5 business days
- Escalation: After 3 business days without response
Step 8: Review and Process Consent Requests
Accessing Pending Requests
- Navigate to Entra admin center → Identity → Applications
- Click Enterprise applications
- In the left menu, click Admin consent requests
- View pending requests
Evaluating a Request
For each request, review:
- Requester: Who made the request? Is this a legitimate user?
- Application: What app is requesting access?
- Publisher: Is the publisher verified?
- Permissions: What access is being requested?
- Justification: Why does the user need this app?
Approving a Request
- Click on the request to open details
- Click Review permissions and consent
- Review the permissions one more time
- If approved:
- Select Accept to grant admin consent
- The user will be notified via email
- The app becomes available to all users (or you can restrict via assignment)
Denying a Request
- Click on the request
- Click Deny
- Provide a reason (visible to the requester)
- Suggest alternatives if available
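Pending requests can also be pulled out of the portal for triage against the Step 7 evaluation criteria and SLA. The following is an added example, not part of the original guide; it uses the Microsoft.Graph.Identity.Governance cmdlets for appConsentRequests and assumes the reviewer signs in with a reviewer or application-administrator account. It flags .All scopes, write access, missing justification and requests older than the 3-day escalation threshold (calendar days here, business days in the SLA table).

```powershell
# Added example, not part of the original guide: lists pending admin consent
# requests and flags the Step 7 "Deny if" signals so reviewers can triage within SLA.
Connect-MgGraph -Scopes "ConsentRequest.Read.All"

# Only app requests that still have at least one user request in progress
$appRequests = Get-MgIdentityGovernanceAppConsentRequest -All `
    -Filter "userConsentRequests/any (u:u/status eq 'InProgress')"

$report = foreach ($app in $appRequests) {
    $scopes = @($app.PendingScopes | ForEach-Object { $_.DisplayName })
    # Red flags taken from the evaluation criteria table (apply to every requester of this app)
    $appFlags = @()
    if ($scopes -match '\.All$')            { $appFlags += "tenant-wide (.All) scope" }
    if ($scopes -match '(ReadWrite|Write)') { $appFlags += "write access" }

    # Per-user requests for this app; keep only the ones still awaiting a decision
    $pending = Get-MgIdentityGovernanceAppConsentRequestUserConsentRequest `
        -AppConsentRequestId $app.Id | Where-Object { $_.Status -eq "InProgress" }

    foreach ($u in $pending) {
        $flags  = $appFlags
        $reason = $u.Reason
        if ([string]::IsNullOrWhiteSpace($reason)) { $flags += "no justification"; $reason = "<none>" }
        $ageDays = [int]((Get-Date) - $u.CreatedDateTime).TotalDays
        if ($ageDays -ge 3) { $flags += "older than 3 days: escalate" }
        [pscustomobject]@{
            App       = $app.AppDisplayName
            AppId     = $app.AppId
            Requester = $u.CreatedBy.User.DisplayName
            AgeDays   = $ageDays
            Scopes    = ($scopes -join ", ")
            Reason    = $reason
            Flags     = ($flags -join "; ")
        }
    }
}

# Oldest requests first, so SLA breaches are at the top of the reviewer's list
$report | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```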
Verification Checklist
After configuring the admin consent workflow:
- User consent settings are configured appropriately
- Low-risk permissions are classified
- Admin consent workflow is enabled
- At least 2 reviewers are assigned
- Email notifications are enabled and tested
- Request expiration is set (30 days recommended)
- Consent policy is documented and published
- Reviewers understand the evaluation criteria
- Test request submitted and processed successfully
- Escalation process is defined
Troubleshooting
Issue: Users don't see the "Request admin consent" option
Cause: The admin consent workflow is not enabled or the app doesn't support it.
Solution:
- Verify Admin consent settings → "Users can request admin consent" is Yes
- Some legacy apps may not support the consent flow
- Clear browser cache and retry
- Ensure the user is not a guest account
Issue: Reviewers not receiving email notifications
Cause: Emails may be filtered or the notification setting is disabled.
Solution:
- Verify "Selected users will receive email notifications" is Yes
- Check spam/junk folders for azure-noreply@microsoft.com
- Add sender to safe senders list
- Verify reviewer email addresses are correct
Issue: Cannot find pending consent requests
Cause: You may not have access or the requests may have expired.
Solution:
- Ensure you're a member of the designated reviewer group
- Check if requests have expired (default 30 days)
- Look in Admin consent requests → Expired tab
- Verify you have Application Administrator or Cloud Application Administrator role
Issue: Approved app still not accessible to users
Cause: App may require user assignment.
Solution:
- Open the application in Enterprise applications
- Go to Properties
- Check if Assignment required is Yes
- If yes, go to Users and groups and add the requesting user
Issue: Request shows "Could not consent"
Cause: The application may have issues or require additional configuration.
Solution:
- Check if the application is properly registered
- Verify the requested permissions are valid
- Check for any conditional access policies blocking the app
- Review audit logs for detailed error messages
Issue: Too many consent requests overwhelming reviewers
Cause: Users may be requesting the same apps repeatedly.
Solution:
- Identify frequently requested apps
- Consider proactively consenting to common business apps
- Create a catalog of pre-approved applications
- Publish guidance on approved app alternatives
Issue: Users bypass consent workflow with personal accounts
Cause: Users may use personal Microsoft accounts or third-party auth.
Solution:
- Implement Conditional Access to block unmanaged devices
- Enable Defender for Cloud Apps to monitor shadow IT
- Educate users on approved application channels
- Block personal Microsoft account sign-in where possible
Related Resources
- Configure admin consent workflow
- Configure user consent settings
- Permission classifications
- Review admin consent requests
Last updated: January 2025