Understanding Application Consent in Microsoft Entra ID
When connecting applications to Microsoft Entra ID, users or administrators must grant permission for those applications to access data. This process is called consent.
Understanding how consent works helps organizations manage application security while allowing tools and integrations to function properly.
This article explains the consent experience, permission flows, and common troubleshooting scenarios in Microsoft Entra ID.
What Is Application Consent?
Consent is the process where a user or administrator authorizes an application to access protected resources on their behalf.
For example, when connecting an application to Microsoft services such as:
Microsoft 365
Outlook
OneDrive
Teams
Azure APIs
The application must request permission before it can access the user’s data.
Consent ensures:
Users understand what data an app can access
Administrators can control access to company resources
Applications follow security and compliance policies
Who Can Grant Consent?
Consent can be granted by either:
👤 A User
Users can grant permission only for their own account, and only for permissions that tenant policy allows users to consent to; admin-restricted permissions always require an administrator.
🛡 An Administrator
Admins can grant permission for the entire organization (tenant).
This allows all users in the company to use the application without approving permissions individually.
Two Types of Consent Flows
Microsoft Entra ID supports two main consent flows.
1️⃣ User Consent Flow
In the user consent flow, the application requests permission directly from the user.
This means:
Consent applies only to the current user
The user must have permission to approve the request
The application cannot access other users’ data
Example:
A user connects a productivity app that needs access to their email or calendar.
2️⃣ Admin Consent Flow
In the admin consent flow, an administrator grants permission for the entire organization.
This is required when:
The app requests admin-restricted (high-privilege) permissions
The app requests application permissions, which run without a signed-in user and always need admin consent
The organization has turned off or limited user consent
The app needs access to tenant-wide data
Once admin consent is granted:
All users can use the application (unless the enterprise application is configured to require user assignment)
They won't see the consent screen for the granted permissions again; a prompt reappears only if the app later requests permissions beyond those granted
Access is managed centrally
What Users See in the Consent Prompt
When an application requests access, Microsoft displays a consent prompt so users can review what the application is requesting.
The prompt includes several elements designed to help users decide whether they trust the application.
Key Components of the Consent Prompt
| Component | Description |
| --- | --- |
| User identifier | Shows which account (user and tenant) the application will act on behalf of |
| Permission title | Indicates the type of consent being requested (user or admin) |
| App logo | Visual identifier of the requesting application |
| App name | Name of the application requesting access |
| Publisher verification | Shows whether the publisher's identity has been verified |
| Microsoft 365 Certification | Indicates the app has passed security and compliance validation |
| Permissions requested | List of the permissions (data and actions) the application wants |
| Permission description | Details explaining what each permission allows |
| App management link | Allows users to review and remove app access |
| Report link | Lets users report a suspicious application |
These details help users make informed security decisions before approving access.
Common Consent Scenarios
Depending on permissions and user roles, different consent experiences may occur.
Scenario 1: User Can Grant Permission
If the application requests permissions that are within the user’s authority, the user can approve access immediately.
Admins will also see an option to grant consent for the entire organization.
Scenario 2: User Cannot Grant Permission
If the application requests admin-restricted permissions, regular users cannot approve the request.
Instead, they will see a message asking them to:
👉 Request approval from an administrator
Organizations that enable the admin consent workflow let users submit that request from the prompt itself; an administrator then reviews it and approves or denies it in the admin center.
Scenario 3: Admin Consent Required
In some cases, users are sent straight to the admin consent flow, for example when the application directs them to the admin consent endpoint or requests application permissions.
Only administrators can approve access.
If a non-admin user attempts access, they will be blocked and asked to contact their administrator.
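The two flows above (user consent, and being sent straight to admin consent as in Scenario 3) are triggered by which Microsoft Entra ID endpoint the application sends the user to. The following is an added example, not code from the original article: it builds the authorization request that produces the user consent prompt and the request for the tenant-wide admin consent endpoint. The tenant name, client ID and redirect URI are placeholders, and the `query` helper exists only to inspect the result.

```python
"""
Build the two Microsoft Entra ID consent URLs an application can send a user to.
Added example (not from the article). Tenant, client_id and redirect_uri are
placeholder values.
"""
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com"


def user_consent_url(tenant, client_id, redirect_uri, scopes, state, force_prompt=False):
    """Authorization-code request that triggers the user consent flow.

    Entra ID prompts only for scopes not yet consented to (by this user, or by
    an admin for the whole tenant). prompt=consent forces the prompt anyway,
    which is handy when checking how the prompt renders for a given app.
    `state` must be validated on the redirect back (CSRF protection).
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    if force_prompt:
        params["prompt"] = "consent"
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def admin_consent_url(tenant, client_id, redirect_uri, state, scopes=None):
    """Admin consent endpoint: sends the caller straight to the tenant-wide
    consent experience (Scenario 3). A non-admin is blocked here.

    Without `scope`, Entra ID consents to the static permissions configured on
    the app registration; with `scope`, to the listed permissions (a
    resource/.default scope means "everything static for that resource").
    """
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    if scopes:
        params["scope"] = " ".join(scopes)
    return f"{AUTHORITY}/{tenant}/v2.0/adminconsent?{urlencode(params)}"


def query(url):
    """Inspection helper: the URL's query string as a single-valued dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


if __name__ == "__main__":
    tenant = "contoso.onmicrosoft.com"                    # placeholder
    client_id = "00000000-0000-0000-0000-000000000000"    # placeholder
    redirect = "https://localhost/callback"               # placeholder
    print(user_consent_url(tenant, client_id, redirect,
                           ["openid", "User.Read", "Mail.Read"], "s1"))
    print(admin_consent_url(tenant, client_id, redirect, "s2",
                            ["https://graph.microsoft.com/.default"]))
```

A practical test of a tenant's consent policy is to send a non-admin test user to the first URL with `prompt=consent`: if user consent is restricted, the user sees the "request approval" message instead of the approve button.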
Admin Consent via Microsoft Entra Admin Center
Administrators can also grant consent directly from the Microsoft Entra admin center.
This is done through either of these paths:
App registrations → API permissions → Grant admin consent for <tenant> (for apps registered in the tenant)
Enterprise applications → Permissions → Grant admin consent (for any service principal in the tenant, including third-party apps)
When admins grant consent this way:
Users no longer need to consent individually (subject to the enterprise application's user assignment setting)
The consent prompt no longer appears
Permissions are centrally controlled
This is commonly used for enterprise applications and integrations.
Common Consent Issues and How to Fix Them
❌ 403 Error
A 403 from the resource API (for example Microsoft Graph) usually means the access token presented does not carry the permission the call needs: the request authenticated, but is not authorized.
Check:
Whether the required API permission was added to the app registration and consented (by the user, or by an admin if it is admin-restricted)
Whether the token actually includes that permission: delegated permissions appear in the scp claim, application permissions in the roles claim, and the aud claim must match the API being called
Whether the token was issued before consent was granted; a cached token does not gain new permissions, so acquire a fresh one
Whether the signed-in user's own role on the resource allows the operation, since consent never grants a user more than they could already do
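When chasing a 403, the fastest check is to look at the token itself. The following is an added example, not code from the original article: it decodes the payload of an access token, reads the scp and roles claims, and reports why a call needing a given permission would be refused. The sample token is constructed inline with a fake signature so the example runs offline; nothing here verifies a signature, so it is for inspection only, and the audience value `https://graph.microsoft.com` is an assumption about the API being called.

```python
"""
Inspect an access token's permission claims when a resource API returns 403.
Added example (not from the article). The sample token is constructed with a
fake signature and is NOT validated; use a real JWT library with the tenant's
signing keys for any authorization decision.
"""
import base64
import json


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token):
    """Return the payload claims of a compact JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims):
    """Permissions the token carries.

    Delegated permissions (user consent, or admin consent on behalf of users)
    are in the space-separated `scp` claim; application permissions (always
    admin-consented, no signed-in user) are in the `roles` array.
    """
    scp = set(claims.get("scp", "").split())
    roles = set(claims.get("roles", []))
    return scp | roles


def diagnose_403(token, required, resource_audience):
    """List reasons a call that needs `required` permissions would be refused.

    An empty list means the token looks sufficient, so the 403 is coming from
    elsewhere (the user's own role on the resource, or a policy on the API).
    """
    claims = decode_claims(token)
    findings = []
    if claims.get("aud") != resource_audience:
        findings.append(f"token audience is {claims.get('aud')!r}, "
                        f"not the resource {resource_audience!r}")
    missing = set(required) - granted_permissions(claims)
    if missing:
        findings.append("token lacks permission(s): " + ", ".join(sorted(missing))
                        + " (not consented, or token issued before consent)")
    return findings


def make_unsigned_token(claims):
    """Constructed sample token. Real Entra ID tokens are RS256-signed."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.fakesig"


# Constructed sample: a delegated token with User.Read but no Mail.Read.
SAMPLE_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",   # assumed audience for Microsoft Graph
    "scp": "User.Read openid profile",
    "oid": "user-alice",                    # placeholder object ID
})

if __name__ == "__main__":
    for finding in diagnose_403(SAMPLE_TOKEN, ["Mail.Read"], "https://graph.microsoft.com"):
        print("-", finding)
```

If the token is missing a permission that the admin center shows as granted, the token was almost certainly acquired (and cached) before the grant; clearing the token cache and signing in again fixes it.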
❌ User Cannot Grant Consent
This can happen if:
User consent is disabled by tenant policy
The app requests admin-restricted permissions
Solution:
👉 Ask an administrator to approve the application.
❌ User Still Blocked After Admin Consent
Possible causes:
Static permissions listed in the app registration were not all granted
The app dynamically requests scopes beyond what the administrator approved
The enterprise application is set to require user assignment and the user is not assigned
Administrators should verify the application configuration and permission scope.
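The causes above can be checked against the tenant's consent records rather than by trial and error. The following is an added example, not code from the original article: it models the fields of an Entra ID oauth2PermissionGrant (consentType, principalId, scope) on constructed sample data, works out which delegated permissions a given user effectively has for an app, and reports the gap against what the app is requesting, together with the user-assignment check. The service principal IDs and user IDs are placeholders, and nothing here calls Microsoft Graph.

```python
"""
Compute a user's effective delegated permissions for an app from consent
grants, and explain why they might still be blocked after admin consent.
Added example (not from the article); sample data is constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PermissionGrant:
    """Subset of an Entra ID oauth2PermissionGrant record."""
    client_id: str                # service principal of the consenting app
    resource_id: str              # service principal of the API (e.g. Microsoft Graph)
    consent_type: str             # "AllPrincipals" (admin, tenant-wide) or "Principal" (one user)
    principal_id: Optional[str]   # user object ID for Principal grants, None otherwise
    scope: str                    # space-separated delegated permissions


def effective_scopes(grants, client_id, resource_id, user_id):
    """Union of tenant-wide grants and this user's own grants for one app/API pair."""
    scopes = set()
    for g in grants:
        if g.client_id != client_id or g.resource_id != resource_id:
            continue
        tenant_wide = g.consent_type == "AllPrincipals"
        own = g.consent_type == "Principal" and g.principal_id == user_id
        if tenant_wide or own:
            scopes.update(g.scope.split())
    return scopes


def consent_gap(grants, client_id, resource_id, user_id, requested,
                assignment_required=False, assigned_users=()):
    """Return (missing_scopes, blocked_by_assignment) for a user.

    missing_scopes covers "dynamic permissions exceed approved scope";
    blocked_by_assignment covers "the application requires user assignment".
    """
    missing = set(requested) - effective_scopes(grants, client_id, resource_id, user_id)
    blocked = bool(assignment_required) and user_id not in set(assigned_users)
    return missing, blocked


# Constructed sample data (placeholder IDs).
APP_SP = "sp-productivity-app"
GRAPH_SP = "sp-microsoft-graph"
SAMPLE_GRANTS = [
    # Admin consented User.Read for everyone...
    PermissionGrant(APP_SP, GRAPH_SP, "AllPrincipals", None, "openid profile User.Read"),
    # ...and Alice personally consented Mail.Read for herself.
    PermissionGrant(APP_SP, GRAPH_SP, "Principal", "user-alice", "Mail.Read"),
    # An unrelated app's grant must not leak into the result.
    PermissionGrant("sp-other-app", GRAPH_SP, "AllPrincipals", None, "Mail.ReadWrite"),
]

if __name__ == "__main__":
    wanted = ["User.Read", "Mail.Read"]
    for user in ("user-alice", "user-bob"):
        missing, blocked = consent_gap(SAMPLE_GRANTS, APP_SP, GRAPH_SP, user, wanted,
                                       assignment_required=True,
                                       assigned_users=["user-alice"])
        print(user, "missing:", sorted(missing), "blocked by assignment:", blocked)
```

Bob ends up missing Mail.Read because only Alice's Principal grant covers it; the admin's AllPrincipals grant stops at User.Read. That is exactly the "dynamic permissions exceed approved scope" case, and the fix is either an AllPrincipals grant for the extra scope or letting Bob consent himself if policy allows.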
Security Best Practices for Application Consent
Organizations should follow these practices when managing application permissions.
✔ Allow only trusted applications
✔ Use least privilege permissions whenever possible
✔ Require admin approval for sensitive permissions
✔ Regularly review connected applications
✔ Remove unused applications from access lists
Users can review applications with access to their data at:
Final Thoughts
The Microsoft Entra consent experience provides a secure way to manage how applications access organizational data.
By controlling consent policies and understanding permission flows, organizations can:
Protect sensitive data
Maintain compliance
Enable safe integrations with external applications
Proper consent management ensures that applications only access the data they truly need — and nothing more.