User and Admin Consent Configuration
User and Admin Consent Configuration is a critical aspect of managing workload identities in Microsoft Entra ID (formerly Azure AD). It governs how applications gain access to organizational resources and data by defining the approval process for permissions requested by applications.

**User Consent** allows end users to grant permissions to applications on their own behalf. Administrators can configure user consent settings to control whether users can consent to apps independently. Options include: disabling user consent entirely, allowing consent only for apps from verified publishers with selected low-risk permissions, or allowing consent for all apps. Organizations can restrict user consent to minimize the risk of malicious applications gaining unauthorized access to data.

**Admin Consent** requires an administrator to approve permissions on behalf of the entire organization. This is essential for applications requesting high-privilege permissions, such as accessing all users' mailboxes or modifying directory data. Admin consent ensures that sensitive permissions are reviewed and approved by authorized personnel before being granted.

**Admin Consent Workflow** enables users to request admin approval when they encounter an application requiring permissions they cannot consent to themselves. Administrators can review, approve, or deny these requests through the Azure portal. This workflow balances security with usability by giving users a structured path to request access.

**Configuration Options** include:
- **Permission Classifications**: Administrators can classify permissions as low-risk, allowing users to consent to these without admin involvement.
- **Consent Policies**: Custom policies can be created to define specific conditions under which consent is permitted.
- **Verified Publishers**: Organizations can restrict user consent to applications from verified publishers only, reducing exposure to malicious apps.

Proper configuration of consent settings is fundamental to Zero Trust security principles, ensuring that applications receive only the minimum necessary permissions while maintaining productivity. Administrators should regularly review granted permissions and revoke unnecessary consents to maintain a strong security posture across all workload identities.
User and Admin Consent Configuration – SC-300 Exam Guide
Why Is User and Admin Consent Configuration Important?
In Microsoft Entra ID (Azure AD), applications often request permissions to access organizational data such as user profiles, emails, calendars, and more. Without proper consent controls, users might inadvertently grant malicious or overly permissive applications access to sensitive corporate data. User and admin consent configuration is a critical security control that determines who can approve application permission requests and under what conditions. Misconfigured consent settings are one of the most common vectors for illicit consent grant attacks, making this topic essential for identity administrators and a key area tested on the SC-300 exam.
What Is User and Admin Consent Configuration?
Consent configuration in Microsoft Entra ID governs how applications are granted permissions to access resources on behalf of users or the organization. There are two primary types of consent:
1. User Consent
User consent allows individual users to grant permissions to applications on their own behalf. For example, a user might consent to allow a third-party app to read their profile information. The scope of user consent can be configured with these options:
- Do not allow user consent: Users cannot grant any permissions to applications. All consent requests must go through an admin.
- Allow user consent for apps from verified publishers, for selected permissions: Users can only consent to apps published by verified publishers and only for permissions classified as "low impact" (permissions you define in a permission classification policy).
- Allow user consent for all apps: Users can consent to any application requesting any delegated permission. This is the least secure option and is generally not recommended.
2. Admin Consent
Admin consent is required when an application requests high-privilege permissions (such as application permissions or certain delegated permissions) or when user consent has been restricted. Admin consent is granted on behalf of the entire organization. Key concepts include:
- Admin Consent Workflow: When enabled, users who cannot consent themselves can request admin approval. Designated reviewers receive notifications and can approve or deny the request from the Microsoft Entra admin center.
- Tenant-wide admin consent: A Global Administrator, Cloud Application Administrator, or Application Administrator can grant consent on behalf of all users in the tenant.
- Application permissions vs. Delegated permissions: Application permissions (app-only access) almost always require admin consent. Delegated permissions may or may not require admin consent depending on their classification.
How Does It Work?
Step 1 – Configure User Consent Settings
Navigate to Microsoft Entra admin center → Identity → Applications → Enterprise applications → Consent and permissions → User consent settings. Here you select one of the three user consent options described above.
Step 2 – Configure Permission Classifications
If you chose to allow user consent for verified publishers with selected permissions, you must define which permissions are considered "low impact." Go to Consent and permissions → Permission classifications and add the specific delegated permissions you want users to be able to consent to on their own (e.g., openid, profile, email, User.Read, offline_access).
Step 3 – Enable the Admin Consent Workflow
Navigate to Enterprise applications → Consent and permissions → Admin consent settings. Enable the admin consent workflow by setting "Users can request admin consent to apps they are unable to consent to" to Yes. Then configure:
- Reviewers: Select specific users, groups, or roles who will review consent requests (e.g., Global Administrators or Cloud Application Administrators).
- Email notifications: Enable notifications so reviewers are alerted when new requests arrive.
- Reminder notifications: Enable reminders for pending requests.
- Consent request expiration: Set how long a request remains valid before it expires (in days).
Step 4 – Reviewing and Granting Admin Consent
When a user requests consent, the designated reviewers can go to Enterprise applications → Admin consent requests to review the request. They can see the permissions requested, the publisher verification status, and then approve or deny the request. Approving grants tenant-wide consent for the requested permissions.
Step 5 – Granting Tenant-Wide Admin Consent Directly
Admins can also proactively grant consent for an application by navigating to Enterprise applications → [Select the app] → Permissions → Grant admin consent for [tenant name]. This is useful when deploying line-of-business apps across the organization.
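The five steps above are described as admin center clicks; the same settings are exposed through Microsoft Graph and can be scripted. The block below is an added example, not part of the exam guide, using the Microsoft Graph PowerShell SDK to perform Steps 1, 2, 3 and 5 (Step 4, approving a pending request, stays with the reviewers). The Microsoft Graph appId and the permission grant policy IDs are well-known values; the reviewer user ID and the line-of-business app's service principal ID are placeholders you must replace. Because these are tenant-wide settings, run it against a test tenant first.

```powershell
# Added example (not from the exam guide): configure consent settings with the
# Microsoft Graph PowerShell SDK. GUIDs marked "placeholder" are constructed values.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConsentRequest", `
                        "Policy.ReadWrite.PermissionGrant", "Application.ReadWrite.All", `
                        "DelegatedPermissionGrant.ReadWrite.All"

# Step 1 - user consent setting. The three portal options map to the permission
# grant policies assigned to the default user role:
#   Do not allow user consent                    -> @()
#   Verified publishers, selected permissions    -> microsoft-user-default-low
#   Allow user consent for all apps              -> microsoft-user-default-legacy
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
}

# Step 2 - classify the low-impact delegated Microsoft Graph permissions named in
# the guide so users may self-consent to them under the setting above.
# 00000003-0000-0000-c000-000000000000 is Microsoft Graph's well-known appId.
$graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
foreach ($name in @("openid", "profile", "email", "User.Read", "offline_access")) {
    $scope = $graph.Oauth2PermissionScopes | Where-Object { $_.Value -eq $name }
    New-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $graph.Id `
        -PermissionId $scope.Id -PermissionName $scope.Value -Classification "low"
}

# Step 3 - enable the admin consent workflow: one reviewer, e-mail and reminder
# notifications, requests expire after 30 days.
$reviewerId = "00000000-0000-0000-0000-000000000000"   # placeholder: reviewer's user object ID
Update-MgPolicyAdminConsentRequestPolicy -BodyParameter @{
    isEnabled             = $true
    notifyReviewers       = $true
    remindersEnabled      = $true
    requestDurationInDays = 30
    reviewers             = @(@{ query = "/users/$reviewerId"; queryType = "MicrosoftGraph" })
}

# Step 5 - grant tenant-wide delegated consent directly for a line-of-business
# app. ConsentType "AllPrincipals" is what "Grant admin consent for <tenant>" creates.
$clientSpId = "11111111-1111-1111-1111-111111111111"   # placeholder: LOB app's service principal object ID
New-MgOauth2PermissionGrant -ClientId $clientSpId -ConsentType "AllPrincipals" `
    -ResourceId $graph.Id -Scope "openid profile User.Read"
```

The classification loop only adds delegated permissions, matching the rule in the guide that application permissions cannot be classified and always need admin consent. Swapping the policy ID in Step 1 for an empty array gives the "Do not allow user consent" posture, which is the option to pair with the workflow in Step 3 when the tenant wants every grant reviewed.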
Key Concepts to Remember
- Verified Publishers: Microsoft's verified publisher program confirms the identity of the app publisher. Restricting user consent to verified publishers significantly reduces the risk of illicit consent grant attacks.
- Permission Classifications: Only delegated permissions can be classified. Application permissions always require admin consent.
- Illicit Consent Grant Attack: An attack where a malicious app tricks users into granting it broad permissions. Restricting user consent is the primary defense.
- Service Principals: When consent is granted to an application, a service principal is created (or updated) in the tenant representing that app's identity and its permissions.
- Conditional Access and Consent: You cannot directly apply Conditional Access to the consent process itself, but you can control access to the applications after consent is granted.
- Roles Required: To configure consent settings, you need Global Administrator or Privileged Role Administrator. To grant admin consent, you need Global Administrator, Cloud Application Administrator, or Application Administrator (though Application Administrator cannot consent to permissions requiring Global Admin, such as some Microsoft Graph application permissions).
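Because every consent creates or updates a service principal with its permissions attached, the review and revocation the guide recommends can be done by enumerating those objects. The block below is an added example, not part of the exam guide, that lists tenant-wide (AllPrincipals) delegated grants and flags the ones carrying broad scopes, then lists application-permission assignments on Microsoft Graph, which always required admin consent. The list of scopes treated as "broad" is my own choice for illustration; the revoke cmdlets at the end are commented out and take IDs from the listings.

```powershell
# Added example (not from the exam guide): audit existing consents so broad or
# stale grants can be reviewed and revoked. Read-only apart from the commented revokes.
Connect-MgGraph -Scopes "Application.Read.All", "DelegatedPermissionGrant.ReadWrite.All", `
                        "AppRoleAssignment.ReadWrite.All"

# Delegated scopes that deserve a second look when granted for all users.
# Constructed review list; extend it to match your own risk model.
$broadScopes = @("Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
                 "Directory.ReadWrite.All", "Directory.AccessAsUser.All")

# Resolve service principal IDs to display names once, not per grant.
$spCache = @{}
function Get-SpName([string]$id) {
    if (-not $spCache.ContainsKey($id)) {
        $spCache[$id] = (Get-MgServicePrincipal -ServicePrincipalId $id).DisplayName
    }
    $spCache[$id]
}

# A) Tenant-wide delegated grants: one admin decision that applies to every user.
$grants = Get-MgOauth2PermissionGrant -All | Where-Object { $_.ConsentType -eq "AllPrincipals" }
$delegatedRows = foreach ($g in $grants) {
    $scopes  = $g.Scope -split " " | Where-Object { $_ }
    $flagged = $scopes | Where-Object { $broadScopes -contains $_ }
    [pscustomobject]@{
        GrantId  = $g.Id
        Client   = Get-SpName $g.ClientId
        Resource = Get-SpName $g.ResourceId
        Scopes   = $scopes -join ","
        Review   = [bool]$flagged
    }
}
$delegatedRows | Sort-Object Review -Descending | Format-Table -AutoSize

# B) Application (app-only) permissions on Microsoft Graph. AppRoleId is a GUID, so
# map it back to the readable permission name through the resource's AppRoles.
$graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleNames = @{}
foreach ($r in $graph.AppRoles) { $roleNames[[string]$r.Id] = $r.Value }
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graph.Id -All |
    ForEach-Object {
        [pscustomobject]@{
            AssignmentId = $_.Id
            App          = $_.PrincipalDisplayName
            Permission   = $roleNames[[string]$_.AppRoleId]
        }
    } | Format-Table -AutoSize

# Revoke after review (replace the placeholders with IDs from listings A and B):
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId "<grant id from listing A>"
# Remove-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graph.Id `
#     -AppRoleAssignmentId "<assignment id from listing B>"
```

Listing A covers only AllPrincipals grants; dropping that filter also shows per-user grants made under the user consent setting, which is where an illicit consent grant usually lands and is worth a periodic look as well.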
Exam Tips: Answering Questions on User and Admin Consent Configuration
1. Know the three user consent options: Exam questions frequently present scenarios where you must choose the correct consent setting to balance security and usability. If the question emphasizes security, "Do not allow user consent" or "Allow for verified publishers only" are likely correct. If the question emphasizes user productivity with acceptable risk, verified publishers with selected permissions is the balanced choice.
2. Understand permission classifications: If a question mentions allowing users to consent only to specific low-risk permissions, the answer involves configuring permission classifications under Consent and permissions.
3. Admin consent workflow is key: Many questions test whether you know how to enable and configure the admin consent workflow. Remember that you must specify reviewers and that users see a message directing them to request approval when they cannot consent themselves.
4. Distinguish delegated vs. application permissions: Application permissions always require admin consent. Delegated permissions may or may not, depending on the permission and tenant configuration. This distinction appears frequently on the exam.
5. Verified publisher status matters: If a question asks about reducing the risk of illicit consent grants while still allowing some user self-service, the answer is to restrict consent to verified publishers with permission classifications.
6. Know which roles can do what: Global Administrator can do everything. Cloud Application Administrator and Application Administrator can grant admin consent but cannot modify tenant-wide consent settings (that requires Global Admin or Privileged Role Administrator). Questions may test role-based access for consent scenarios.
7. Watch for "least privilege" questions: The exam loves least-privilege scenarios. If asked which role should grant admin consent, prefer Cloud Application Administrator over Global Administrator when either would work.
8. Remember the admin center navigation path: Questions may describe a scenario and ask where to configure the setting. Remember: Enterprise applications → Consent and permissions is the central location for all consent configuration.
9. Scenario-based questions: You may see scenarios like "Users report they cannot sign in to a third-party app" — the likely cause is that user consent is disabled and admin consent has not been granted. The solution is either to grant admin consent or enable the admin consent workflow.
10. Group consent and Teams apps: Be aware that group owner consent (allowing group owners to consent to apps accessing group data) is a separate setting. If a question involves Teams or group-based apps, this setting may be relevant.
By mastering these concepts, you will be well-prepared to handle any SC-300 exam question related to user and admin consent configuration. Focus on understanding when each type of consent is needed, how to configure the settings, and which roles are required to perform each action.