Consent and Permissions

Applications can ask users for permissions to access their data. For example, for basic sign-in. If allowed, a normal user can grant consent only for "Low Impact" permissions. In all other cases, admin consent is required.

Admin consent

The following roles can consent medium- high level impact (whole tenant) permissions:

  • Global administrator

  • Application administrator

  • Cloud application administrator

  • Custom role including "permission to grant permission to applications"

User consent

By default, all users in the tenant can consent to any app to access the organization's data:

One very interesting permission is User.ReadBasic.All That allows the app to read display name, first and second name, email, open extension and photo for all the users.

This is also a recommendation to tenants that have the default option set: Only consent from verified publishers or do not allow users to consent at all

Application Registration and Enterprise application

When we create/register a new application with a secret, redirect uri ETC. It's called a "application" but when a user consents to this application, a new "enterprise application" is created automatically with the same name as the application. This is called a service principal.

A service principal is the part can can be used, role assignment, permissions, etc.

Also, conditional access can be implemented on enterprise applications/service principals.

PreviousEntra ID - Authentication with OAuth and API'sNextService Discovery, Recon, Enumeration and Initial Access Attacks

Last updated