# Consent and Permissions

Applications can ask users for permission to access their data, for example to sign them in and read their basic profile. If user consent is allowed in the tenant, a normal user can only grant consent for "**Low Impact**" permissions. Anything above that requires admin consent.

<div align="left"><figure><img src="/files/8zNgPonFr46eGpaBveY3" alt="" width="188"><figcaption></figcaption></figure></div>

### Admin consent

The following roles can grant admin consent for medium and high impact permissions (consent on behalf of the whole tenant):

* Global administrator
* Application administrator
* Cloud application administrator
* A custom role that includes the permission to grant consent to applications on behalf of the organization

### User consent

By default, all users in the tenant can consent to any app that asks for access to the organization's data on their behalf:

<figure><img src="/files/w4plhijxgxkRMImV06yZ" alt=""><figcaption></figcaption></figure>

One very interesting permission is `User.ReadBasic.All`. It does not require admin consent, yet it lets the app read the display name, given name, surname, email address, open extensions and photo of every user in the tenant, which makes a single user's consent enough to enumerate the whole directory.

{% hint style="info" %}
For tenants that still have the default setting, the recommendation is to restrict user consent: either only allow consent to apps from verified publishers (for selected low impact permissions), or do not allow users to consent at all and have admins approve apps instead.
{% endhint %}
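Consent records are exposed in Microsoft Graph as `oauth2PermissionGrants`: `consentType` is `AllPrincipals` for admin consent and `Principal` for a single user's consent, and `scope` is a space-separated list of the delegated permissions granted. The script below is an added example (not part of the original notes) that classifies such grants by impact and lists apps that a regular user consented to with tenant-wide scopes like `User.ReadBasic.All`; it also builds the user-consent and admin-consent URLs the two paths go through. The Graph response, the service-principal names and the impact buckets (`LOW_IMPACT_SCOPES`, the `.All`/`ReadWrite` rule) are constructed assumptions for the example, not Microsoft's official permission classification.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

# Constructed sample of what GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants
# returns, trimmed to the fields used here. All object ids are made up.
SAMPLE_GRANTS = {
    "value": [
        {"clientId": "sp-111", "consentType": "Principal", "principalId": "user-aaa",
         "resourceId": "graph-000", "scope": "openid profile User.Read"},
        {"clientId": "sp-222", "consentType": "Principal", "principalId": "user-bbb",
         "resourceId": "graph-000", "scope": "User.ReadBasic.All Mail.Read"},
        {"clientId": "sp-333", "consentType": "AllPrincipals", "principalId": None,
         "resourceId": "graph-000", "scope": "Directory.ReadWrite.All"},
    ]
}

# Constructed map from service-principal object id to display name
# (in practice: GET /servicePrincipals/{id}?$select=displayName).
SAMPLE_SP_NAMES = {"sp-111": "Contoso Intranet",
                   "sp-222": "Free PDF Converter",
                   "sp-333": "HR Sync"}

# Assumption: scopes that only touch the signed-in user's own data are "low impact".
LOW_IMPACT_SCOPES = {"openid", "profile", "email", "offline_access", "User.Read"}


@dataclass
class Grant:
    app_name: str
    admin_consent: bool            # True when consentType == "AllPrincipals"
    principal_id: Optional[str]    # the consenting user for user consent, None for admin consent
    scopes: list


def classify_scope(scope: str) -> str:
    """Rough impact bucket for a delegated scope (assumed rule, not Microsoft's classification):
    low = self-only scopes, high = anything tenant-wide (.All) or writing (ReadWrite), else medium."""
    if scope in LOW_IMPACT_SCOPES:
        return "low"
    if scope.endswith(".All") or "ReadWrite" in scope:
        return "high"
    return "medium"


def parse_grants(response: dict, sp_names: dict) -> list:
    """Turn a Graph oauth2PermissionGrants response into Grant records."""
    grants = []
    for item in response.get("value", []):
        grants.append(Grant(
            app_name=sp_names.get(item["clientId"], item["clientId"]),
            admin_consent=item["consentType"] == "AllPrincipals",
            principal_id=item.get("principalId"),
            scopes=item["scope"].split(),
        ))
    return grants


def max_impact(grant: Grant) -> str:
    """Highest impact bucket among the grant's scopes (empty scope list counts as low)."""
    order = {"low": 0, "medium": 1, "high": 2}
    return max((classify_scope(s) for s in grant.scopes), key=order.__getitem__, default="low")


def user_consented_high_impact(grants: list) -> list:
    """Apps that a single user (not an admin) consented to and that hold a high-impact scope."""
    return sorted({g.app_name for g in grants if not g.admin_consent and max_impact(g) == "high"})


def build_consent_url(tenant: str, client_id: str, redirect_uri: str, scopes: list, admin: bool = False) -> str:
    """User consent is requested through the /authorize endpoint with prompt=consent;
    admin consent for the whole tenant goes through the /v2.0/adminconsent endpoint."""
    base = f"https://login.microsoftonline.com/{tenant}"
    if admin:
        params = {"client_id": client_id, "redirect_uri": redirect_uri,
                  "scope": " ".join(scopes), "state": "consent-audit"}
        return f"{base}/v2.0/adminconsent?{urlencode(params)}"
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "prompt": "consent"}
    return f"{base}/oauth2/v2.0/authorize?{urlencode(params)}"


if __name__ == "__main__":
    grants = parse_grants(SAMPLE_GRANTS, SAMPLE_SP_NAMES)
    for g in grants:
        kind = "admin" if g.admin_consent else f"user {g.principal_id}"
        print(f"{g.app_name:20} {kind:16} impact={max_impact(g):6} scopes={' '.join(g.scopes)}")
    print("user-consented apps with tenant-wide scopes:", user_consented_high_impact(grants))
    print(build_consent_url("contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000000",
                            "https://localhost/callback", ["User.ReadBasic.All"], admin=True))
```

Run against a real tenant by replacing `SAMPLE_GRANTS` with the paginated output of `GET /oauth2PermissionGrants` (requires `DelegatedPermissionGrant.ReadWrite.All` or directory read rights) and resolving `clientId` values through `/servicePrincipals`. Any app that shows up as user-consented with a `.All` scope is worth a closer look, since it was never reviewed by an admin.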

### Application Registration and Enterprise application

When we create/register a new application (client ID, secret, redirect URI, etc.), the resulting object is called an "application" (app registration). When a user **consents** to that application, an "enterprise application" with the same name is created automatically in the tenant. This enterprise application object is the **service principal**.

{% hint style="success" %}
The service principal is the object that is actually used inside the tenant: role assignments, permission grants (consent) and sign-ins are tied to it, not to the app registration.
{% endhint %}

Conditional access policies are likewise scoped to enterprise applications/service principals, not to app registrations.
