# Consent and Permissions

Applications can ask users for permissions to access their data (for example, the basic permissions needed for sign-in). Depending on the tenant's user consent setting, a normal user may be allowed to grant consent only for permissions the tenant has classified as "**Low Impact**"; in all other cases, admin consent is required.

<div align="left"><figure><img src="https://3347686964-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu7zwkkeRzjx9PZGhfY9D%2Fuploads%2FL8sHp5h76tGwrJ0ZeNob%2Fimage.png?alt=media&#x26;token=890f1127-5097-4356-8eed-b0b1cb0ded5a" alt="" width="188"><figcaption></figcaption></figure></div>

### Admin consent

The following roles can grant admin consent, i.e. consent on behalf of the whole tenant, for medium- and high-impact permissions:

* Global administrator
* Application administrator
* Cloud application administrator
* A custom role that includes the permission to grant permissions to applications (`microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-company-admin`)

### User consent

By default, all users in the tenant can consent to any app that asks for access to the organization's data on their behalf (the user consent setting shown below):

<figure><img src="https://3347686964-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu7zwkkeRzjx9PZGhfY9D%2Fuploads%2F3m6aOqpEalkEjQBJ37EH%2Fimage.png?alt=media&#x26;token=63a76abb-e9ff-44f1-bda3-9615d8f255ed" alt=""><figcaption></figcaption></figure>

One particularly interesting delegated permission is `User.ReadBasic.All`: it lets the app read the display name, first and last name, email address, open extensions and photo of every user in the tenant, which is enough to enumerate the directory.

{% hint style="info" %}
For tenants still on that default setting, the recommendation is to restrict user consent to apps from verified publishers (for a selected set of low-impact permissions) or to disable user consent altogether, so that every other request goes through admin consent.
{% endhint %}
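The consent grants described above are visible in Microsoft Graph as `oauth2PermissionGrant` objects, so auditing which users consented to which apps, and with which scopes, is a routine check after a consent-phishing incident or before tightening the user consent setting. The script below is an added example and is not part of the original page. It assumes the JSON shape of `GET /v1.0/oauth2PermissionGrants` and `GET /v1.0/servicePrincipals` (`consentType` is `AllPrincipals` for tenant-wide admin consent or `Principal` for a single user's consent, and `scope` is a space-separated list of delegated permissions), the `LOW_IMPACT` set is the tenant's own classification (a common choice, not a Microsoft-mandated list), and both JSON documents are constructed sample data, not a real tenant.

```python
"""Audit Microsoft Graph oauth2PermissionGrant records for risky consent.

Added example (not from the original page). Assumptions:
- JSON shapes match GET /v1.0/oauth2PermissionGrants and GET /v1.0/servicePrincipals
- LOW_IMPACT is the tenant's configured low-impact classification (assumed values)
- all sample data below is constructed for this example
"""
import json
from dataclasses import dataclass
from typing import List, Optional

# Assumed tenant classification of "Low Impact" delegated permissions.
LOW_IMPACT = {"openid", "profile", "email", "offline_access", "User.Read"}

# Constructed sample: GET /servicePrincipals?$select=id,displayName,verifiedPublisher
SERVICE_PRINCIPALS_JSON = """{
  "value": [
    {"id": "sp-contoso-hr", "displayName": "Contoso HR Portal",
     "verifiedPublisher": {"displayName": "Contoso Ltd", "verifiedPublisherId": "1000001"}},
    {"id": "sp-pdf-viewer", "displayName": "Free PDF Viewer",
     "verifiedPublisher": {"displayName": null, "verifiedPublisherId": null}},
    {"id": "sp-graph", "displayName": "Microsoft Graph",
     "verifiedPublisher": {"displayName": "Microsoft", "verifiedPublisherId": "1000002"}}
  ]
}"""

# Constructed sample: GET /oauth2PermissionGrants
GRANTS_JSON = """{
  "value": [
    {"id": "g1", "clientId": "sp-contoso-hr", "consentType": "AllPrincipals", "principalId": null,
     "resourceId": "sp-graph", "scope": "User.Read User.ReadBasic.All"},
    {"id": "g2", "clientId": "sp-pdf-viewer", "consentType": "Principal", "principalId": "user-alice",
     "resourceId": "sp-graph", "scope": "openid profile User.Read Mail.Read Files.Read.All"},
    {"id": "g3", "clientId": "sp-contoso-hr", "consentType": "Principal", "principalId": "user-bob",
     "resourceId": "sp-graph", "scope": "openid profile User.Read"}
  ]
}"""


@dataclass
class Finding:
    grant_id: str
    app: str
    consent_type: str          # "AllPrincipals" (admin, tenant-wide) or "Principal" (one user)
    principal: Optional[str]   # consenting user for "Principal" grants, None otherwise
    high_impact_scopes: List[str]
    reasons: List[str]


def load_service_principals(sps_json: str) -> dict:
    """Map service principal id -> (displayName, has_verified_publisher)."""
    out = {}
    for sp in json.loads(sps_json)["value"]:
        vp = sp.get("verifiedPublisher") or {}
        # Graph returns the verifiedPublisher object with null fields when unverified.
        out[sp["id"]] = (sp.get("displayName") or sp["id"], bool(vp.get("verifiedPublisherId")))
    return out


def audit_grants(grants_json: str, sps_json: str, low_impact=LOW_IMPACT) -> List[Finding]:
    """Return one Finding per grant that deserves review; clean grants are skipped."""
    sps = load_service_principals(sps_json)
    findings = []
    for g in json.loads(grants_json)["value"]:
        app_name, verified = sps.get(g["clientId"], (g["clientId"], False))
        scopes = set(g.get("scope", "").split())
        high = sorted(scopes - low_impact)
        reasons = []
        if g["consentType"] == "Principal" and high:
            # A plain user was able to grant non-low-impact scopes: the user consent
            # setting is permissive (the "allow all" default), or the policy was bypassed.
            reasons.append("user consent granted scopes outside the low-impact set")
        if g["consentType"] == "AllPrincipals" and high:
            # Admin consent applies to every user in the tenant; confirm it was intended.
            reasons.append("tenant-wide admin consent covers non-low-impact scopes")
        if not verified:
            reasons.append("client app has no verified publisher")
        if reasons:
            findings.append(Finding(g["id"], app_name, g["consentType"],
                                    g.get("principalId"), high, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_grants(GRANTS_JSON, SERVICE_PRINCIPALS_JSON):
        who = f.principal or "ALL USERS"
        print(f"{f.grant_id} {f.app!r} consent={f.consent_type} by={who} "
              f"high={f.high_impact_scopes} reasons={f.reasons}")
```

In the constructed data, `g3` (a verified app, low-impact scopes only) produces no finding, `g1` is flagged once for the tenant-wide `User.ReadBasic.All` grant, and `g2` is flagged twice: a single user granted `Mail.Read` and `Files.Read.All` to an app with no verified publisher, which is exactly the pattern a consent-phishing app leaves behind. Against a real tenant, replace the two JSON constants with the paged responses of the two Graph calls (both require read access to service principals and permission grants).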

### Application Registration and Enterprise application

When you create/register a new application (with a client secret, redirect URI, etc.) it is called an "application" (app registration). When a user **consents** to this application, a new "enterprise application" with the same name is created automatically in the tenant. That enterprise application object is the **service principal**: the app registration is the definition of the app, and the service principal is its instance in a given tenant.

{% hint style="success" %}
The service principal is the object that things are actually attached to: role assignments, permission grants, owners, sign-in activity, etc.
{% endhint %}

Conditional Access policies are likewise scoped to enterprise applications (service principals), not to app registrations.
