Azure AD Enterprise Applications
Chad Cox edited this page Apr 6, 2022
Click here to open Enterprise App User Settings blade
- Users can add gallery apps to My Apps: No Recommendation
- Users can request admin consent to apps they are unable to consent to: Yes (No for Secure environments)
- Who can review admin consent requests:
  - Users
  - Groups <-- Recommended
  - Roles
The Application Administrator, Cloud Application Administrator or Global Administrator role is required to grant admin consent. More than likely you will want to create a group of the users allowed to consent and select that group here.
- Selected users will receive email notifications for requests: Yes
- Selected users will receive request expiration reminders: Yes
- Consent request expires after (days): 15
- Users can only see Office 365 apps in the Office 365 portal: No Recommendation
Click here to open the User consent settings blade
- Recommended: Do not allow user consent. An administrator will be required to consent for all apps.
- At Minimum: Allow user consent for apps from verified publishers, for selected permissions
- Recommended: Do not allow group owner consent
- Low
OpenID Connect (OIDC) permissions Graph Permission Reference: Click Here
How to grant consent for a Single User instead of the entire org: Grant consent on behalf of a single user by using PowerShell
Configure risk-based step-up consent using PowerShell
- In PowerShell, using the AzureADPreview module:

```powershell
$consentSettingsTemplateId = "dffd5d46-495d-40a9-8e21-954ff55e198a" # Consent Policy Settings
# Look for an existing directory setting built from the consent policy template
$settings = Get-AzureADDirectorySetting -All $true | Where-Object { $_.TemplateId -eq $consentSettingsTemplateId }
if (-not $settings) {
    # None exists yet: create one from the template so its values can be populated
    $template = Get-AzureADDirectorySettingTemplate -Id $consentSettingsTemplateId
    $settings = $template.CreateDirectorySetting()
}
# Read the value that controls risk-based step-up consent
$riskBasedConsentEnabledValue = $settings.Values | Where-Object { $_.Name -eq "BlockUserConsentForRiskyApps" }
```
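As an added example (not a script from this page or from Microsoft), the following AzureADPreview snippet audits a tenant against the user consent, group owner consent, admin consent request and risk-based consent recommendations listed on this page. It assumes `Connect-AzureAD` has already been run, that the user consent setting is read from `PermissionGrantPolicyIdsAssignedToDefaultUserRole` on the tenant authorization policy, and that group owner consent and admin consent requests are the `EnableGroupSpecificConsent` and `EnableAdminConsentRequests` values of the same Consent Policy Settings template used above.

```powershell
# Added example (not from the original page): audit the consent settings this page
# recommends. Assumes the AzureADPreview module is installed and Connect-AzureAD
# has already been run with an account that can read tenant settings.

$consentSettingsTemplateId = "dffd5d46-495d-40a9-8e21-954ff55e198a"  # Consent Policy Settings

# Values this page recommends in the Consent Policy Settings directory setting.
# EnableAdminConsentRequests: the page says Yes, but No for secure environments.
$expected = @{
    "EnableGroupSpecificConsent"   = "False"  # Do not allow group owner consent
    "BlockUserConsentForRiskyApps" = "True"   # Risk-based step-up consent
    "EnableAdminConsentRequests"   = "True"   # Users can request admin consent
}

function Get-ConsentSettingDrift {
    $drift = @()

    # 1. User consent is controlled by the tenant authorization policy. An empty list
    #    is "Do not allow user consent"; the "...-default-low" policy is the page's
    #    "at minimum" option (verified publishers, selected permissions).
    $policy = Get-AzureADMSAuthorizationPolicy
    $userConsent = @($policy.PermissionGrantPolicyIdsAssignedToDefaultUserRole)
    $minimum = "managePermissionGrantsForSelf.microsoft-user-default-low"
    if ($userConsent.Count -gt 1 -or ($userConsent.Count -eq 1 -and $userConsent[0] -ne $minimum)) {
        $drift += "User consent allows '$($userConsent -join ', ')' (recommended: none)"
    }

    # 2. Group owner consent, risk-based consent and admin consent requests live in
    #    the directory setting built from the consent policy template. If the tenant
    #    has no such object yet, CreateDirectorySetting() yields the template defaults.
    $settings = Get-AzureADDirectorySetting -All $true |
        Where-Object { $_.TemplateId -eq $consentSettingsTemplateId }
    if (-not $settings) {
        $template = Get-AzureADDirectorySettingTemplate -Id $consentSettingsTemplateId
        $settings = $template.CreateDirectorySetting()
    }
    foreach ($name in $expected.Keys) {
        $actual = ($settings.Values | Where-Object { $_.Name -eq $name }).Value
        if ($actual -ne $expected[$name]) {
            $drift += "$name is '$actual' (recommended: $($expected[$name]))"
        }
    }
    return $drift
}

$drift = @(Get-ConsentSettingDrift)
if ($drift.Count -eq 0) { "Consent settings match the recommendations on this page." }
else { "Drift found:"; $drift | ForEach-Object { " - $_" } }
```

The script only reads settings; remediation is left to the portal blades linked above or to the write-side cmdlets so that changes go through your normal change control.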