Lab 21: Grant tenant-wide admin consent to an application

Login type = Microsoft 365 admin

Lab scenario

For applications your organization has developed or for those that are registered directly in your Microsoft Entra tenant, you can grant tenant-wide admin consent from App registrations in the Azure portal.

Estimated time: 15 minutes

Exercise 1 - Admin Consent

Task 1 - Grant admin consent in App registrations

Warning - Granting tenant-wide admin consent to an application will grant the app and the app’s publisher access to your organization’s data. Carefully review the permissions the application is requesting before granting consent.

The Global Administrator role is required in order to provide admin consent for application permissions to the Microsoft Graph API.

  1. Sign in to Microsoft Entra admin center at https://entra.microsoft.com as your Global Administrator.

    Note: You may be prompted to complete Multi-Factor Authentication (MFA) during sign-in. Follow the prompts to configure or verify your authentication method before continuing.

  2. In the left navigation menu, go to Entra ID, select App registrations, select All applications tab, then select the Demo app you created in the previous exercise.

  3. On the Demo app page, locate and copy and save each Application (client) ID and Directory (tenant) ID values so that you can use them later.

    Note: Demo app is created in the previous labs. Please complete these labs before this lab.

    Screen image displaying the Demo app page with the directory ID highlighted

  4. In the left navigation, under Manage, select API permissions.

  5. Under Configured permissions, select Grant admin consent.

    Screen image displaying the API permission page with Grant admin consent for Contoso highlighted

  6. Review the dialogue box, and then select Yes.

    Warning - Granting tenant-wide admin consent through App registrations will revoke any permissions that had previously been granted tenant-wide. Permissions previously granted by users on their own behalf will not be affected.

Task 2 - Grant admin consent in Enterprise apps

You can grant tenant-wide admin consent through Enterprise applications if the application has already been provisioned in your tenant.

  1. Browse to Microsoft Entra admin center.

  2. In the left navigation menu, under Entra ID, select Enterprise apps.

  3. From the list of Enterprise applications pick the Demo app that we registered earlier.

  4. On the Demo app page, in the left navigation, under Security, select Permissions.

  5. Under Permissions, select Grant admin consent.

    Screen image displaying the Demo app permissions page with Grant admin consent for Contoso highlighted

    Warning - Granting tenant-wide admin consent through App registrations will revoke any permissions that had previously been granted tenant-wide. Permissions previously granted by users on their own behalf will not be affected.

  6. When prompted, sign in using your Global Administrator account.

  7. In the Permissions requested dialog box, review the information and then select Accept.

Exercise summary

In this exercise, you granted tenant-wide admin consent to an application. This exercise showed how administrators can pre-approve permissions on behalf of all users.