Lab 21: Grant tenant-wide admin consent to an application

Login type = Microsoft 365 admin

Lab scenario

For applications your organization has developed or for those that are registered directly in your Microsoft Entra tenant, you can grant tenant-wide admin consent from App registrations in the Azure portal.

Estimated time: 15 minutes

Warning - Granting tenant-wide admin consent to an application will grant the app and the app’s publisher access to your organization’s data. Carefully review the permissions the application is requesting before granting consent.

The Global Administrator role is required in order to provide admin consent for application permissions to the Microsoft Graph API.

  1. In a previous exercise, you created an app named Demo app. If necessary, in Microsoft Entra admin center, browse to Identity, Applications, then select App registrations, and then select Demo app.

  2. On the Demo app page, locate and copy and save each Application (client) ID and Directory (tenant) ID values so that you can use them later.

    Note - Demo app is created in the previous labs. Please complete these labs before this lab.

    Screen image displaying the Demo app page with the directory ID highlighted

  3. In the left navigation, under Manage, select API permissions.

  4. Under Configured permissions, select Grant admin consent.

    Screen image displaying the API permission page with Grant admin consent for Contoso highlighted

  5. Review the dialogue box, and then select Yes.

    Warning - Granting tenant-wide admin consent through App registrations will revoke any permissions that had previously been granted tenant-wide. Permissions previously granted by users on their own behalf will not be affected.

You can grant tenant-wide admin consent through Enterprise applications if the application has already been provisioned in your tenant.

  1. In Microsoft Entra admin center, browse to Identity and Applications.

  2. From the menu open Enterprise applications.

  3. From the list of Enterprise applications pick the Demo app that we registered earlier.

  4. On the Demo app page, in the left navigation, under Security, select Permissions.

  5. Under Permissions, select Grant admin consent.

    Screen image displaying the Demo app permissions page with Grant admin consent for Contoso highlighted

    Warning - Granting tenant-wide admin consent through App registrations will revoke any permissions that had previously been granted tenant-wide. Permissions previously granted by users on their own behalf will not be affected.

  6. When prompted, sign in using your Global Administrator account.

  7. In the Permissions requested dialog box, review the information and then select Accept.