How to manage user consent to applications in Microsoft 365?
When a Microsoft 365 user signs in to an Azure AD application, the application may request permissions that govern its access to resources. These permission grants fall into two types, user consent and admin consent:
- User consent: An OAuth 2.0 permission grant in which an individual user allows an application to access that user's own Microsoft 365 data, such as email, files, or calendar entries.
- Admin consent: An OAuth 2.0 permission grant provided by an administrator that allows an application to access resources on behalf of the entire organization. Unlike user consent, it grants organization-wide access rather than access to a single user's data.
To revoke admin consent for an application in the Microsoft Entra admin center:
- Go to Enterprise applications » All applications » select the respective application.
- Click Permissions to see the list of permissions granted for your organization.
- Open the ellipsis (...) next to the desired permission and click Revoke Permission.
While the Entra admin center allows for the revocation of admin grants, it does not provide a method to revoke individual user consents directly from the Azure AD application. To revoke all permissions of a user across all service principals, use the following cmdlet in MS Graph PowerShell, specifying the user's ObjectID.
Connect-MgGraph -Scopes "DelegatedPermissionGrant.ReadWrite.All"
# A user normally holds one grant per application, so retrieve all of them (-All pages past the default 100 results)
$Grants = Get-MgOauth2PermissionGrant -Filter "principalId eq '<UserObjectID>'" -All
# Remove-MgOauth2PermissionGrant accepts a single grant ID, not an array, so delete each grant in turn
foreach ($Grant in $Grants) { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $Grant.Id }
Replace <UserObjectID> with the actual object ID of the user.
Note: To prevent illicit consent grant attacks in Microsoft 365, where a malicious actor registers an Azure application and tricks users into granting it permissions, block user consent to applications in Microsoft 365.
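The following script is an added example, not AdminDroid's code, that shows how to find user-consented grants with high-privilege scopes across the whole tenant and how to block further user consent through the authorization policy. The $WatchScopes list and the Get-SpName helper are assumptions for this example; it relies on the Microsoft.Graph PowerShell cmdlets used above.

```powershell
# Added example (not AdminDroid's code): audit delegated grants tenant-wide, flag
# user-consented grants with sensitive scopes, then block further user consent.
Connect-MgGraph -Scopes "Directory.Read.All", "DelegatedPermissionGrant.ReadWrite.All", "Policy.ReadWrite.Authorization"

# Assumed watch list of scopes that matter in consent-phishing investigations; adjust to taste
$WatchScopes = @("Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
                 "Contacts.Read", "MailboxSettings.ReadWrite", "offline_access")

# Cache service principal display names so each application is looked up only once
$SpNames = @{}
function Get-SpName([string]$SpId) {
    if (-not $SpNames.ContainsKey($SpId)) {
        $SpNames[$SpId] = (Get-MgServicePrincipal -ServicePrincipalId $SpId).DisplayName
    }
    return $SpNames[$SpId]
}

# consentType "Principal" = one user consented; "AllPrincipals" = an admin consented for the tenant
$Findings = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $Grant  = $_
    $Scopes = $Grant.Scope -split " " | Where-Object { $_ }     # Scope is a space-separated string
    $Hits   = $Scopes | Where-Object { $WatchScopes -contains $_ }
    if ($Grant.ConsentType -eq "Principal" -and $Hits) {
        [pscustomobject]@{
            GrantId     = $Grant.Id
            Application = Get-SpName $Grant.ClientId
            UserId      = $Grant.PrincipalId
            RiskyScopes = ($Hits -join ", ")
        }
    }
}
$Findings | Format-Table -AutoSize

# Remediation: revoke a reviewed grant by its ID (uncomment after confirming the GrantId from the table)
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId "<GrantId>"

# Prevention: remove all permission grant policies from the default user role so end users
# can no longer consent to applications; admin consent is unaffected
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }
```

Run the audit first and review the table before revoking anything, since a listed grant may be a legitimate line-of-business application a user consented to.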
AdminDroid has a dedicated report that consolidates all users' application consents into a single view.
- The Consent to Applications Report simplifies tracking consents across your organization by clearly showing both admin and user permissions granted to each application, all consolidated together.
Tip: Because attackers use many different patterns to steal sensitive data, always follow the essential steps to configure and manage app permissions in Microsoft 365.