The admin consent workflow in Azure Active Directory allows you to review and control which apps your employees access with their work identity. It allows you to block access to apps completely, or until you have reviewed the requirement and the risk, which gives you the opportunity to make an informed decision before allowing the use of these apps.
Note: If you aren’t yet familiar with Azure Admin Consent, check out our article here.
Here are the top 5 tips we recommend to ensure your Azure Admin Consent is successfully implemented:
1. Removing Consent
After approval, or prior to enabling the consent process:
- Navigate to AAD, Enterprise Applications, locate and open the application
- Click on Permissions under Security
- Click Review Permissions
- Select an option and copy the PowerShell content; make sure you understand the script before processing the request.
“This application is malicious and I’m compromised” will generate 3 scripts allowing you to remove all users from an application, remove admin consent and revoke refresh tokens.
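The following is an added example, not the article's text and not the script the portal generates. It does in Microsoft Graph PowerShell what the three portal scripts do: remove every user and group assignment, delete the admin consent and user consent grants, strip application permissions, and revoke refresh tokens for the affected users. It assumes the Microsoft.Graph module is installed (Install-Module Microsoft.Graph) and that the signed-in administrator can consent to the scopes requested. The function name, parameter name and the app name in the usage lines are assumptions of mine.

```powershell
# Added example (not from the article or the portal). Graph PowerShell equivalent of the
# "This application is malicious and I'm compromised" clean-up. Function/parameter names are my own.
function Remove-CompromisedAppAccess {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [string] $AppDisplayName
    )

    Connect-MgGraph -Scopes 'Application.ReadWrite.All',
                            'DelegatedPermissionGrant.ReadWrite.All',
                            'AppRoleAssignment.ReadWrite.All',
                            'User.ReadWrite.All' | Out-Null

    # Escape single quotes for the OData filter, then insist on exactly one match.
    $safeName = $AppDisplayName -replace "'", "''"
    $sp = @(Get-MgServicePrincipal -Filter "displayName eq '$safeName'")
    if ($sp.Count -ne 1) {
        throw "Expected exactly one service principal named '$AppDisplayName', found $($sp.Count)."
    }
    $sp = $sp[0]

    # Users whose tokens must be revoked: anyone assigned to the app or who consented to it.
    $affectedUsers = [System.Collections.Generic.HashSet[string]]::new()

    # Script 1 equivalent: remove every user and group assigned to the application.
    foreach ($a in Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All) {
        if ($a.PrincipalType -eq 'User') { [void] $affectedUsers.Add($a.PrincipalId) }
        if ($PSCmdlet.ShouldProcess($a.PrincipalDisplayName, 'Remove assignment to app')) {
            Remove-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -AppRoleAssignmentId $a.Id
        }
    }

    # Script 2 equivalent: delete delegated permission grants. ConsentType 'AllPrincipals'
    # is admin consent on behalf of every user; 'Principal' is one user's own consent.
    foreach ($g in Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All) {
        if ($g.ConsentType -eq 'Principal') { [void] $affectedUsers.Add($g.PrincipalId) }
        if ($PSCmdlet.ShouldProcess("$($g.ConsentType) grant: $($g.Scope)", 'Delete permission grant')) {
            Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
        }
    }

    # Also strip application (app-only) permissions; these work without any signed-in user.
    foreach ($r in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        if ($PSCmdlet.ShouldProcess("application permission $($r.AppRoleId)", 'Remove app role assignment')) {
            Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $r.Id
        }
    }

    # Script 3 equivalent: revoke refresh tokens so tokens the app already holds stop renewing.
    # Access tokens already issued stay valid until they expire (typically up to an hour).
    foreach ($userId in $affectedUsers) {
        if ($PSCmdlet.ShouldProcess($userId, 'Revoke sign-in sessions')) {
            Revoke-MgUserSignInSession -UserId $userId | Out-Null
        }
    }
}

# Rehearse with -WhatIf first; the real run prompts before each high-impact change.
# Remove-CompromisedAppAccess -AppDisplayName 'Contoso Expense Helper' -WhatIf
# Remove-CompromisedAppAccess -AppDisplayName 'Contoso Expense Helper'
```

Run it with -WhatIf before the real thing and keep the output as an incident record: it lists exactly which assignments, grants and users were touched, which is what the portal's one-click scripts do not leave behind.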
2. Which user(s) have consented to an application?
- Navigate to AAD, Enterprise Applications, locate and open the application
- Click on Permissions under Security
- Click User Consent
- Next to each permission, click the blue “x total user(s)” button to see a list of users.
3. What permissions does the application have?
- Navigate to AAD, Enterprise Applications, locate and open the application
- Click on Permissions under Security
- Check both Admin Consent and User Consent for the list of permissions
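As an added example (not from the article), the script below produces the same information as the Admin Consent and User Consent tabs in tip 3, and the “x total user(s)” list behind each permission in tip 2, as PowerShell objects you can filter, sort or export for a review. It assumes the Microsoft.Graph module is installed; the function name, the report's property names and the app and permission names in the usage lines are assumptions of mine.

```powershell
# Added example (not from the article). Lists every delegated and application permission an
# enterprise app holds, and who granted it. Function and property names are my own.
function Get-AppConsentReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string] $AppDisplayName
    )

    Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All', 'User.Read.All' | Out-Null

    $safeName = $AppDisplayName -replace "'", "''"
    $sp = @(Get-MgServicePrincipal -Filter "displayName eq '$safeName'")
    if ($sp.Count -ne 1) {
        throw "Expected exactly one service principal named '$AppDisplayName', found $($sp.Count)."
    }
    $sp = $sp[0]

    # Cache the API (resource) service principals, e.g. Microsoft Graph, so each is fetched once.
    $resources = @{}
    function Resolve-Resource([string] $id) {
        if (-not $resources.ContainsKey($id)) {
            $resources[$id] = Get-MgServicePrincipal -ServicePrincipalId $id
        }
        return $resources[$id]
    }

    # Delegated permissions: one grant per (client app, resource, consent type, user).
    # The Scope property is a space-separated list of permission names.
    foreach ($g in Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All) {
        $resource = Resolve-Resource $g.ResourceId
        $grantedTo = if ($g.ConsentType -eq 'AllPrincipals') {
            'Admin consent (all users)'
        } else {
            # A user who consented and was later deleted still leaves a grant behind.
            try { (Get-MgUser -UserId $g.PrincipalId -Property UserPrincipalName).UserPrincipalName }
            catch { "<unresolved user $($g.PrincipalId)>" }
        }
        foreach ($perm in (([string] $g.Scope).Trim() -split '\s+')) {
            if ($perm) {
                [pscustomobject] @{
                    Type       = 'Delegated'
                    Resource   = $resource.DisplayName
                    Permission = $perm
                    GrantedTo  = $grantedTo
                }
            }
        }
    }

    # Application permissions: app role assignments the app holds on a resource. The role is
    # stored as a GUID, so resolve it to its name (e.g. Mail.Read) via the resource's AppRoles.
    foreach ($r in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        $resource = Resolve-Resource $r.ResourceId
        $role = $resource.AppRoles | Where-Object { $_.Id -eq $r.AppRoleId }
        [pscustomobject] @{
            Type       = 'Application'
            Resource   = $resource.DisplayName
            Permission = if ($role) { $role.Value } else { $r.AppRoleId }
            GrantedTo  = 'Admin consent (app-only, no user)'
        }
    }
}

# Full permission list, as on the Admin Consent / User Consent tabs:
# Get-AppConsentReport -AppDisplayName 'Contoso Expense Helper' | Sort-Object Type, Permission | Format-Table -AutoSize
#
# Who personally consented to one permission (the "x total user(s)" view):
# Get-AppConsentReport -AppDisplayName 'Contoso Expense Helper' |
#     Where-Object { $_.Type -eq 'Delegated' -and $_.Permission -eq 'Mail.Read' -and $_.GrantedTo -notlike 'Admin consent*' }
```

Application permissions deserve a separate look in the output: they are granted by an admin only, never by a user, and they keep working with no user signed in, so a review that only checks the User Consent tab misses them.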
4. Can I limit sign-ins to Users and Groups?
Yes – since admin consent enables access for all users, it is important to decide who you want to allow access to the application.
- Navigate to Azure Active Directory > All Applications, search for and select the target application
- Navigate to Users and Groups, and add the groups and users you want to allow access to the application
- Navigate to Properties
- Change “User assignment required?” to Yes
- Click Save
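The same steps as a script, added here as an example and not taken from the article: it assigns a group to the application and switches “User assignment required?” to Yes so that only assigned users and groups can sign in. It assumes the Microsoft.Graph module is installed and that the group already exists; the function, parameter, app and group names are assumptions of mine.

```powershell
# Added example (not from the article). Assigns a group to an enterprise app and turns on
# "User assignment required?". Function, parameter, app and group names are my own.
function Limit-AppSignInToGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $AppDisplayName,
        [Parameter(Mandatory = $true)] [string] $GroupDisplayName
    )

    Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'Group.Read.All' | Out-Null

    $safeApp = $AppDisplayName -replace "'", "''"
    $sp = @(Get-MgServicePrincipal -Filter "displayName eq '$safeApp'")
    if ($sp.Count -ne 1) { throw "Expected exactly one service principal named '$AppDisplayName', found $($sp.Count)." }
    $sp = $sp[0]

    $safeGroup = $GroupDisplayName -replace "'", "''"
    $group = @(Get-MgGroup -Filter "displayName eq '$safeGroup'")
    if ($group.Count -ne 1) { throw "Expected exactly one group named '$GroupDisplayName', found $($group.Count)." }
    $group = $group[0]

    # If the app defines its own roles, take the first enabled one open to users/groups;
    # otherwise the all-zero GUID is the built-in "default access" role the portal assigns.
    $role = $sp.AppRoles |
        Where-Object { $_.IsEnabled -and ($_.AllowedMemberTypes -contains 'User') } |
        Select-Object -First 1
    $roleId = if ($role) { $role.Id } else { '00000000-0000-0000-0000-000000000000' }

    # Graph rejects a duplicate assignment, so check for an existing one first.
    $existing = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
        Where-Object { $_.PrincipalId -eq $group.Id -and $_.AppRoleId -eq $roleId }
    if (-not $existing -and $PSCmdlet.ShouldProcess($group.DisplayName, "Assign to '$($sp.DisplayName)'")) {
        New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
            -PrincipalId $group.Id -ResourceId $sp.Id -AppRoleId $roleId | Out-Null
    }

    # "User assignment required?" = Yes. Until this is set, the assignment above does not
    # block anyone: every user in the tenant can still sign in to the app.
    if ($PSCmdlet.ShouldProcess($sp.DisplayName, 'Set AppRoleAssignmentRequired = true')) {
        Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true
    }
}

# Limit-AppSignInToGroup -AppDisplayName 'Contoso Expense Helper' -GroupDisplayName 'SG-Finance-Expense-Users'
```

Two caveats when you rely on group assignment: assigning groups (rather than individual users) to an application needs an Azure AD Premium licence, and the assignment applies to the group's direct members only, so members of a nested group will be refused sign-in.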
5. What about LinkedIn?
Setting “Users can consent to apps accessing company data on their behalf” to No does not prevent users from logging into LinkedIn with their work account. This can be managed from Azure Active Directory > User Settings > LinkedIn account connections.
Keep in mind that some Microsoft resources are also made available via LinkedIn.
Need help?
Mobile Mentor has a team of certified and experienced Microsoft engineers who can help you set up the Azure Admin Consent workflow for your business. Feel free to contact us.