Granting tenant-wide admin consent is one of the most sensitive operations in Microsoft Entra ID. When an administrator grants tenant-wide consent, the application is allowed to access organizational data on behalf of all users, without requiring each user to individually approve permissions.
From an exam and security perspective, this unit is about understanding who can grant consent, how consent is granted, what actually changes behind the scenes, and why this operation is considered high risk.
What is tenant-wide admin consent
Tenant-wide admin consent allows an administrator to approve the permissions requested by an application for the entire tenant. Once consent is granted:
Users are no longer prompted to approve permissions.
The application can immediately request tokens with the approved scopes.
The permissions apply to all current and future users in the tenant.
⚠️ Security impact: Granting tenant-wide consent also grants the application’s publisher access to organizational data within the bounds of the approved permissions.
Who can grant tenant-wide admin consent
To grant tenant-wide admin consent, the user must be authorized to consent on behalf of the organization.
Global Administrator.
Privileged Role Administrator.
Any custom directory role that includes permission to grant app consent.
If a user does not hold one of these roles, the admin consent operation will fail.
Important warning before granting consent
Warning Granting tenant-wide admin consent is a high-privilege action. Always review the permissions requested by the application carefully. Once consent is granted, the app gains access to organizational data within the scope of those permissions.
This warning is explicitly tested in scenario-based questions.
Grant tenant-wide admin consent via App registrations (Exercise)
For applications developed by your organization or registered directly in your tenant, tenant-wide admin consent can be granted through App registrations.
Step-by-step: Grant admin consent using App registrations
Sign in to the Microsoft Entra admin center using an authorized admin account.
Navigate to Microsoft Entra ID.
Select App registrations.
Select the application named Demo app.
Application (client) ID.
Directory (tenant) ID.
In the left navigation pane, under Manage, select API permissions.
Under Configured permissions, select Grant admin consent.
Review the confirmation dialog carefully.
Select Yes to grant consent.
Critical behavior to understand
Warning Granting tenant-wide admin consent through App registrations revokes any previously granted tenant-wide permissions. Permissions previously granted by users on their own behalf are not affected.
This distinction between tenant-wide consent and user-level consent is frequently tested.
Grant tenant-wide admin consent via Enterprise applications
If the application already has a service principal in the tenant, tenant-wide admin consent can also be granted through Enterprise applications.
Step-by-step: Grant admin consent using Enterprise applications
Sign in to the Microsoft Entra admin center.
Navigate to Microsoft Entra ID.
Select Enterprise applications.
Select Demo app.
In the left navigation, under Security, select Permissions.
Select Grant admin consent.
When prompted, sign in using a Privileged Role Administrator or equivalent role.
Review the Permissions requested dialog.
Select Accept.
Once accepted, tenant-wide admin consent is applied.
Constructing the tenant-wide admin consent URL
In some scenarios, you may want to grant tenant-wide admin consent outside of the Azure portal, such as during onboarding or automated flows.
https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}
{client-id} is the Application (client) ID.
{tenant-id} is the tenant ID or a verified domain name.
⚠️ Always review permissions before using this method.
Admin-restricted permissions
Some permissions are considered high privilege and are admin-restricted.
User.Read.All.
Directory.ReadWrite.All.
Groups.Read.All.
Consumer users might consent to these permissions.
Organizational users cannot consent to these permissions.
If requested by an organizational user, an error is returned indicating insufficient privileges.
If your application requires admin-restricted permissions, they must be granted using admin consent.
Delegated vs application permissions during admin consent
Understanding how admin consent behaves depends on the permission type.
Delegated permissions
Granted on behalf of all users.
Users will not be prompted again.
App still runs within user context.
Application permissions
Granted directly to the app.
No user context exists.
Used by background services and daemons.
Always require admin consent.
This difference is a core exam concept.
Using the admin consent endpoint
Users do not need to take any additional action.
Apps can acquire tokens using standard flows.
Tokens include the approved permissions.
Requesting application permissions.
Proactively requesting tenant-wide consent.
Requesting admin-restricted scopes.
This is a high-risk operation and should only be used when necessary.
Statically defining permissions in App registrations
Applications can define the permissions they require ahead of time in the App registrations experience.
Use of the /.default scope.
Portal-based admin consent.
Clear visibility into required permissions.
Step-by-step: Define static permissions
Go to App registrations.
Select your application.
Select API permissions.
Select Add a permission.
Choose Microsoft Graph or another API.
Select the required delegated or application permissions.
Save the configuration.
Best practice is to define permissions as a superset of what the app will request dynamically.
Recommended pattern: Sign the admin into your app first
Provide a dedicated connect or setup page.
Sign the admin in before requesting consent.
Identify the tenant before redirecting to admin consent.
This improves usability and reduces errors.
Using permissions after consent
The app can request access tokens.
Tokens are scoped to a single resource.
Each token includes all permissions granted for that resource.
Example admin consent request
GET https://login.microsoftonline.com/{tenant}/v2.0/adminconsent
client_id=00001111-aaaa-2222-bbbb-3333cccc4444
redirect_uri=http://localhost/myapp/permissions
scope=https://graph.microsoft.com/calendars.read https://graph.microsoft.com/mail.send
At this stage, a tenant administrator must sign in to complete the request.
Exam-focused takeaways for Unit 6
Tenant-wide admin consent is global and powerful.
Only specific admin roles can grant consent.
Delegated and application permissions behave differently.
App registrations.
Enterprise applications.
Admin consent endpoint.
Admin-restricted permissions always require admin consent.
Granting tenant-wide consent revokes previous tenant-wide grants.