How To Let Other People Publish To Your Azure App Service

Article
01/twenty/2022
2 minutes to read

In this article, you lot'll larn how to configure the way users consent to applications and how to disable all time to come user consent operations to applications.

Before an application can access your organisation'southward data, a user must grant the application permissions to practice so. Unlike permissions allow different levels of access. By default, all users are immune to consent to applications for permissions that don't require administrator consent. For example, by default, a user can consent to allow an app to access their mailbox but tin can't consent to allow an app unfettered access to read and write to all files in your organization.

Important

To reduce the risk of malicious applications attempting to trick users into granting them access to your organization's data, we recommend that you allow user consent only for applications that have been published past a verified publisher.

Prerequisites

To configure user consent, you need:

A user account. If yous don't already have 1, yous tin create an account for free.
A Global Ambassador or Privileged Administrator role.

The Azure portal
PowerShell

To configure user consent settings through the Azure portal, do the following:

Sign in to the Azure portal as a Global Administrator.
Select Azure Active Directory > Enterprise applications > Consent and permissions > User consent settings.
Under User consent for applications, select which consent setting y'all desire to configure for all users.
Select Save to save your settings.

Screenshot of the 'User consent settings' pane.

To choose which app consent policy governs user consent for applications, you tin use the latest Azure Advertising PowerShell module.

Notation

The instructions beneath apply the generally bachelor Azure Advertisement PowerShell module (AzureAD). The parameter names are different in the preview version of this module (AzureADPreview). If you lot take both modules installed, ensure you're using the cmdlet from the correct module by first running:

                    Remove-Module AzureADPreview -ErrorAction SilentlyContinue Import-Module AzureAD

To disable user consent, set the consent policies that govern user consent to empty:

                  Set up-AzureADMSAuthorizationPolicy -DefaultUserRolePermissions @{     "PermissionGrantPoliciesAssigned" = @() }

To allow user consent, choose which app consent policy should govern users' dominance to grant consent to apps:

                  Set-AzureADMSAuthorizationPolicy -DefaultUserRolePermissions @{     "PermissionGrantPoliciesAssigned" = @("managePermissionGrantsForSelf.{consent-policy-id}") }

Replace {consent-policy-id} with the ID of the policy you want to apply. You tin cull a custom app consent policy that you've created, or you can cull from the following built-in policies:

ID	Clarification
microsoft-user-default-low	Permit user consent for apps from verified publishers, for selected permissions Let limited user consent but for apps from verified publishers and apps that are registered in your tenant, and only for permissions that you classify as low impact. (Remember to classify permissions to select which permissions users are allowed to consent to.)
microsoft-user-default-legacy	Let user consent for apps This option allows all users to consent to whatever permission that doesn't require admin consent, for whatever application

For instance, to enable user consent field of study to the built-in policy microsoft-user-default-depression, run the following commands:

                  Set-AzureADMSAuthorizationPolicy -DefaultUserRolePermissions @{     "PermissionGrantPoliciesAssigned" = @("managePermissionGrantsForSelf.microsoft-user-default-depression") }

Tip

To permit users to asking an ambassador's review and approval of an application that the user isn't allowed to consent to, enable the admin consent workflow. For example, you lot might do this when user consent has been disabled or when an application is requesting permissions that the user isn't allowed to grant.

Next steps

Manage app consent policies
Configure the admin consent workflow

Feedback

Submit and view feedback for