The current behavior is a "known limitation"; Microsoft is aware of the challenges it poses and is working on addressing it in the future. Until then, admins will have to grant consent, either for the desired users or tenant-wide.
Is it possible to allow user consent for enterprise applications which require assignment?
I am developing an application for internal use within my company, but to prevent any random employee from accessing it we want to require user assignment. Unfortunately this prevents users from individually consenting to the application, requiring org-wide administrative consent for all API permissions, including the OpenID Connect permissions which normally do not require admin consent.
Per the documentation:
When an application requires assignment, user consent for that application isn't allowed. This is true even if users consent for that app would have otherwise been allowed. Be sure to grant tenant-wide admin consent to apps that require assignment.
Although the application only requires the `openid` and `profile` permissions in order to function, our administrators are wary of granting tenant-wide consent for anything as there are potential security implications.
Is there any way to configure our Registered Application, Enterprise Application, or Entra security policies that would allow our users to still grant consent without requiring administrative approval, or is tenant-wide administrative approval mandatory?
Microsoft Security | Microsoft Entra | Microsoft Entra ID
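The per-user alternative to tenant-wide consent, as an added example that is not code from the question, the answer, or Microsoft: an admin can create an `oAuth2PermissionGrant` in Microsoft Graph with `consentType` set to `Principal`, which grants the delegated `openid` and `profile` scopes to one assigned user rather than to every principal in the tenant. The script builds that grant body, checks the requested scopes against the two the app actually needs, and audits a (constructed) list of existing grants for any tenant-wide `AllPrincipals` entry. `CLIENT_SP_ID`, `GRAPH_SP_ID`, `USER_ID` and the `GRAPH_TOKEN` environment variable are placeholders, not values from the page.

```python
"""Least-privilege consent for an Entra app that requires user assignment.

Constructed example, not from the Q&A page or Microsoft's own samples.
It models the Microsoft Graph oAuth2PermissionGrant object an admin creates
when granting delegated permissions to a single user, and audits existing
grants for tenant-wide consent.

Assumed placeholders (replace with real object IDs from your tenant):
  CLIENT_SP_ID - object id of the app's service principal (Enterprise Application)
  GRAPH_SP_ID  - object id of the Microsoft Graph service principal in the tenant
  USER_ID      - object id of a user who is assigned to the app
"""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# The only delegated scopes the question says the app needs.
REQUIRED_SCOPES = ("openid", "profile")


def build_user_scoped_grant(client_sp_id, resource_sp_id, user_id, scopes):
    """Return the oAuth2PermissionGrant body for a per-user ("Principal") grant.

    consentType "Principal" limits the grant to one user; "AllPrincipals" is
    tenant-wide admin consent, which is what the admins want to avoid.
    """
    return {
        "clientId": client_sp_id,
        "consentType": "Principal",
        "principalId": user_id,
        "resourceId": resource_sp_id,
        "scope": " ".join(scopes),
    }


def excess_scopes(requested, allowed=REQUIRED_SCOPES):
    """Return the requested scopes that go beyond what the app actually needs."""
    return sorted(set(requested) - set(allowed))


def tenant_wide_grants(grants, client_sp_id):
    """From a list of oAuth2PermissionGrant objects, return those that are
    tenant-wide ("AllPrincipals") for the given client service principal."""
    return [
        g for g in grants
        if g.get("clientId") == client_sp_id and g.get("consentType") == "AllPrincipals"
    ]


def graph_request(method, path, token, body=None):
    """Minimal Graph REST call; only used when run with a real token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH + path, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample of what GET /oauth2PermissionGrants?$filter=clientId eq '...'
    # might return; the first entry is the over-broad tenant-wide grant to flag.
    sample_grants = [
        {"clientId": "CLIENT_SP_ID", "consentType": "AllPrincipals", "principalId": None,
         "resourceId": "GRAPH_SP_ID", "scope": "openid profile User.Read.All"},
        {"clientId": "CLIENT_SP_ID", "consentType": "Principal", "principalId": "USER_ID",
         "resourceId": "GRAPH_SP_ID", "scope": "openid profile"},
    ]
    for g in tenant_wide_grants(sample_grants, "CLIENT_SP_ID"):
        print("tenant-wide grant:", g["scope"], "| beyond need:", excess_scopes(g["scope"].split()))

    body = build_user_scoped_grant("CLIENT_SP_ID", "GRAPH_SP_ID", "USER_ID", REQUIRED_SCOPES)
    print(json.dumps(body, indent=2))

    # Creating the grant needs an admin token holding DelegatedPermissionGrant.ReadWrite.All.
    token = os.environ.get("GRAPH_TOKEN")
    if token:
        print(graph_request("POST", "/oauth2PermissionGrants", token, body))
```

Run without `GRAPH_TOKEN` the script only prints the audit result and the grant body; the user in `principalId` must already be assigned to the Enterprise Application, since the assignment requirement is enforced separately from consent.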
1 answer
Vasil Michev 119.7K Reputation points MVP Volunteer Moderator
2024-06-18T06:53:26.1533333+00:00