How to configure Azure auto-conesent permission with Zoom only?

Question

How to configure Azure auto-conesent permission with Zoom only?

Eaven HUANG 2,191

Dear Experts,

We've configured Azure with Zoom under Enterprise Application section. The issue we are facing is that, everytime a new user tried to log in to their Zoom account, it prompted that they need consent from their admin. (I don't want to enable attached option if it will enable the auto-consent for all apps)

We don't want users to auto consent all the app permissions but only a few that we trusted. I wanted to allow users from a specific group that will be auto-consented with zoom login.
Many thanks for your help!

Eaven HUANG 2,191 Reputation points

2022-12-26T16:09:20.467+00:00

Hi @Shweta Mathur ,

What I don't understand is that - currently our setting is No for Assignment required option - This means all users in our organization are auto admin consent? However currently we are facing the issue that all the requests need to be manually reviewed and approved by admin, that's the annoying part.

1 answer

Your answer

Eaven HUANG 2,191 Reputation points

2022-12-26T16:09:20.467+00:00

Hi @Shweta Mathur ,

What I don't understand is that - currently our setting is No for Assignment required option - This means all users in our organization are auto admin consent? However currently we are facing the issue that all the requests need to be manually reviewed and approved by admin, that's the annoying part.

Answer 1

Shweta Mathur 30,296 Microsoft Employee Moderator

Hi @Eaven HUANG ,

Thanks for reaching out.

I understand you are looking to allow users for specific group to auto consent the app permissions.
I understand you are looking to restrict the users to access the application which is by default enabled for all the users in the tenant.

You can restrict the user completely to not grant access to the application in Azure AD by checking the "Assignment required" box in your Enterprise application.

You would require either of these, Global administrator, Application administrator, or Cloud application administrator roles to manage the application.

Go to Azure Active Directory -> Enterprise Applications > All applications and select the application you want to configure.

Select Properties and set "Yes" in User Assignment Required field and save the changes.

Also, make sure to assign users and groups which need to grant access to the application.

Under Manage, select the Users and groups > Add user/group.

Select the users or groups you want to allow and assign them access to your application. Confirm that the users and groups you added are showing up in the updated Users and groups list.

Now only the above assigned users or group members are allowed to access the application.

User Consent to application can be achieved by User consent settings in "Consents and Permissions" in the Enterprise application by providing the below option:

Users can consent to applications from verified publishers or your organization, but only for permissions you select- which will allow users can consent only to applications that were published by a verified publisher and applications that are registered in your tenant.

Reference: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/user-admin-consent-overview#user-consent-settings
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal?pivots=portal

Hope this will help.

Thanks,
Shweta

----------------------------------------------

Please remember to "Accept Answer" if answer helped you.

Eaven HUANG 2,191 Reputation points

2022-12-26T15:14:33.61+00:00

Hi @Shweta Mathur ,

I really appreciate your efforts in this guideline.
The objective is to auto consent our users (within one certain AD group) for accessing the enterprise we deployed via Azure. While we will still restrict all the users to access other applications (that are not listed in Enterprise Applications) - this needs admin consent.
For example, we deployed Zoom in Azure, users in that group will be auto-consent, no action required from Azure admin.
If user wants to give access for another application called remotely-save, then they can't auto-consent, they need to request admin consent from admin.

I have one question regarding the zoom setting, it was historical problem that I don't have on-hands document, but currently we have a dozen of Zoom applications configured in Azure. Any idea which properties I need to look into further?
Eaven HUANG 2,191 Reputation points

2022-12-26T15:35:18.183+00:00

Hi @Shweta Mathur ,

Never mind with my question, I've figured out which is the one user requests consent for.
But do we need to make any change on Zoom side?

Thanks again.
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2022-12-27T06:36:58.757+00:00

Hi @Eaven HUANG ,

Thanks for the update. I am glad you are able to figure out. It will be helpful if you will share the solution with us as well which will other community members looking for similar solution.

AFAIK , there is no setting required from Zoom side to configure consent and permissions of the users.

Thanks,
Shweta
Eaven HUANG 2,191 Reputation points

2022-12-27T06:41:28.927+00:00

Hi @Shweta Mathur ,

Sorry but the issue has not yet solved:(

I've tried it even Grant admin consent for our org in this app Permissions setting, but we still received emails from new users asking for manual consent.
Any idea what I might be missing?
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2022-12-27T12:15:34.03+00:00

What are the user settings you have in consent and permissions?
How are you providing manual consent?
Eaven HUANG 2,191 Reputation points

2022-12-28T02:59:21.88+00:00

Here it is -
Allow user consent for apps from verified publishers, for selected permissions (Recommended)
Allow group owner consent for all group owners

I'm not really sure what determines "verified publishers"

Share via

How to configure Azure auto-conesent permission with Zoom only?

1 answer

Your answer