Users being prompted for consent on verified apps when they shouldn't be

Sean O'Brien 1 Reputation point
2024-05-24T11:17:56.28+00:00

I recently revoked admin consent for the Enterprise app 'Apple Internet Accounts', which is required to configure Exchange email accounts on iOS natively. The idea was to have all users consent to permissions themselves rather than give the app access to all users' mailboxes, whether they are using iOS or not. However, I'm now receiving approvals to consent as admin.

This is because one of the permissions is not considered 'low impact': "Access mailboxes as the signed-in user via Exchange Web Services".

This is correctly requiring admin consent because my user consent settings are set to only allow users to consent to verified apps classified as low impact.

What's the correct move here? I want any user to be able to consent to this app, but I don't want to change the impact classification for this permission across all apps tenant wide.

Microsoft Exchange Online
Microsoft Entra ID

1 answer

  1. Sean O'Brien 1 Reputation point
    2024-05-24T22:51:38.6433333+00:00

    I could not find a way to make the EAS.AccessAsUser.All permission low impact for just Apple Internet Accounts. So instead, I granted Admin consent for the app (tenant wide).

    This was preferable to adding the required permissions to the low impact classification tenant wide, meaning users would be allowed to add new apps that gave full mailbox access without Admin consent.

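
A follow-up check for the trade-off in the answer above, as an added example that is not part of the original thread: it splits delegated permission grants into tenant-wide admin consent (`consentType` `AllPrincipals`) and single-user consent (`Principal`), so mailbox-level scopes granted for every user stand out. The sample records, the placeholder ids and the `HIGH_IMPACT` set are assumptions constructed for the example.

```python
import json

# Delegated scopes this example treats as high impact (an assumption); both
# are Exchange "access as the signed-in user" scopes like the one in the thread.
HIGH_IMPACT = {"eas.accessasuser.all", "ews.accessasuser.all"}

# Constructed sample in the shape of GET /v1.0/oauth2PermissionGrants.
# Every id below is a placeholder, not a value from a real tenant.
SAMPLE = json.loads("""
{"value": [
 {"id": "g1", "clientId": "sp-apple-internet-accounts", "consentType": "AllPrincipals",
  "principalId": null, "resourceId": "sp-exchange-online",
  "scope": " EAS.AccessAsUser.All EWS.AccessAsUser.All"},
 {"id": "g2", "clientId": "sp-mail-client-b", "consentType": "Principal",
  "principalId": "user-0001", "resourceId": "sp-exchange-online",
  "scope": "EAS.AccessAsUser.All"},
 {"id": "g3", "clientId": "sp-reporting-tool", "consentType": "AllPrincipals",
  "principalId": null, "resourceId": "sp-microsoft-graph",
  "scope": "openid profile User.Read"}
]}
""")["value"]


def classify_grants(grants, high_impact=HIGH_IMPACT):
    """Return (tenant_wide, per_user) lists of grants holding high-impact scopes."""
    tenant_wide, per_user = [], []
    for grant in grants:
        # 'scope' is a space-separated string and may carry a leading space.
        scopes = (grant.get("scope") or "").split()
        hits = sorted(s for s in scopes if s.lower() in high_impact)
        if not hits:
            continue
        if grant.get("consentType") == "AllPrincipals":
            # Admin consent for the whole tenant: every user is covered.
            tenant_wide.append((grant["clientId"], hits))
        else:
            # consentType "Principal": the grant covers one user only.
            per_user.append((grant["clientId"], grant.get("principalId"), hits))
    return tenant_wide, per_user


if __name__ == "__main__":
    wide, single = classify_grants(SAMPLE)
    for client, hits in wide:
        print(f"TENANT-WIDE {client}: {', '.join(hits)}")
    for client, user, hits in single:
        print(f"PER-USER    {client} for {user}: {', '.join(hits)}")
```

Run against a real export of the tenant's delegated grants, the tenant-wide list is the one to review after granting admin consent for an app.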