Is it a case of simply reviewing what the app is requesting, agreeing it looks legitimate and is requesting to access things we would expect an app of that kind would need, before approving it?
See Evaluate a request for tenant-wide admin consent for some suggestions of what to look (and look out) for.
Once approved, does the user get added to the "Users and groups" list of the corresponding Enterprise Application?
No. If you want to assign the app to users or groups, that is currently a separate step you need to take. You also have the option of requiring that only assigned users are able to sign in to the app, but this will not be the default for many apps that show up in the admin consent request queue.
We have an application that all users in the organisation are assigned to and can access with Azure SSO. Viewing the "Admin Consent Requests" page I can see a number of people have requested admin consent for this app. Using an account that has never accessed this application before, I managed to sign in using SSO and didn't have to request an admin to allow anything - is there a simple explanation as to why some users seem to be requesting admin access when the majority of users can access said app without doing that?
It is possible (likely) that the application is dynamically requesting additional permissions, in response to users' actions within the application. (Similar to how a mobile app might request permission to access files on the device only once you try to use the feature of the app that requires that.) If this is the case, the admin consent request the user made will have captured the specific permissions being requested at that point in time. Granting admin consent from the pending request list ensures these dynamically requested permissions are also taken into account.
We have received a request to grant admin permissions for an enterprise app which has the same name as one that already exists, however the application ID is different to the existing app. Is this a different instance of the app? (Trello is the app in question)
It's impossible to say for certain based only on the display name. In general, app publishers can input any display name for their app. You should be on the lookout for malicious apps which claim they are a well-known app, but are in fact only trying to get users (or worse, administrators) to grant their app access to your organization's data. See Protecting against consent phishing. One thing in particular you should be looking for is that the publisher of the application really is who they claim they are—publisher verification can help with this.
When in doubt, do not grant admin consent, and reach out to the requesting user and/or the app publisher to get more details. Better to be safe than sorry!
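As an added illustration (not part of the original answer, and not Microsoft tooling): a triage check for the same-name, different-application-ID case discussed above. It assumes the tenant's service principals have been exported from Microsoft Graph as dicts; all IDs, the publisher name and the function names are constructed for the example.

```python
import unicodedata

# Constructed sample data shaped like Microsoft Graph servicePrincipal objects.
# Every GUID and publisher value below is a placeholder, not a real identifier.
EXISTING = [{
    "displayName": "Trello",
    "appId": "11111111-1111-1111-1111-111111111111",
    "appOwnerOrganizationId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    "verifiedPublisher": {"displayName": "Example Publisher",
                          "verifiedPublisherId": "0000001"},
}]
REQUESTED = {
    "displayName": "Trello",
    "appId": "22222222-2222-2222-2222-222222222222",
    "appOwnerOrganizationId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
    "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None},
}

def normalize_name(name):
    """Fold case, Unicode compatibility forms and whitespace so that
    look-alike display names compare equal."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())

def triage_request(requested, existing):
    """Return findings an admin should resolve before granting consent."""
    findings = []
    publisher = requested.get("verifiedPublisher") or {}
    if not publisher.get("verifiedPublisherId"):
        findings.append("publisher-not-verified")
    wanted = normalize_name(requested["displayName"])
    for sp in existing:
        if normalize_name(sp["displayName"]) != wanted:
            continue
        if sp["appId"] == requested["appId"]:
            # Same application: likely a request for additional permissions.
            findings.append("same-app-already-present")
            continue
        # Same display name, different application: the name proves nothing.
        findings.append("name-collision:" + sp["appId"])
        if sp.get("appOwnerOrganizationId") != requested.get("appOwnerOrganizationId"):
            findings.append("different-owner-tenant:" + sp["appId"])
    return findings

if __name__ == "__main__":
    for finding in triage_request(REQUESTED, EXISTING):
        print(finding)
```

A finding is a prompt to investigate, not a verdict: a legitimate publisher can register more than one application under the same name.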