Grant consent to this Azure Active Directory app in Business Central Sandbox environment

Jason Yeung 61 Reputation points
2022-08-17T21:37:34.027+00:00

Hi,

I have an Azure Active Directory app on Business Central. On this app is a "Grant Consent" link:
[Image: 232191-01-grant-content.jpg]

When I click on it, it responds with a "Need admin approval" message. I did some investigation and found that the fix is the following:
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?tabs=azure-portal

I'm not a global admin, but I asked someone who is and he had concerns about security. Specifically, he said that one of Microsoft's recommendations is that we keep the setting as "do not allow user consent". He said that if we change the setting, it will decrease the Microsoft Security identity secure score.

I was wondering if there is another way to allow us to Grant Consent that doesn't affect our Microsoft Security identity secure score? Thanks!

Sincerely,

Jason

Microsoft Entra ID

Accepted answer
  1. Vasil Michev 98,196 Reputation points MVP
    2022-08-18T06:42:46.317+00:00

    Generally speaking, it's a good idea to restrict consent requests. Blocking them altogether will affect productivity though, so a good middle ground is to configure the "request admin approval" flow as detailed here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow


1 additional answer

  1. Jason Yeung 61 Reputation points
    2022-09-01T16:14:41.233+00:00

    Thanks @Vasil Michev,

    I talked to our networking team as well as the development team and we've set it to "request admin approval". Development wanted to automatically approve, but we explained that it would be a security risk and have set it to request as a compromise.

    Jason

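An added example, not part of the thread or of Microsoft's documentation: an offline check of the compromise the answers settle on (user consent left off, admin consent workflow on). It assumes the two policy documents were exported from Microsoft Graph's `authorizationPolicy` and `adminConsentRequestPolicy` resources; the sample JSON, reviewer ID and function name are constructed for illustration.

```python
import json

# Constructed samples, shaped like Microsoft Graph v1.0 responses for
# GET /policies/authorizationPolicy and GET /policies/adminConsentRequestPolicy.
AUTHZ_POLICY = json.loads("""{
  "defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": []}
}""")
CONSENT_REQUEST_POLICY = json.loads("""{
  "isEnabled": true,
  "notifyReviewers": true,
  "requestDurationInDays": 30,
  "reviewers": [
    {"query": "/users/00000000-0000-0000-0000-000000000001",
     "queryType": "MicrosoftGraph"}
  ]
}""")

# Grant policies with this prefix let users consent on their own behalf.
USER_CONSENT_PREFIX = "managepermissiongrantsforself."


def audit_consent_posture(authz_policy, request_policy):
    """Return findings; an empty list means user consent is off and the
    admin consent workflow can actually route requests to a reviewer."""
    findings = []
    perms = authz_policy.get("defaultUserRolePermissions") or {}
    assigned = perms.get("permissionGrantPoliciesAssigned") or []
    self_grant = [p for p in assigned
                  if p.lower().startswith(USER_CONSENT_PREFIX)]
    if self_grant:
        findings.append("user consent allowed via: " + ", ".join(self_grant))
    if not request_policy.get("isEnabled"):
        # Users see "Need admin approval" with no way to file a request.
        findings.append("admin consent workflow disabled")
    else:
        if not request_policy.get("reviewers"):
            findings.append("workflow enabled but no reviewers assigned")
        if not request_policy.get("notifyReviewers"):
            findings.append("reviewers are not notified of new requests")
    return findings


if __name__ == "__main__":
    result = audit_consent_posture(AUTHZ_POLICY, CONSENT_REQUEST_POLICY)
    for line in result or ["OK: user consent off, admin consent workflow on"]:
        print(line)
```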