In this article you'll learn how to configure permissions classifications in Azure Active Directory (Azure AD). Permission classifications allow you to identify the impact that different permissions have according to your organization's policies and risk evaluations. For example, you can use permission classifications in consent policies to identify the set of permissions that users are allowed to consent to.
Currently, only the "Low impact" permission classification is supported. Only delegated permissions that don't require admin consent can be classified as "Low impact".
The minimum permissions needed for basic sign-in are openid, profile, email, and offline_access, all of which are delegated permissions on Microsoft Graph. With these permissions an app can read details of the signed-in user's profile, and can keep that access even when the user is no longer using the app.
Prerequisites
To configure permission classifications, you need:
Select Azure Active Directory > Enterprise applications > Consent and permissions > Permission classifications.
Choose Add permissions to classify another permission as "Low impact".
Select the API and then select the delegated permission(s).
In this example, we've classified the minimum set of permissions required for single sign-on:
You can use the latest Azure AD PowerShell Preview module, AzureADPreview, to classify permissions. Permission classifications are configured on the ServicePrincipal object of the API that publishes the permissions.
List the current permission classifications for an API
Retrieve the ServicePrincipal object for the API. Here we retrieve the ServicePrincipal object for the Microsoft Graph API:
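The following script is an added example, not part of the original article, that carries the PowerShell approach through end to end: it retrieves the Microsoft Graph ServicePrincipal, lists its current classifications, and classifies the minimum sign-in set from the portal example above as "Low impact". It assumes the AzureADPreview module is installed and that the account used can administer consent settings; the check on `Type -eq "User"` is included because only delegated permissions that do not require admin consent can be classified.

```powershell
# Added example (assumes AzureADPreview is installed and you hold a role that can manage consent settings).
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

# Permission classifications live on the ServicePrincipal of the API that publishes the permissions.
$api = Get-AzureADServicePrincipal -Filter "servicePrincipalNames/any(n:n eq 'https://graph.microsoft.com')"
if (-not $api) { throw "Microsoft Graph ServicePrincipal not found in this tenant." }

# Current "low" classifications for this API.
$existing = Get-AzureADMSServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $api.ObjectId
Write-Host "Existing classifications on $($api.DisplayName):"
$existing | Format-Table Id, PermissionName, Classification

# The minimum sign-in set named in the article; nothing broader is classified here.
$minimumSignIn = @("openid", "profile", "email", "offline_access")

foreach ($name in $minimumSignIn) {
    # Oauth2Permissions holds the delegated permissions the API exposes.
    $perm = $api.Oauth2Permissions | Where-Object { $_.Value -eq $name }
    if (-not $perm) { Write-Warning "Delegated permission '$name' not found on $($api.DisplayName)"; continue }

    # Only delegated permissions that do not require admin consent (Type "User") can be classified.
    if ($perm.Type -ne "User") { Write-Warning "'$name' requires admin consent; skipping"; continue }

    if ($existing | Where-Object { $_.PermissionId -eq $perm.Id }) {
        Write-Host "'$name' is already classified; skipping"
        continue
    }

    Add-AzureADMSServicePrincipalDelegatedPermissionClassification `
        -ServicePrincipalId $api.ObjectId `
        -PermissionId $perm.Id `
        -PermissionName $perm.Value `
        -Classification "low" | Out-Null
    Write-Host "Classified '$name' as low impact"
}

# Re-read so the final state can be reviewed before any consent policy relies on it.
Get-AzureADMSServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $api.ObjectId |
    Format-Table Id, PermissionName, Classification
```

Run the listing block on its own first to confirm no permission beyond the intended set is already classified as low impact, since every classification here widens what users can consent to without an administrator.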