Configure permission classifications

In this article you'll learn how to configure permissions classifications in Azure Active Directory (Azure AD). Permission classifications allow you to identify the impact that different permissions have according to your organization's policies and risk evaluations. For example, you can use permission classifications in consent policies to identify the set of permissions that users are allowed to consent to.

Currently, only the "Low impact" permission classification is supported. Only delegated permissions that don't require admin consent can be classified as "Low impact".

The minimum permissions needed for basic sign-in are openid, profile, email, and offline_access, which are all delegated permissions on Microsoft Graph. With these permissions an app can read details of the signed-in user's profile, and can keep this access even when the user is no longer using the app.

To configure permission classifications, you need:

  • An Azure account with an active subscription. Create an account for free.
  • One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

Manage permission classifications

Follow these steps to classify permissions using the Azure portal:

  1. Sign in to the Azure portal as a Global Administrator, Application Administrator, or Cloud Application Administrator.
  2. Select Azure Active Directory > Enterprise applications > Consent and permissions > Permission classifications.
  3. Choose Add permissions to classify another permission as "Low impact".
  4. Select the API and then select the delegated permission(s).

In this example, we've classified the minimum set of permissions required for single sign-on:

Permission classifications
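The same classification can be scripted against the Microsoft Graph API, where each "Low impact" entry is a POST to the API's delegatedPermissionClassifications collection. The following is an added example, not code from this article: it takes a service principal's oauth2PermissionScopes and the permissions you want to classify, and builds the request bodies while enforcing the rule stated above (only delegated permissions with consent type "User" are eligible). The service principal document and its scope ids are constructed placeholders, not real Microsoft Graph values.

```python
"""Plan "low" delegated-permission classifications for an API's service principal.

Constructed sample: the trimmed shape of GET /servicePrincipals/{id}. The ids are
placeholders; real Microsoft Graph scope ids differ. Scope "type" is "User" when
a user can consent alone and "Admin" when admin consent is required.
"""
SAMPLE_API = {
    "id": "aaaaaaaa-0000-0000-0000-000000000001",  # placeholder, constructed
    "displayName": "Example API (constructed sample)",
    "oauth2PermissionScopes": [
        {"id": "bbbbbbbb-0000-0000-0000-000000000001", "value": "openid", "type": "User"},
        {"id": "bbbbbbbb-0000-0000-0000-000000000002", "value": "profile", "type": "User"},
        {"id": "bbbbbbbb-0000-0000-0000-000000000003", "value": "email", "type": "User"},
        {"id": "bbbbbbbb-0000-0000-0000-000000000004", "value": "offline_access", "type": "User"},
        {"id": "bbbbbbbb-0000-0000-0000-000000000005", "value": "Directory.ReadWrite.All", "type": "Admin"},
    ],
}

# The minimum sign-in set named in the article.
MIN_SIGN_IN = ["openid", "profile", "email", "offline_access"]


def plan_low_impact(api, wanted):
    """Return (requests, rejected).

    requests: JSON bodies for
      POST /servicePrincipals/{api["id"]}/delegatedPermissionClassifications
    rejected: {permission name: reason} for anything that cannot be "low".
    """
    scopes = {s["value"]: s for s in api.get("oauth2PermissionScopes", [])}
    requests, rejected = [], {}
    for name in wanted:
        scope = scopes.get(name)
        if scope is None:
            rejected[name] = "not a delegated permission exposed by this API"
        elif scope.get("type") != "User":
            rejected[name] = "requires admin consent; only user-consentable scopes can be low impact"
        else:
            requests.append({
                "permissionId": scope["id"],
                "permissionName": scope["value"],
                "classification": "low",
            })
    return requests, rejected


def classification_url(api):
    """Target collection for the request bodies returned by plan_low_impact."""
    return f"https://graph.microsoft.com/v1.0/servicePrincipals/{api['id']}/delegatedPermissionClassifications"
```

Each body in `requests` would be sent as a separate POST to `classification_url(api)` by a caller holding the Policy.ReadWrite.PermissionGrant permission; entries in `rejected` need either a different classification decision or admin consent rather than a low-impact label.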

Next steps

To learn more: