Configure group and team owner consent to applications
In this article, you'll learn how to configure the way group and team owners consent to applications and how to disable all future group and team owners' consent operations to applications.
Group and team owners can authorize applications, such as applications published by third-party vendors, to access your organization's data associated with a group. For example, a team owner in Microsoft Teams can allow an app to read all Teams messages in the team, or list the basic profile of a group's members. See Resource-specific consent in Microsoft Teams to learn more.
Group owner consent can be managed in two separate ways: through Microsoft Entra admin center and creation of app consent policies. In the Microsoft Entra admin center, you can enable all groups owner, enable selected group owner, or disable group owners' ability to give consent to applications. On the other hand, app consent policies enable you to specify which app consent policy governs the group owner consent for applications. You then have the flexibility to assign either a Microsoft built-in policy or create your own custom policy to effectively manage the consent process for group owners.
Before creating the app consent policy to manage your group owner consent, you need to disable the group owner consent setting through the Microsoft Entra admin center. Disabling this setting allows for group owner consent subject to app consent policies. You can learn how to disable the group owner consent setting in various ways in this article. Learn more about managing group owner consent by app consent policies tailored to your needs.
Prerequisites
To configure group and team owner consent, you need:
- A user account. If you don't already have one, you can create an account for free.
- A Global Administrator role.
Manage group owner consent to apps using Microsoft Entra admin center
You can configure which users are allowed to consent to apps accessing their groups' or teams' data, or you can disable the setting for all users.
Tip
Steps in this article might vary slightly based on the portal you start from.
To configure group and team owner consent settings through the Microsoft Entra admin center:
Follow these steps to manage group owner consent to apps accessing group data:
- Sign in to the Microsoft Entra admin center as a Global Administrator.
- Browse to Identity > Applications > Enterprise applications > Consent and permissions > User consent settings.
- Under Group owner consent for apps accessing data select the option you'd like to enable.
- Select Save to save your settings.
In this example, all group owners are allowed to consent to apps accessing their groups' data:
You can use the Microsoft Graph PowerShell module to enable or disable group owners' ability to consent to applications accessing your organization's data for the groups they own. The cmdlets in this section are part of the Microsoft.Graph.Identity.SignIns module.
Connect to Microsoft Graph PowerShell and sign in as a global administrator. For reading the current user consent settings, use Policy.Read.All permission. For reading and changing the user consent settings, use Policy.ReadWrite.Authorization permission.
Change the profile to beta by using the
Select-MgProfilecommand.Select-MgProfile -Name "beta"Use the least-privilege permission
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization" # If you need to create a new setting based on the templates, please use this permission Connect-MgGraph -Scopes "Directory.ReadWrite.All"
Retrieve the current setting using Microsoft Graph PowerShell
Retrieve the current value for the Consent Policy Settings directory settings in your tenant. This requires checking if the directory settings for this feature have been created, and if not, using the values from the corresponding directory settings template.
$consentSettingsTemplateId = "dffd5d46-495d-40a9-8e21-954ff55e198a" # Consent Policy Settings
$settings = Get-MgDirectorySetting | ?{ $_.TemplateId -eq $consentSettingsTemplateId }
if (-not $settings) {
$template = Get-MgDirectorySettingTemplate -DirectorySettingTemplateId $consentSettingsTemplateId
$body = @{
"templateId" = $template.Id
"values" = @(
@{
"name" = "EnableGroupSpecificConsent"
"value" = $true
},
@{
"name" = "BlockUserConsentForRiskyApps"
"value" = $true
},
@{
"name" = "EnableAdminConsentRequests"
"value" = $true
},
@{
"name" = "ConstrainGroupSpecificConsentToMembersOfGroupId"
"value" = ""
}
)
}
$settings = New-MgDirectorySetting -BodyParameter $body
}
$enabledValue = $settings.Values | ? { $_.Name -eq "EnableGroupSpecificConsent" }
$limitedToValue = $settings.Values | ? { $_.Name -eq "ConstrainGroupSpecificConsentToMembersOfGroupId" }
Understand the setting values in Microsoft Graph PowerShell
There are two settings values that define which users would be able to allow an app to access their group's data:
| Setting | Type | Description |
|---|---|---|
| EnableGroupSpecificConsent | Boolean | Flag indicating if groups owners are allowed to grant group-specific permissions. |
| ConstrainGroupSpecificConsentToMembersOfGroupId | Guid | If EnableGroupSpecificConsent is set to "True" and this value set to a group's object ID, members of the identified group will be authorized to grant group-specific permissions to the groups they own. |
Update settings values for the desired configuration using Microsoft Graph PowerShell
# Disable group-specific consent entirely
$enabledValue.Value = "false"
$limitedToValue.Value = ""
# Enable group-specific consent for all users
$enabledValue.Value = "true"
$limitedToValue.Value = ""
# Enable group-specific consent for users in a given group
$enabledValue.Value = "true"
$limitedToValue.Value = "{group-object-id}"
Save your settings using Microsoft Graph PowerShell
```powershell
# Update an existing directory settings
Update-MgDirectorySetting -DirectorySettingId $settings.Id -Values $settings.Values
To manage group and team owner consent settings through directory setting using Graph Explorer:
You need to sign in as a global administrator. For reading the current user consent settings, consent to Policy.Read.All permission. For reading and changing the user consent settings, consent to Policy.ReadWrite.Authorization permission.
Retrieve the current setting using Microsoft Graph API
Retrieve the current value for the Consent Policy Settings from Microsoft Entra admin center in your tenant. This requires checking if the directory settings for this feature have been created, and if not, using the second Microsoft Graph call to create the corresponding directory settings.
GET https://graph.microsoft.com/beta/settings
Response
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#settings",
"value": [
{
"id": "{ directorySettingId }",
"displayName": "Consent Policy Settings",
"templateId": "dffd5d46-495d-40a9-8e21-954ff55e198a",
"values": [
{
"name": "EnableGroupSpecificConsent",
"value": "true"
},
{
"name": "BlockUserConsentForRiskyApps",
"value": "true"
},
{
"name": "EnableAdminConsentRequests",
"value": "true"
},
{
"name": "ConstrainGroupSpecificConsentToMembersOfGroupId",
"value": ""
}
]
}
]
}
create the corresponding directory settings if the value is empty (see below as an example).
GET https://graph.microsoft.com/beta/settings
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#settings",
"value": []
}
POST https://graph.microsoft.com/beta/settings
{
"templateId": "dffd5d46-495d-40a9-8e21-954ff55e198a",
"values": [
{
"name": "EnableGroupSpecificConsent",
"value": "true"
},
{
"name": "BlockUserConsentForRiskyApps",
"value": "true"
},
{
"name": "EnableAdminConsentRequests",
"value": "true"
},
{
"name": "ConstrainGroupSpecificConsentToMembersOfGroupId",
"value": ""
}
]
}
Understand the setting values in Microsoft Graph API
There are two settings values that define which users would be able to allow an app to access their group's data:
| Setting | Type | Description |
|---|---|---|
| EnableGroupSpecificConsent | Boolean | Flag indicating if groups owners are allowed to grant group-specific permissions. |
| ConstrainGroupSpecificConsentToMembersOfGroupId | Guid | If EnableGroupSpecificConsent is set to "True" and this value set to a group's object ID, members of the identified group will be authorized to grant group-specific permissions to the groups they own. |
Update settings values for the desired configuration using Microsoft Graph API
Replace {directorySettingId} with the actual ID in the value collection when retrieving the current setting
Disable group-specific consent entirely
PATCH https://graph.microsoft.com/beta/settings/{directorySettingId}
{
"values": [
{
"name": "EnableGroupSpecificConsent",
"value": "false"
},
{
"name": "BlockUserConsentForRiskyApps",
"value": "true"
},
{
"name": "EnableAdminConsentRequests",
"value": "true"
},
{
"name": "ConstrainGroupSpecificConsentToMembersOfGroupId",
"value": ""
}
]
}
Enable group-specific consent for all users
PATCH https://graph.microsoft.com/beta/settings/{directorySettingId}
{
"values": [
{
"name": "EnableGroupSpecificConsent",
"value": "true"
},
{
"name": "BlockUserConsentForRiskyApps",
"value": "true"
},
{
"name": "EnableAdminConsentRequests",
"value": "true"
},
{
"name": "ConstrainGroupSpecificConsentToMembersOfGroupId",
"value": ""
}
]
}
Enable group-specific consent for users in a given group
PATCH https://graph.microsoft.com/beta/settings/{directorySettingId}
{
"values": [
{
"name": "EnableGroupSpecificConsent",
"value": "true"
},
{
"name": "BlockUserConsentForRiskyApps",
"value": "true"
},
{
"name": "EnableAdminConsentRequests",
"value": "true"
},
{
"name": "ConstrainGroupSpecificConsentToMembersOfGroupId",
"value": "{group-object-id}"
}
]
}
Note
User can consent to apps accessing company data on their behalf setting, when turned off, doesn't disable the Users can consent to apps accessing company data for groups they own option.
Manage group owner consent to apps by app consent policy
You can configure which users are allowed to consent to apps accessing their groups' or teams' data through app consent policies. To allow group owner consent subject to app consent policies, the group owner consent setting must be disabled. Once disabled, your current policy is read from app consent policies.
To choose which app consent policy governs user consent for applications, you can use the Microsoft Graph PowerShell module. The cmdlets used here are included in the Microsoft.Graph.Identity.SignIns module.
Connect to Microsoft Graph PowerShell using the least-privilege permission needed. For reading the current user consent settings, use Policy.Read.All. For reading and changing the user consent settings, use Policy.ReadWrite.Authorization. You need to sign in as a global administrator
# change the profile to beta by using the `Select-MgProfile` command
Select-MgProfile -Name "beta".
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"
Disable group owner consent to use app consent policies using Microsoft Graph PowerShell
Check if the
ManagePermissionGrantPoliciesForOwnedResourceis scoped ingroup.Retrieve the current value for the group owner consent setting.
Get-MgPolicyAuthorizationPolicy | select -ExpandProperty DefaultUserRolePermissions | ft PermissionGrantPoliciesAssigned
If
ManagePermissionGrantPoliciesForOwnedResourceis returned inPermissionGrantPoliciesAssigned, your group owner consent setting might have been governed by the app consent policy.Check if the policy is scoped to
group.Get-MgPolicyPermissionGrantPolicy -PermissionGrantPolicyId {"microsoft-all-application-permissions-for-group"} | ft AdditionalPropertiesIf
resourceScopeType==group, your group owner consent setting has been governed by the app consent policy.
To disable group owner consent to utilize app consent policies, ensure that the consent policies (
PermissionGrantPoliciesAssigned) include the currentManagePermissionGrantsForSelf.*policy and other currentManagePermissionGrantsForOwnedResource.*policies if any that aren't applicable to groups while updating the collection. This way, you can maintain your current configuration for user consent settings and other resource consent settings.# only exclude policies that are scoped in group $body = @{ "permissionGrantPolicyIdsAssignedToDefaultUserRole" = @( "managePermissionGrantsForSelf.{current-policy-for-user-consent}", "managePermissionGrantsForOwnedResource.{other-policies-that-are-not-applicable-to-groups}" ) } Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId authorizationPolicy -BodyParameter $body
Assign an app consent policy to group owners using Microsoft Graph PowerShell
To allow group owner consent subject to an app consent policy, choose which app consent policy should govern group owners' authorization to grant consent to apps. Ensure that the consent policies (PermissionGrantPoliciesAssigned) include the current ManagePermissionGrantsForSelf.* policy and other ManagePermissionGrantsForOwnedResource.* policies if any while updating the collection. This way, you can maintain your current configuration for user consent settings and other resource consent settings.
$body = @{
"permissionGrantPolicyIdsAssignedToDefaultUserRole" = @(
"managePermissionGrantsForSelf.{current-policy-for-user-consent}",
"managePermissionGrantsForOwnedResource.{other-policies-that-are-not-applicable-to-groups}",
"managePermissionGrantsForOwnedResource.{app-consent-policy-id-for-group}" #new app consent policy for groups
)
}
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId authorizationPolicy -BodyParameter $body
Replace {app-consent-policy-id-for-group} with the ID of the policy you want to apply. You can choose a custom app consent policy that you've created, or you can choose from the following built-in policies:
| ID | Description |
|---|---|
| microsoft-pre-approval-apps-for-group | Allow group owner consent to pre-approved apps only Allow group owners consent only for apps preapproved by admins for the groups they own. |
| microsoft-all-application-permissions-for-group | Allow group owner consent to apps This option allows all group owners to consent to any permission that doesn't require admin consent, for any application, for the groups they own. It includes apps that have been preapproved by permission grant preapproval policy for group resource-specific-consent. |
For example, to enable group owner consent subject to the built-in policy microsoft-all-application-permissions-for-group, run the following commands:
$body = @{
"permissionGrantPolicyIdsAssignedToDefaultUserRole" = @(
"managePermissionGrantsForSelf.{current-policy-for-user-consent}",
"managePermissionGrantsForOwnedResource.{all-policies-that-are-not-applicable-to-groups}",
"managePermissionGrantsForOwnedResource.{microsoft-all-application-permissions-for-group}" # policy that is be scoped to group
)
}
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId authorizationPolicy -BodyParameter $body
Use the Graph Explorer to choose which group owner consent policy governs user consent group owners' ability to consent to applications accessing your organization's data for the groups they own.
Disable group owner consent to use app consent policies using Microsoft Graph API
Check if the
ManagePermissionGrantPoliciesForOwnedResourceis scoped ingroup.- Retrieve the current value for the group owner consent setting
GET https://graph.microsoft.com/v1.0/policies/authorizationPolicyIf
ManagePermissionGrantsForOwnedResourceis returned inpermissionGrantPolicyIdsAssignedToDefaultUserRole, your group owner consent setting might have been governed by the app consent policy.2.Check if the policy is scoped to
group.GET https://graph.microsoft.com/beta/policies/permissionGrantPolicies/{microsoft-all-application-permissions-for-group}If
resourceScopeType==group, your group owner consent setting has been governed by the app consent policy.To disable group owner consent to utilize app consent policies, ensure that the consent policies (
PermissionGrantPoliciesAssigned) include the currentManagePermissionGrantsForSelf.*policy and other currentManagePermissionGrantsForOwnedResource.*policies if any that aren't applicable to groups. This way, you can maintain your current configuration for user consent settings and other resource consent settings.PATCH https://graph.microsoft.com/beta/policies/authorizationPolicy { "defaultUserRolePermissions": { "permissionGrantPoliciesAssigned": [ "managePermissionGrantsForSelf.{current-policy-for-user-consent}", "managePermissionGrantsForOwnedResource.{other-policies-that-are-not-applicable-to-groups}" ] } }
Assign an app consent policy to group owners using Microsoft Graph API
To allow group owner consent subject to an app consent policy, choose which app consent policy should govern group owners' authorization to grant consent to apps. Ensure that the consent policies (PermissionGrantPoliciesAssigned) include the current ManagePermissionGrantsForSelf.* policy and other current ManagePermissionGrantsForOwnedResource.* policies if any while updating the collection. This way, you can maintain your current configuration for user consent settings and other resource consent settings.
PATCH https://graph.microsoft.com/v1.0/policies/authorizationPolicy
{
"defaultUserRolePermissions": {
"managePermissionGrantsForSelf.{current-policy-for-user-consent}",
"managePermissionGrantsForOwnedResource.{other-policies-that-are-not-applicable-to-groups}",
"managePermissionGrantsForOwnedResource.{app-consent-policy-id-for-group}"
}
}
Replace {app-consent-policy-id-for-group} with the ID of the policy you want to apply for groups. You can choose a custom app consent policy for groups that you've created, or you can choose from the following built-in policies:
| ID | Description |
|---|---|
| microsoft-pre-approval-apps-for-group | Allow group owner consent to pre-approved apps only Allow group owners consent only for apps preapproved by admins for the groups they own. |
| microsoft-all-application-permissions-for-group | Allow group owner consent to apps This option allows all group owners to consent to any permission that doesn't require admin consent, for any application, for the groups they own. It includes apps that have been preapproved by permission grant preapproval policy for group resource-specific-consent. |
For example, to enable group owner consent subject to the built-in policy microsoft-pre-approval-apps-for-group, use the following PATCH command:
PATCH https://graph.microsoft.com/v1.0/policies/authorizationPolicy
{
"defaultUserRolePermissions": {
"permissionGrantPoliciesAssigned": [
"managePermissionGrantsForSelf.{current-policy-for-user-consent}",
"managePermissionGrantsForOwnedResource.{other-policies-that-are-not-applicable-to-groups}",
"managePermissionGrantsForOwnedResource.microsoft-pre-approval-apps-for-group"
]
}
}
Next steps
To get help or find answers to your questions:
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for