App consent policies are a way to manage the permissions that apps have to access data in your organization. They're used to control what apps users can consent to and to ensure that apps meet certain criteria before they can access data. These policies help organizations maintain control over their data and ensure that it's being accessed only by trusted apps.
In this article, you learn how to manage built-in and custom app consent policies to control when group owner consent can be granted.
A group owner consent policy consists of zero or more "include" condition sets and zero or more "exclude" condition sets. For an event to be considered in a group owner consent policy, it must match at least one "include" condition set and must not match any "exclude" condition set.
Each condition set consists of several conditions. For an event to match a condition set, all conditions in the condition set must be met.
Group owner consent policies where the ID begins with "microsoft-" are built-in policies. For example, the microsoft-pre-approval-apps-for-group group owner consent policy describes the conditions under which group owners are allowed to grant consent to applications on the admin's preapproved list to access data for the groups they own. Built-in policies can be used in custom directory roles and to configure user consent settings, but can't be edited or deleted.
Prerequisites
A user or service with one of the following roles:
The Microsoft Graph app role (application permission) Policy.ReadWrite.PermissionGrant (when connecting as an app or a service)
To allow group owner consent subject to app consent policies, the group owner consent setting must be disabled. Once disabled, your current policy is read from the app consent policy. To learn how to disable group owner consent, see Disable group owner consent setting.
To manage group owner consent policies for applications with Microsoft Graph PowerShell, connect to Microsoft Graph PowerShell and sign in with one of the roles listed in the prerequisites section. You also need to consent to the Policy.ReadWrite.PermissionGrant permission.
PowerShell
# Change the profile to beta by using the `Select-MgProfile` command
Select-MgProfile -Name "beta"
Retrieve the current value for the group owner consent policy using PowerShell
Learn how to verify if your group owner consent setting has been authorized in other ways.
Retrieve the current value for the group owner consent setting
PowerShell
Get-MgPolicyAuthorizationPolicy | select -ExpandProperty DefaultUserRolePermissions | ft PermissionGrantPoliciesAssigned
If ManagePermissionGrantPoliciesForOwnedResource is returned in PermissionGrantPoliciesAssigned, your group owner consent setting might have been authorized in other ways.
If ResourceScopeType == group, your group owner consent setting has been authorized in other ways. In addition, if the app consent policy for groups has been assigned microsoft-pre-approval-apps-for-group, it means the preapproval feature is enabled for your tenant.
List existing group owner consent policies using PowerShell
It's a good idea to start by getting familiar with the existing group owner consent policies in your organization:
List all group owner consent policies:
PowerShell
Get-MgPolicyPermissionGrantPolicy | ft Id, DisplayName, Description
Create a custom group owner consent policy using PowerShell
Follow these steps to create a custom group owner consent policy:
Create a new empty group owner consent policy.
PowerShell
New-MgPolicyPermissionGrantPolicy `
    -Id "my-custom-app-consent-policy-for-group" `
    -DisplayName "My first custom app consent policy for group" `
    -Description "This is a sample custom app consent policy for group." `
    -AdditionalProperties @{includeAllPreApprovedApplications = $false; resourceScopeType = "group"}
Add "include" condition sets.
PowerShell
# Include delegated permissions classified "low", for apps from verified publishers
New-MgPolicyPermissionGrantPolicyInclude `
    -PermissionGrantPolicyId "my-custom-app-consent-policy-for-group" `
    -PermissionType "delegated" `
    -PermissionClassification "low" `
    -ClientApplicationsFromVerifiedPublisherOnly
Repeat this step to add more "include" condition sets.
Optionally, add "exclude" condition sets.
PowerShell
# Retrieve the service principal for the Azure Management API
$azureApi = Get-MgServicePrincipal -Filter "servicePrincipalNames/any(n:n eq 'https://management.azure.com/')"
# Exclude delegated permissions for the Azure Management API
New-MgPolicyPermissionGrantPolicyExclude `
    -PermissionGrantPolicyId "my-custom-app-consent-policy-for-group" `
    -PermissionType "delegated" `
    -ResourceApplication $azureApi.AppId
Repeat this step to add more "exclude" condition sets.
Once the app consent policy for group has been created, you can allow group owner consent subject to this policy.
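How "include" and "exclude" condition sets like the ones created above combine when a consent request is evaluated, shown as an added example that is not part of the original article and not Microsoft's evaluation code. It is a simplified local model covering four of the supported conditions; the function names, the request fields (ResourceAppId, ClientHasVerifiedPublisher) and the AppId values are assumptions made for illustration.

```powershell
# Simplified local model (not Microsoft's evaluator); keys missing from a set take the documented defaults.
function Test-ConditionSet {
    param([hashtable]$ConditionSet, [hashtable]$Request)
    # PermissionType is required and has no wildcard value in custom policies.
    if ($ConditionSet['PermissionType'] -ne $Request['PermissionType']) { return $false }
    # "all" (the default) also matches permissions that have no classification.
    $classification = $ConditionSet['PermissionClassification']
    if ($classification -and $classification -ne 'all' -and
        $classification -ne $Request['PermissionClassification']) { return $false }
    # "any" (the default) matches every resource application.
    $resource = $ConditionSet['ResourceApplication']
    if ($resource -and $resource -ne 'any' -and $resource -ne $Request['ResourceAppId']) { return $false }
    # The switch defaults to $false, which matches clients with or without a verified publisher.
    if ($ConditionSet['ClientApplicationsFromVerifiedPublisherOnly'] -and
        -not $Request['ClientHasVerifiedPublisher']) { return $false }
    return $true   # every condition in the set was met
}

function Test-GroupOwnerConsentPolicy {
    param([hashtable]$Policy, [hashtable]$Request)
    # Any matching "exclude" set rejects the request; otherwise one "include" set must match.
    foreach ($set in $Policy['Excludes']) { if (Test-ConditionSet $set $Request) { return $false } }
    foreach ($set in $Policy['Includes']) { if (Test-ConditionSet $set $Request) { return $true } }
    return $false
}
# Constructed placeholder AppIds (hypothetical values, not real applications).
$azureApiAppId = '00000000-0000-0000-0000-0000000000aa'
$otherApiAppId = '00000000-0000-0000-0000-0000000000bb'
# Same shape as the "include" and "exclude" condition sets created in the steps above.
$policy = @{
    Includes = @(@{ PermissionType = 'delegated'; PermissionClassification = 'low'
                    ClientApplicationsFromVerifiedPublisherOnly = $true })
    Excludes = @(@{ PermissionType = 'delegated'; ResourceApplication = $azureApiAppId })
}
# Constructed consent requests: a baseline plus one changed field per case.
$base = @{ PermissionType = 'delegated'; PermissionClassification = 'low'
           ResourceAppId = $otherApiAppId; ClientHasVerifiedPublisher = $true }
$cases = [ordered]@{
    'verified client, low delegated permission' = @{}
    'client without a verified publisher'       = @{ ClientHasVerifiedPublisher = $false }
    'permission on the excluded API'            = @{ ResourceAppId = $azureApiAppId }
    'application permission (app role)'         = @{ PermissionType = 'application' }
    'unclassified delegated permission'         = @{ PermissionClassification = $null }
}
foreach ($name in $cases.Keys) {
    $request = $base.Clone()
    foreach ($k in $cases[$name].Keys) { $request[$k] = $cases[$name][$k] }
    '{0,-42} allowed: {1}' -f $name, (Test-GroupOwnerConsentPolicy $policy $request)
}
```

Only the baseline request is allowed; each of the other four fails a single condition, which shows why a narrowly scoped "include" set plus an explicit "exclude" for sensitive APIs limits what group owners can approve.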
Delete a custom group owner consent policy using PowerShell
The following shows how you can delete a custom group owner consent policy.
To manage group owner consent policies, sign in to Graph Explorer with one of the roles listed in the prerequisite section. You also need to consent to the Policy.ReadWrite.PermissionGrant permission.
Retrieve the current value for the group owner consent policy using Microsoft Graph
Learn how to verify if your group owner consent setting has been authorized in other ways.
Retrieve the current policy value
HTTP
GET /policies/authorizationPolicy
If ManagePermissionGrantPoliciesForOwnedResource appears, your group owner consent setting might have been authorized in other ways.
Check if the policy is scoped to group
HTTP
GET /policies/permissionGrantPolicies/{ microsoft-all-application-permissions-for-group }
If resourceScopeType == group, your group owner consent setting has been authorized in other ways. In addition, if the app consent policy for groups has been assigned microsoft-pre-approval-apps-for-group, it means the preapproval feature is enabled for your tenant.
List existing group owner consent policies using Microsoft Graph
It's a good idea to start by getting familiar with the existing group owner consent policies in your organization:
List all app consent policies:
HTTP
GET /policies/permissionGrantPolicies
View the "include" condition sets of a policy:
HTTP
GET /policies/permissionGrantPolicies/{ microsoft-all-application-permissions-for-group }/includes
View the "exclude" condition sets:
HTTP
GET /policies/permissionGrantPolicies/{ microsoft-all-application-permissions-for-group }/excludes
Create a custom group owner consent policy using Microsoft Graph
Follow these steps to create a custom group owner consent policy:
Create a new empty group owner consent policy.
HTTP
POST https://graph.microsoft.com/v1.0/policies/permissionGrantPolicies

{
  "id": "my-custom-app-consent-policy-for-group",
  "displayName": "My first custom app consent policy for group",
  "description": "This is a sample custom app consent policy for group",
  "includeAllPreApprovedApplications": false,
  "resourceScopeType": "group"
}
Add "include" condition sets.
Include delegated permissions classified "low" for apps from verified publishers
Supported conditions
The following table provides the list of supported conditions for group owner consent policies.
| Condition | Description |
| --- | --- |
| PermissionClassification | The permission classification for the permission being granted, or "all" to match with any permission classification (including permissions that aren't classified). Default is "all". |
| PermissionType | The permission type of the permission being granted. Use "application" for application permissions (for example, app roles) or "delegated" for delegated permissions. Note: The value "delegatedUserConsentable" indicates delegated permissions that haven't been configured by the API publisher to require admin consent. This value can be used in built-in permission grant policies, but can't be used in custom permission grant policies. Required. |
| ResourceApplication | The AppId of the resource application (for example, the API) for which a permission is being granted, or "any" to match with any resource application or API. Default is "any". |
| Permissions | The list of permission IDs for the specific permissions to match with, or a list with the single value "all" to match with any permission. Default is the single value "all". Delegated permission IDs can be found in the OAuth2Permissions property of the API's ServicePrincipal object. Application permission IDs can be found in the AppRoles property of the API's ServicePrincipal object. |
| ClientApplicationIds | A list of AppId values for the client applications to match with, or a list with the single value "all" to match any client application. Default is the single value "all". |
| ClientApplicationTenantIds | A list of Microsoft Entra tenant IDs in which the client application is registered, or a list with the single value "all" to match with client apps registered in any tenant. Default is the single value "all". |
| ClientApplicationPublisherIds | A list of Microsoft Partner Network (MPN) IDs for verified publishers of the client application, or a list with the single value "all" to match with client apps from any publisher. Default is the single value "all". |
| ClientApplicationsFromVerifiedPublisherOnly | Set this switch to only match on client applications with a verified publisher. Disable this switch (-ClientApplicationsFromVerifiedPublisherOnly:$false) to match on any client app, even if it doesn't have a verified publisher. Default is $false. |
Warning
Deleted group owner consent policies can't be restored. If you accidentally delete a custom group owner consent policy, you will need to re-create the policy.