Edit

Microsoft Entra consent requests

  • Article

Namespace: microsoft.graph

Microsoft Entra consent requests help you manage the request workflow for users attempting to access apps that require admin approval.

Before an app can be used to access any data in your organization, the admin must consent for it to be used in the tenant. In addition, before a user can grant a consented application specific permissions to act on their behalf, the admin must also consent for users to be allowed to consent to those permissions for the app. Consent management is one way that Microsoft Entra ID helps organizations to enforce application and data security.

The Microsoft Entra consent workflow allows users to request the tenant admins to grant consent to apps that require admin approval. The consent requests APIs in Microsoft Graph allows admin to configure the consent workflow and track consent requests for both apps and users.

Note

The current APIs are limited to configuring the workflow and reading the list of requests. At this time, there aren’t any methods available to programmatically approve or deny a request. However, the contents of the request can be used to recreate a URL which can be used to grant admin consent and approve a request.

Note

This article describes how to export personal data from a device or service. These steps can be used to support your obligations under the General Data Protection Regulation (GDPR). Authorized tenant admins can use Microsoft Graph to correct, update, or delete identifiable information about end users, including customer and employee user profiles or personal data, such as a user's name, work title, address, or phone number, in your Microsoft Entra ID environment.

The admin consent policy specifies whether users can request for admin consent for apps that require admin authorization for the tenant. Use the adminConsentRequestPolicy resource type and its associated methods to configure the admin consent workflow as follows:

  • Enable or disable the consent workflow.
  • Configure reviewers of admin consent requests.
  • Configure how long a pending request is valid before it expires and the principals who are notified of pending requests.

When a user requests for consent to use an app in the organization or to grant permissions to an app, they create a consent request for the app. App consent requests are retrieved through the appConsentRequest resource type and its associated methods.

You can:

  • Retrieve all app consent requests and the associated collection of user consent requests for the app. An app consent request may have one or more user consent requests representing multiple requests from the same or multiple users.
  • Retrieve the permissions that the user has requested for the app on their behalf.
  • Use $filter to match against pending requests.
  • Retrieve the app consent requests for which the signed-in user is the creator of the request.

When a user requests for consent to use an app in the organization or to grant permissions to an app, they create a consent request for the tenant admin to allow them to use the app. User consent requests are retrieved through the userConsentRequest resource type and its associated methods.

You can:

  • Retrieve the details about the user consent requests.
  • Retrieve the stages of approval that the consent request went through. The approval process is currently a single-stage process.
  • Retrieve the status of the approvals, whether pending or completed, and whether the reviewers decisions were to deny or approve the consent request.

Role and delegated permission authorization checks

The following directory roles are required for a calling application.

Operation Delegated permissions Required directory role of the calling user
Read ConsentRequest.Read.All, ConsentRequest.ReadWrite.All Global Reader, Cloud App Administrator, Application Administrator, or Global Administrator

Related content