App consent permissions for custom roles in Microsoft Entra ID

This article contains the currently available app consent permissions for custom role definitions in Microsoft Entra ID. In this article, you'll find the permissions required for some common scenarios related to app consent and permissions.

License requirements

Using this feature requires Microsoft Entra ID P1 licenses. To find the right license for your requirements, see Compare generally available features of Microsoft Entra ID.

App consent permissions

Use the permissions listed in this article to manage app consent policies, as well as the permission to grant consent to apps.

Note

The Microsoft Entra admin center does not yet support adding the permissions listed in this article to a custom directory role definition. You must use Microsoft Graph PowerShell to create a custom directory role with the permissions listed in this article.

Granting delegated permissions to apps on behalf of self (user consent)

To allow users to grant consent to applications on behalf of themselves (user consent), subject to an app consent policy.

• microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.{id}

Where {id} is replaced by the ID of an app consent policy which will set the conditions which must be met for this permission to be active.

For example, to allow users to grant consent on their own behalf, subject to the built-in app consent policy with ID microsoft-user-default-low, you would use the permission ...managePermissionGrantsForSelf.microsoft-user-default-low.

Granting permissions to apps on behalf of all (admin consent)

To delegate tenant-wide admin consent to apps, for both delegated permissions and application permissions (app roles):

• microsoft.directory/servicePrincipals/managePermissionGrantsForAll.{id}

Where {id} is replaced by the ID of an app consent policy which will set the conditions which must be met for this permission to be usable.

For example, to allow role assignees to grant tenant-wide admin consent to apps subject to a custom app consent policy with ID low-risk-any-app, you would use the permission microsoft.directory/servicePrincipals/managePermissionGrantsForAll.low-risk-any-app.

Managing app consent policies

To delegate the creation, update and deletion of app consent policies.

• microsoft.directory/permissionGrantPolicies/create
• microsoft.directory/permissionGrantPolicies/standard/read
• microsoft.directory/permissionGrantPolicies/basic/update
• microsoft.directory/permissionGrantPolicies/delete

Full list of permissions

Permission	Description
microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.{id}	Grants the ability to consent to apps on behalf of self (user consent), subject to app consent policy {id}.
microsoft.directory/servicePrincipals/managePermissionGrantsForAll.{id}	Grants the permission to consent to apps on behalf of all (tenant-wide admin consent), subject to app consent policy {id}.
microsoft.directory/permissionGrantPolicies/standard/read	Read standard properties of permission grant policies
microsoft.directory/permissionGrantPolicies/basic/update	Update basic properties of permission grant policies
microsoft.directory/permissionGrantPolicies/create	Create permission grant policies
microsoft.directory/permissionGrantPolicies/delete	Delete permission grant policies

Next steps

• Create and assign a custom role in Microsoft Entra ID
• View the assignments for a custom role