Muokkaa

Jaa


App consent permissions for custom roles in Microsoft Entra ID

This article contains the currently available app consent permissions for custom role definitions in Microsoft Entra ID. In this article, you'll find the permissions required for some common scenarios related to app consent and permissions.

License requirements

Using this feature requires Microsoft Entra ID P1 licenses. To find the right license for your requirements, see Compare generally available features of Microsoft Entra ID.

Use the permissions listed in this article to manage app consent policies, as well as the permission to grant consent to apps.

Note

The Microsoft Entra admin center does not yet support adding the permissions listed in this article to a custom directory role definition. You must use Microsoft Graph PowerShell to create a custom directory role with the permissions listed in this article.

To allow users to grant consent to applications on behalf of themselves (user consent), subject to an app consent policy.

  • microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.{id}

Where {id} is replaced by the ID of an app consent policy which will set the conditions which must be met for this permission to be active.

For example, to allow users to grant consent on their own behalf, subject to the built-in app consent policy with ID microsoft-user-default-low, you would use the permission ...managePermissionGrantsForSelf.microsoft-user-default-low.

To delegate tenant-wide admin consent to apps, for both delegated permissions and application permissions (app roles):

  • microsoft.directory/servicePrincipals/managePermissionGrantsForAll.{id}

Where {id} is replaced by the ID of an app consent policy which will set the conditions which must be met for this permission to be usable.

For example, to allow role assignees to grant tenant-wide admin consent to apps subject to a custom app consent policy with ID low-risk-any-app, you would use the permission microsoft.directory/servicePrincipals/managePermissionGrantsForAll.low-risk-any-app.

To delegate the creation, update and deletion of app consent policies.

  • microsoft.directory/permissionGrantPolicies/create
  • microsoft.directory/permissionGrantPolicies/standard/read
  • microsoft.directory/permissionGrantPolicies/basic/update
  • microsoft.directory/permissionGrantPolicies/delete

Full list of permissions

Permission Description
microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.{id} Grants the ability to consent to apps on behalf of self (user consent), subject to app consent policy {id}.
microsoft.directory/servicePrincipals/managePermissionGrantsForAll.{id} Grants the permission to consent to apps on behalf of all (tenant-wide admin consent), subject to app consent policy {id}.
microsoft.directory/permissionGrantPolicies/standard/read Read standard properties of permission grant policies
microsoft.directory/permissionGrantPolicies/basic/update Update basic properties of permission grant policies
microsoft.directory/permissionGrantPolicies/create Create permission grant policies
microsoft.directory/permissionGrantPolicies/delete Delete permission grant policies

Next steps