Forum Discussion

ivebeenchosen
Copper Contributor
Oct 03, 2023

Azure apps: User consent settings

Hello Apps on Azure community,

In the settings of Microsoft Entra ID -> Consent and Permissions, our tenant's setting is set to:

Allow user consent for apps
All users can consent for any app to access the organization's data.

We would like to change that to Microsoft's recommended setting of:

Allow user consent for apps from verified publishers, for selected permissions (Recommended)
All users can consent for permissions classified as "low impact", for apps from verified publishers or apps registered in this organization.

as per: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?tabs=azure-portal&pivots=portal

The challenge:

We are unsure of the implications of this change on our already registered apps. We have some Enterprise applications/App registrations that are not, as Microsoft calls it, from "Verified publishers", that are, for example, set up to be used as SSO SAML authentications with our internal time registration system. It's not an app that a user needs to consent to be able to use, but an app that has delegated user access through AAD groups.

I may be overthinking this, but I want to be sure that when we change the user consent setting to the recommended setting, it does not affect any of our internal published apps.

What about new users, will they still be able to access these apps, or take part of the SSO-functions, without any issues?

Does anyone have any experience with this type of situation?

1 Reply

Hi ivebeenchosen,

Changing the 'Consent and Permissions' setting to the Microsoft recommended option will not have any impact on the already configured SAML configuration in your tenant, because all the published apps and apps registered in your organization will be allowed (SAML included).

In other words, all internal apps registered in your Entra ID tenant will be allowed.

And to answer your last questions:

1. Yes, but make sure to add your new users or security groups to your registered SAML Enterprise Application within 'users and groups'.

2. I work for an MSP and one of our clients has a Fortigate SSL VPN setup with SAML and the recommended Microsoft Consent settings configured, without having any issues.

Please let me know if you have any other questions!
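A way to verify both points from the reply before and after the change, that is, which consent policy the tenant currently applies to users and whether the SAML app gates access through group assignment rather than consent. This is an added example, not code from the thread or from Microsoft's guidance; it assumes the Microsoft Graph PowerShell SDK is installed, and the app display name is a placeholder:

```powershell
# Added example, not from the thread or Microsoft's guidance: audit the
# tenant's user consent setting and a SAML enterprise app's assignment model.
# Assumes the Microsoft Graph PowerShell SDK; $appName is a placeholder.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Applications

Connect-MgGraph -Scopes 'Policy.Read.All', 'Application.Read.All'

# 1. Which built-in permission grant policy applies to the default user role?
#    microsoft-user-default-legacy = "Allow user consent for apps"
#    microsoft-user-default-low    = "verified publishers, selected permissions"
#    none assigned                 = "Do not allow user consent"
$authz     = Get-MgPolicyAuthorizationPolicy
$assigned  = @($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
$selfGrant = $assigned | Where-Object { $_ -like 'ManagePermissionGrantsForSelf.*' }

if ($selfGrant -match 'microsoft-user-default-low') {
    $setting = 'Allow user consent for apps from verified publishers, for selected permissions (Recommended)'
} elseif ($selfGrant -match 'microsoft-user-default-legacy') {
    $setting = 'Allow user consent for apps (all apps, all permissions)'
} elseif (-not $selfGrant) {
    $setting = 'Do not allow user consent'
} else {
    $setting = "Custom policy: $($selfGrant -join ', ')"
}
Write-Host "Current user consent setting: $setting"

# 2. Inspect the SAML enterprise application (its service principal).
$appName = 'Internal Time Registration (SAML)'   # placeholder, replace with yours
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
if (-not $sp) { throw "Enterprise application '$appName' not found" }

# AppRoleAssignmentRequired = $true means only assigned users/groups can sign in;
# this assignment, not user consent, is what gates access to the SAML app.
Write-Host "AppRoleAssignmentRequired: $($sp.AppRoleAssignmentRequired)"

# 3. List who is assigned (the users/groups a new hire must be added to).
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Select-Object PrincipalDisplayName, PrincipalType, CreatedDateTime |
    Format-Table -AutoSize
```

Run it once before switching the setting and once after: the service principal's assignment flag and assigned groups should be unchanged, while only the consent policy line differs.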

     

     
