Restrict App Consent and Permissions: Hardening Microsoft Entra Enterprise Apps

If attackers can’t phish a password, they’ll just ask for permission instead.

That is exactly how consent phishing works: a user is tricked into approving an app that looks genuine, granting it silent access to mailboxes, OneDrive, or Teams data.

Microsoft Entra ID now gives administrators more control to stop this.
By restricting who can grant app consent, setting up admin approval workflows, and classifying permissions by sensitivity, you can close one of the most common attack paths in Microsoft 365.


Restrict App Consent and Permissions – Review user consent settings

Microsoft Entra admin centre > Entra ID > Enterprise apps > Consent and permissions > User consent settings

This page defines what level of freedom users have to grant app permissions.
Under User consent for applications, choose one of three options:

  1. Allow user consent for apps – the least secure option, suitable only for dev tenants.
  2. Allow user consent for verified publishers only – a safe baseline for production.
  3. Do not allow user consent – fully centralised control.
Screenshot: Enterprise apps > Consent and permissions > User consent settings

If you already manage app onboarding centrally, select Do not allow user consent.
For mixed environments, select Allow user consent for verified publishers only so users can still approve trusted apps without opening the door to unverified publishers.

Configure the admin consent workflow

Microsoft Entra admin centre > Entra ID > Enterprise apps > Consent and permissions > Admin consent settings

Turn on the setting Users can request admin consent to apps they are unable to consent to.
This creates a managed workflow: users can request access to an app, and administrators can approve or deny through the portal or email notification.

You can specify one or more reviewers and an expiry for requests. This keeps visibility centralised while maintaining productivity for legitimate app usage.

Screenshot: Consent and permissions > Admin consent settings

Classify permissions by risk level

Microsoft Entra admin centre > Entra ID > Enterprise apps > Consent and permissions > Permission classifications

Here you can group OAuth permissions into Low, Medium (Preview), and High (Preview) categories to reflect the level of access they grant.

Select + Add permissions and start with low-risk scopes such as:

  • User.Read – sign in and read user profile
  • offline_access – maintain access to data the user has given the app access to
  • openid – sign users in
  • profile – view basic profile data
  • email – view user email address

These default scopes are safe to tag as Low risk. You can later add Medium or High categories for delegated permissions that allow modification of files, sending mail, or accessing all users’ data.

Screenshot: Consent and permissions > Permission classifications

Restrict consent to selected groups

Microsoft Entra admin centre > Entra ID > Enterprise apps > Consent and permissions > User consent settings

Scroll down to Restrict user consent to selected groups and select a dedicated security group, for example App Consent Approvers.
Only members of this group can grant consent to new applications on behalf of the organisation.

This gives flexibility to trusted administrators or power users without reopening full tenant-wide consent.

If you use an approval workflow, combine both controls so that only members of the consent approvers group receive the requests.

Monitor consent activity in audit logs

Microsoft Entra admin centre > Entra ID > Monitoring & health > Audit logs

In the filter bar, select Activity = Consent to application to view all consent events.
You can export results to CSV or connect your logs to Log Analytics for continuous monitoring.

Typical events to investigate include:

  • Unexpected new app consents granted by standard users
  • Admin consents for apps that are unverified or outside expected use
  • High-privilege permission grants, such as full mailbox or directory access
Screenshot: Audit logs filtered on Activity = Consent to application

Protect enterprise applications with Conditional Access

Microsoft Entra admin centre > Entra ID > Protection > Conditional Access > + New policy

Name the policy Enforce MFA for Enterprise Apps and target selected cloud apps that users access through OAuth.
Under Grant, require multifactor authentication or a compliant device.

This ensures even legitimate, approved apps require strong authentication before a token can be issued. It reduces the risk of token replay or access from unmanaged devices.

Regular reviews and clean-up

Plan a quarterly review using the Enterprise apps page. Remove unused or unverified apps and confirm that all permissions align with your classification levels. Document approved apps and publishers to maintain a clear audit trail.

Combine these reviews with a Privileged Identity Management access review for your App Consent Approvers group to confirm only active admins remain.

For example, a multi-academy trust introduced an approval workflow after discovering that several third-party classroom tools had unverified publishers. The IT team set user consent to verified publishers only, restricted consent to a dedicated group, and applied MFA through Conditional Access.

The result was a smaller, trusted set of integrated apps and complete visibility of who had granted each permission. User productivity stayed the same, while the security team gained confidence that OAuth abuse was no longer a blind spot.

Unrestricted app consent is one of the simplest routes for attackers into Microsoft 365 tenants.
By reviewing existing permissions, enforcing an approval process, and classifying scopes by sensitivity, you create a governance model that protects your organisation without slowing down legitimate collaboration.



Why should I restrict user consent?

Allowing open consent means any user could authorise a malicious or insecure app. Restricting consent ensures that only verified publishers or administrators can approve access, reducing the chance of data exposure through OAuth phishing.

What is the admin consent workflow?

The admin consent workflow lets users request access to apps that they cannot approve themselves. Administrators receive notifications and can review and approve requests directly in the portal or by email, ensuring all new apps are reviewed before use.

What are permission classifications?

Permission classifications group OAuth permissions into Low, Medium, or High risk categories. This helps administrators make consistent decisions about which permissions are acceptable for delegated consent and which require extra review.

Could I automate consent monitoring?

Yes. Use PowerShell with the Microsoft Graph module and filter the directory audit log on the activityDisplayName property: Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Consent to application'"
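As an added example (not from the original post), the script below ties the monitoring and FAQ points together: it applies the Low/Medium/High classification described earlier to "Consent to application" audit entries and lists the grants worth investigating. It assumes the property names of the Microsoft Graph directoryAudit objects returned by Get-MgAuditLogDirectoryAudit, an assumed text format for the ConsentAction.Permissions value, and constructed sample entries in place of a live tenant.

```powershell
# Added example, not from the original post. Applies the post's Low/Medium/High classification to
# "Consent to application" audit entries and reports grants above Low. Property names follow the
# Microsoft Graph directoryAudit schema returned by Get-MgAuditLogDirectoryAudit; the
# ConsentAction.Permissions value format and the sample entries below are assumed/constructed.
$LowRiskScopes  = @('User.Read', 'offline_access', 'openid', 'profile', 'email')   # tagged Low in the post
$HighRiskScopes = @('Mail.ReadWrite', 'Mail.Send', 'Files.ReadWrite.All', 'Directory.Read.All', 'User.Read.All')

function Get-ConsentRiskLevel {
    param([string[]]$Scopes)
    # Any High scope wins; any scope outside the Low list is at least Medium.
    if (@($Scopes | Where-Object { $_ -in $HighRiskScopes }).Count -gt 0)   { return 'High' }
    if (@($Scopes | Where-Object { $_ -notin $LowRiskScopes }).Count -gt 0) { return 'Medium' }
    return 'Low'
}

function Get-ConsentGrantReport {
    param([object[]]$AuditEntries)
    foreach ($entry in $AuditEntries) {
        if ($entry.ActivityDisplayName -ne 'Consent to application') { continue }
        $app  = $entry.TargetResources | Where-Object { $_.Type -eq 'ServicePrincipal' } | Select-Object -First 1
        $perm = $app.ModifiedProperties | Where-Object { $_.DisplayName -eq 'ConsentAction.Permissions' } | Select-Object -First 1
        # Assumed shape of NewValue: "... Scope: openid profile Mail.ReadWrite, ..."; extract the scope list.
        $scopes = @()
        if ($perm -and $perm.NewValue -match 'Scope:\s*([^,\]]+)') { $scopes = @($Matches[1].Trim() -split '\s+') }
        [pscustomobject]@{
            Time      = $entry.ActivityDateTime
            App       = $app.DisplayName
            GrantedBy = $entry.InitiatedBy.User.UserPrincipalName
            Scopes    = $scopes -join ' '
            Risk      = Get-ConsentRiskLevel -Scopes $scopes
        }
    }
}

function New-SampleConsentEntry([string]$Upn, [string]$App, [string]$Scopes) {
    # Constructed entry mimicking one Get-MgAuditLogDirectoryAudit result (value format assumed).
    [pscustomobject]@{
        ActivityDisplayName = 'Consent to application'; ActivityDateTime = [datetime]'2025-01-15T09:12:00Z'
        InitiatedBy     = @{ User = @{ UserPrincipalName = $Upn } }
        TargetResources = @(@{ Type = 'ServicePrincipal'; DisplayName = $App; ModifiedProperties = @(
            @{ DisplayName = 'ConsentAction.Permissions'; NewValue = "[] => [[ConsentType: Principal, Scope: $Scopes, ...]]" }) })
    }
}
# Live use would replace $sample with:
#   Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'Consent to application'"
$sample = @(
    (New-SampleConsentEntry 'alice@example.invalid' 'Timetable Helper' 'openid profile User.Read'),
    (New-SampleConsentEntry 'bob@example.invalid'   'Mail Sync Pro'    'Mail.ReadWrite offline_access')
)
# Only grants above Low are shown; with this sample that is the Mail Sync Pro grant, rated High.
Get-ConsentGrantReport -AuditEntries $sample | Where-Object Risk -ne 'Low' | Format-Table -AutoSize
```

Pipe the unfiltered report to Export-Csv, or run it against a Log Analytics export, to keep a record of every grant alongside its classification.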
