SC-300 Study Guide

Domain 1: Implement and Manage User Identities

  • Your Entra Tenant: Branding, Settings & Domains
  • Entra Roles & Administrative Units
  • Managing Users & Groups
  • Device Registration & Licensing
  • External Identities: Guest Access & B2B
  • Cross-Tenant Access & Synchronisation
  • Hybrid Identity: Connect Sync vs Cloud Sync
  • Hybrid Authentication: PHS, PTA & Seamless SSO

Domain 2: Implement Authentication and Access Management

  • Authentication Methods: Plan & Implement
  • Passwordless & Windows Hello for Business
  • MFA, SSPR & Password Protection
  • Conditional Access: Plan & Build Policies
  • Conditional Access: Advanced Controls & Troubleshooting
  • Entra ID Protection: Risk-Based Security
  • Global Secure Access: Zero Trust Networking

Domain 3: Plan and Implement Workload Identities

  • Workload Identities: Managed Identities & Service Principals
  • Enterprise Apps: SSO, App Proxy & Integration
  • Enterprise Apps: Users, Consent & Collections
  • App Registrations: Build & Secure
  • Defender for Cloud Apps: Discover & Control
  • Defender for Cloud Apps: Policies & OAuth Governance

Domain 4: Plan and Automate Identity Governance

  • Entitlement Management: Catalogs & Access Packages Free
  • Access Requests, Terms of Use & External Lifecycle Free
  • Access Reviews: Plan, Create & Monitor Free
  • PIM: Protect Your Privileged Roles Free
  • PIM: Azure Resources, Groups & Audit Free
  • Identity Monitoring: Logs, KQL & Secure Score Free

Domain 3: Plan and Implement Workload Identities (~13 min read)

Enterprise Apps: Users, Consent & Collections

Assign users and groups, manage consent frameworks, configure app roles, and organise enterprise applications into collections in Microsoft Entra ID.

Understanding consent in Entra ID

☕ Simple explanation

Consent is like a permission slip for apps.

When an app says “I’d like to read your calendar” — someone has to say yes. In a school, kids can sign basic permission slips themselves (user consent), but a trip to another country? That needs a parent signature (admin consent).

In Entra ID, low-risk permissions (like reading your own profile) might be approved by users themselves. But high-risk permissions (like reading everyone’s email) need an admin to approve. The admin consent workflow is the process where a user says “I need this app” and an admin reviews the request.

Consent in Microsoft Entra ID is the process by which a user or admin grants an application permission to access protected resources (Microsoft Graph APIs, custom APIs). When an app requests permissions, someone must consent — authorising the app to act with those permissions.

There are three consent models: user consent (individual users approve low-risk permissions), admin consent (a Global or Cloud Application Administrator approves on behalf of the entire organisation), and the admin consent workflow (users request access, admins approve/deny through a managed process).

The consent framework is critical for security — uncontrolled user consent is a common vector for illicit consent grant attacks, where malicious apps trick users into granting broad permissions.

The consent framework

User consent vs admin consent

| Aspect | User Consent | Admin Consent |
|---|---|---|
| Who approves | The individual user | A Global Admin or Cloud Application Admin |
| Scope | Only for that user’s data | For the entire organisation |
| Permission types | Low-risk, delegated permissions only | Any permission, including application-level |
| Risk level | Lower (limited scope) | Higher (organisation-wide impact) |
| Control | Can be restricted or disabled by admins | Always available to admins |

Consent settings — the three options

In Entra admin center → Enterprise applications → Consent and permissions → User consent settings, you choose one of three options:

| Setting | What Happens |
|---|---|
| Do not allow user consent | Users can never consent; every app requires admin consent. Most secure, but creates a bottleneck. |
| Allow user consent for apps from verified publishers, for selected permissions | Users can consent only if the app publisher is Microsoft-verified AND every requested permission is in your allowed (low-risk) set. Recommended balance. |
| Allow user consent for all apps | Users can consent to any app for any delegated permission. Least secure; not recommended. |

💡 Exam tip: Verified publishers

Verified publishers are app developers who have verified their identity with Microsoft using their Microsoft Partner Network (MPN) account. A blue “verified” badge appears on the consent prompt. The recommended consent setting limits user consent to verified publishers only — this dramatically reduces the risk of illicit consent grant attacks while still allowing employees to use trusted apps.

Admin consent workflow

The admin consent workflow bridges the gap between “no user consent” (too restrictive) and “all user consent” (too risky):

User tries to access an app
    ↓ Consent required but user can't consent
User submits a consent request (with justification)
    ↓ Notification sent to designated reviewers
Admin reviews the request
    ↓ Approves or denies
If approved → admin consent is granted for the org
    ↓ User (and everyone assigned) can now access the app

Configuring the workflow:

  1. Entra admin center → Enterprise applications → Admin consent settings
  2. Enable Users can request admin consent to apps they are unable to consent to
  3. Select reviewers (specific users or roles — e.g., Cloud Application Administrators)
  4. Set notification options (email notifications to reviewers)
  5. Set request expiry (how long before unanswered requests expire)
ℹ️ Scenario: Priya manages the consent workflow at Meridian Health

🔐 Priya Sharma at Meridian Health needs to balance security with productivity:

  • Problem: Developers keep requesting apps that need Graph API access. With user consent fully disabled, every request goes to the Global Admin — who has a 3-day backlog.

Priya’s solution:

  1. Sets user consent to “Allow for verified publishers, for selected permissions” — covers low-risk apps automatically
  2. Enables the admin consent workflow with Cloud Application Administrators as reviewers
  3. Sets request expiry to 30 days
  4. Adds email notifications so reviewers are alerted immediately

Result: Employees can self-serve for verified, low-risk apps. Unknown or risky apps trigger the workflow. Priya’s team reviews requests within 24 hours instead of 3 days. Illicit consent grant risk is dramatically reduced.
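The following added example (not code from this course or from Microsoft) models the decision the three consent settings make for an end user, including the admin consent workflow fallback Priya enabled. The setting names, the scope names and the low-risk permission set are constructed for illustration; in a tenant the low-risk set is whatever the admin classified under Permission classifications.

```python
"""Model of the Entra ID user-consent decision described in this module.
Illustrative only: setting names, scopes and the low-risk set are constructed."""

USER_CONSENT_SETTINGS = (
    "do_not_allow",                               # every app needs admin consent
    "verified_publishers_selected_permissions",   # recommended balance
    "allow_all",                                  # any app, any delegated permission
)

# Constructed low-risk classification, the kind of set an admin selects.
LOW_RISK_DELEGATED = {"openid", "profile", "email", "offline_access", "User.Read"}


def evaluate_consent(setting, publisher_verified, permissions, workflow_enabled):
    """Return the outcome when a user hits a consent prompt.

    permissions: list of (scope, kind) with kind "delegated" or "application".
    Outcomes: "user_consent", "admin_consent_request" (workflow), "blocked".
    """
    if setting not in USER_CONSENT_SETTINGS:
        raise ValueError(f"unknown consent setting: {setting}")

    # Application (app-only) permissions are never user-consentable.
    only_delegated = all(kind == "delegated" for _, kind in permissions)

    if setting == "allow_all":
        user_can_consent = only_delegated
    elif setting == "verified_publishers_selected_permissions":
        user_can_consent = (
            only_delegated
            and publisher_verified
            and all(scope in LOW_RISK_DELEGATED for scope, _ in permissions)
        )
    else:
        user_can_consent = False

    if user_can_consent:
        return "user_consent"
    # The user cannot consent: the workflow turns a dead end into a review request.
    return "admin_consent_request" if workflow_enabled else "blocked"


if __name__ == "__main__":
    # Unverified publisher asking for org-wide mailbox access under Priya's settings.
    print(evaluate_consent("verified_publishers_selected_permissions", False,
                           [("Mail.Read", "application")], workflow_enabled=True))
```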

Assigning users, groups, and app roles

User and group assignment

When “Assignment required?” is set to Yes on an enterprise app, you control access by assigning:

  • Individual users — direct assignment for small teams
  • Security groups — recommended for scale (assign one group, manage membership separately)
  • M365 groups — works too, but security groups are more common for app access

Assignment steps:

  1. Enterprise application → Users and groups → Add user/group
  2. Select users or groups
  3. Select a role (if app roles are defined) — otherwise “Default Access” is assigned
  4. Click Assign

App roles

App roles let you define custom permission levels within an application. Instead of just “can access” or “can’t access,” you get granular control:

| Example App Role | Description | Who Gets It |
|---|---|---|
| Admin | Full access to all features | IT administrators |
| Editor | Can create and edit content | Department managers |
| Viewer | Read-only access | General staff |
| Auditor | Can view audit logs only | Compliance team |

App roles are defined in the app registration (developer side) and assigned in the enterprise application (consumer side).

ℹ️ Scenario: Jake assigns app roles at Coastline Creative

🏪 Jake Torres at Coastline Creative has a project management SaaS app with three roles: Admin, Project Manager, and Viewer.

  1. Jake opens the enterprise app → Users and groups
  2. Assigns himself the Admin role
  3. Assigns the “Design Team” group the Project Manager role
  4. Assigns “All Staff” group the Viewer role

When a designer signs in, the app receives a token with the claim roles: ["ProjectManager"]. The app uses this claim to show the right features. When an intern signs in, they get roles: ["Viewer"] — they can see projects but can’t edit them.

💡 Exam tip: Where roles are defined vs assigned

This is a common exam confusion:

  • App roles are defined in the App registration → App roles blade (developer side)
  • App roles are assigned in the Enterprise application → Users and groups blade (admin side)
  • Roles appear as claims in the token — the application reads these claims to enforce authorisation
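How the application side of Jake’s scenario reads the roles claim, as an added example (not the SaaS app’s or Microsoft’s code). It assumes a JWT library has already validated the token signature and issuer and handed over the claims as a dict; the code then checks audience and expiry and maps role values to actions. The role values match the scenario, while the action names and the client ID are constructed placeholders.

```python
"""Enforcing Entra ID app roles from a validated token's claims.
Assumes signature/issuer were already verified by the auth middleware."""
import time

# Role value (as defined in App registration > App roles) -> actions it grants.
ROLE_ACTIONS = {
    "Admin": {"view_projects", "edit_projects", "manage_users"},
    "ProjectManager": {"view_projects", "edit_projects"},
    "Viewer": {"view_projects"},
}


def roles_from_claims(claims, expected_aud, now=None):
    """Return the app roles in the token, or raise if it is not for this app
    or has expired. A user assigned only 'Default Access' gets a token with
    no roles claim, so the result may be empty."""
    now = time.time() if now is None else now
    if claims.get("aud") != expected_aud:
        raise PermissionError("token issued for a different application")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    roles = claims.get("roles", [])
    if not isinstance(roles, list):  # the claim is always an array
        raise PermissionError("malformed roles claim")
    return set(roles)


def can(claims, action, expected_aud, now=None):
    """Deny by default: allowed only if some assigned role grants the action.
    Roles the app does not recognise (renamed or removed) grant nothing."""
    allowed = set()
    for role in roles_from_claims(claims, expected_aud, now):
        allowed |= ROLE_ACTIONS.get(role, set())
    return action in allowed


# Constructed claims as the app would see them after signature validation.
APP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder client ID
DESIGNER = {"aud": APP_ID, "exp": 2_000_000_000, "roles": ["ProjectManager"]}
INTERN = {"aud": APP_ID, "exp": 2_000_000_000, "roles": ["Viewer"]}
DEFAULT_ACCESS = {"aud": APP_ID, "exp": 2_000_000_000}  # no roles claim at all

if __name__ == "__main__":
    for name, claims in (("designer", DESIGNER), ("intern", INTERN), ("default", DEFAULT_ACCESS)):
        print(name, "edit_projects:", can(claims, "edit_projects", APP_ID, now=1_700_000_000))
```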

Application collections (My Apps)

Application collections organise apps in the My Apps portal (myapps.microsoft.com) into logical groups so users can find what they need quickly.

Without collections: Users see a flat list of 50+ apps — confusing and hard to navigate. With collections: Apps are grouped into tabs like “HR Tools,” “Finance,” “Engineering,” “Training.”

Creating collections

  1. Entra admin center → Enterprise applications → App launchers → Collections
  2. Click New collection
  3. Name the collection (e.g., “Finance Tools”)
  4. Add applications to the collection
  5. Assign users or groups who should see this collection

Key points:

  • Each collection is visible only to the users/groups assigned to it
  • An app can appear in multiple collections
  • Collections support a default collection where unorganised apps appear
  • Collections require an Entra ID P1 or P2 licence

ℹ️ Scenario: Priya organises My Apps for Meridian Health

🔐 Priya creates collections for Meridian Health’s 5,000 staff:

| Collection | Apps | Assigned To |
|---|---|---|
| Clinical | Epic, PACS Viewer, Lab Portal | Clinical Staff group |
| HR & Finance | Workday, Concur, SAP | HR group, Finance group |
| IT Tools | ServiceNow, Intune, Azure Portal | IT Staff group |
| Everyone | Teams Web, SharePoint, Outlook Web | All employees |

Result: A nurse logging into My Apps sees “Clinical” and “Everyone” tabs — not 50 apps they’ll never use. An HR analyst sees “HR & Finance” and “Everyone.” Clean, relevant, role-appropriate.

🎬 Video walkthrough

Consent, App Roles & Collections — SC-300 Module 18 (~11 min, video coming soon)

Flashcards

Question

What is an illicit consent grant attack?


Answer

An attack where a malicious app tricks a user into granting broad permissions (like reading all emails or files). The attacker creates a legitimate-looking app, the user consents, and the app uses those permissions to exfiltrate data. Mitigated by restricting user consent to verified publishers only.


Question

What is the admin consent workflow?


Answer

A managed process where users request access to apps that require admin consent. The request goes to designated reviewers (admins), who approve or deny. This balances security (no uncontrolled user consent) with usability (users aren't blocked — they can request access).


Question

Where are app roles defined vs where are they assigned?


Answer

App roles are defined in the App registration (developer side) → App roles blade. They are assigned in the Enterprise application (admin side) → Users and groups blade. The assigned roles appear as claims in the user's token.


Question

What are application collections in My Apps?


Answer

Logical groupings of enterprise apps displayed as tabs in the My Apps portal (myapps.microsoft.com). Admins create collections, add apps, and assign them to specific users or groups so each person sees only relevant apps. Requires Entra ID P1 or P2.


Knowledge Check

  1. Priya wants to allow Meridian Health staff to consent to low-risk apps from trusted publishers, but require admin approval for everything else. What should she configure?
  2. Jake at Coastline Creative has a project management app with Admin, Project Manager, and Viewer roles. Where does Jake define these roles, and where does he assign them to users?
  3. A user at Meridian Health tries to use a new analytics app. The consent prompt says the app wants to “read all users’ mailbox contents”. The app publisher is NOT a verified publisher. What happens if Priya has configured the recommended consent settings?


Next up: App Registrations: Build & Secure — how to register custom applications, configure authentication, API permissions, and app roles from the developer side.



© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.