Configure group and team owner consent to applications

In this article, you'll learn how to configure the way group and team owners consent to applications and how to disable all future group and team owners' consent operations to applications.

Group and team owners can authorize applications, such as applications published by third-party vendors, to access your organization's data associated with a group. For example, a team owner in Microsoft Teams can allow an app to read all Teams messages in the team, or list the basic profile of a group's members. See Resource-specific consent in Microsoft Teams to learn more.

Group owner consent can be managed in two separate ways: through the Microsoft Entra admin center, or through app consent policies. In the Microsoft Entra admin center, you can allow all group owners to consent, allow only owners who are members of a selected group to consent, or disable group owners' ability to consent to applications altogether. With app consent policies, you instead specify which app consent policy governs group owner consent for applications; you can assign one of the Microsoft built-in policies or create a custom policy to control exactly what group owners may consent to.

Before an app consent policy can govern group owner consent, you need to disable the group owner consent setting in the Microsoft Entra admin center (or with Microsoft Graph PowerShell, as shown later in this article). While that setting is enabled it takes precedence; once it is disabled, group owner consent is decided by the app consent policies assigned to the default user role. Learn more about managing group owner consent with app consent policies tailored to your needs.

Prerequisites

To configure group and team owner consent, you need:

You can configure which users are allowed to consent to apps accessing their groups' or teams' data, or you can disable the setting for all users.

Tip

Steps in this article might vary slightly based on the portal you start from.

To configure group and team owner consent settings through the Microsoft Entra admin center, follow these steps:

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
  2. Browse to Identity > Applications > Enterprise applications > Consent and permissions > User consent settings.
  3. Under Group owner consent for apps accessing data select the option you'd like to enable.
  4. Select Save to save your settings.

In this example, all group owners are allowed to consent to apps accessing their groups' data:

(Screenshot: Group owner consent settings, with consent allowed for all group owners.)

You can use the Microsoft Graph PowerShell module to enable or disable group owners' ability to consent to applications accessing your organization's data for the groups they own. The cmdlets in this section are part of the Microsoft.Graph.Identity.SignIns module.

Connect to Microsoft Graph PowerShell and sign in as at least a Privileged Role Administrator. To read the current consent settings, use the Policy.Read.All permission. To read and change the consent settings, use the Policy.ReadWrite.Authorization permission. Creating the directory settings object from its template (the first time the setting is customized in a tenant) additionally requires Directory.ReadWrite.All, as noted in the next step.

  1. Change the profile to beta by using the Select-MgProfile command. (Select-MgProfile exists only in Microsoft Graph PowerShell SDK 1.x; in SDK 2.0 and later there are no profiles, and the beta cmdlets used below are instead installed from the Microsoft.Graph.Beta modules and carry a Beta prefix, for example Get-MgBetaDirectorySetting.)

    Select-MgProfile -Name "beta"
    
  2. Connect with the least-privilege permission for the task.

    Connect-MgGraph -Environment China -ClientId 'YOUR_CLIENT_ID' -TenantId 'YOUR_TENANT_ID' -Scopes "Policy.ReadWrite.Authorization"
    
    # If the setting has never been customized and you need to create it from the template, use this permission instead
    Connect-MgGraph -Environment China -ClientId 'YOUR_CLIENT_ID' -TenantId 'YOUR_TENANT_ID' -Scopes "Directory.ReadWrite.All"
    

Retrieve the current setting using Microsoft Graph PowerShell

Retrieve the current value of the Consent Policy Settings directory settings in your tenant. Check whether the directory settings object for this feature has already been created; if it hasn't, create it from the corresponding directory settings template (the object only exists once someone has customized the setting).

$consentSettingsTemplateId = "dffd5d46-495d-40a9-8e21-954ff55e198a" # Consent Policy Settings
$settings = Get-MgDirectorySetting | ?{ $_.TemplateId -eq $consentSettingsTemplateId }

if (-not $settings) {
    $template = Get-MgDirectorySettingTemplate -DirectorySettingTemplateId $consentSettingsTemplateId
    $body = @{
                "templateId" = $template.Id
                "values" = @(
                    @{
                        "name" = "EnableGroupSpecificConsent"
                        "value" = $true
                    },
                    @{
                        "name" = "BlockUserConsentForRiskyApps"
                        "value" = $true
                    },
                    @{
                        "name" = "EnableAdminConsentRequests"
                        "value" = $true
                    },
                    @{
                        "name" = "ConstrainGroupSpecificConsentToMembersOfGroupId"
                        "value" = ""
                    }
                )
    }
    $settings = New-MgDirectorySetting -BodyParameter $body
}

$enabledValue = $settings.Values | ? { $_.Name -eq "EnableGroupSpecificConsent" }
$limitedToValue = $settings.Values | ? { $_.Name -eq "ConstrainGroupSpecificConsentToMembersOfGroupId" }

Understand the setting values in Microsoft Graph PowerShell

Two setting values define which users are able to allow an app to access their group's data:

EnableGroupSpecificConsent (Boolean): Flag indicating whether group owners are allowed to grant group-specific permissions.

ConstrainGroupSpecificConsentToMembersOfGroupId (Guid): If EnableGroupSpecificConsent is set to "True" and this value is set to a group's object ID, only members of the identified group are authorized to grant group-specific permissions to the groups they own. Leave it empty to allow all group owners.

Update settings values for the desired configuration using Microsoft Graph PowerShell

# Pick exactly one of the three configurations below; they overwrite the same two values.

# Option 1: disable group-specific consent entirely
$enabledValue.Value = "false"
$limitedToValue.Value = ""

# Option 2: enable group-specific consent for all group owners
$enabledValue.Value = "true"
$limitedToValue.Value = ""

# Option 3: enable group-specific consent only for owners who are members of a given group
$enabledValue.Value = "true"
$limitedToValue.Value = "{group-object-id}"

Save your settings using Microsoft Graph PowerShell

# Update the existing directory settings object with the modified values
Update-MgDirectorySetting -DirectorySettingId $settings.Id -Values $settings.Values

Note

Turning off the "Users can consent to apps accessing company data on their behalf" setting does not disable the "Users can consent to apps accessing company data for groups they own" option. The two settings are independent, so check both when you intend to block all non-admin consent.
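The retrieve, update and save steps above are spread over several fragments that must be combined by hand, and the group ID is accepted as a free-form string, so a typo in ConstrainGroupSpecificConsentToMembersOfGroupId silently locks every owner out of consenting. The function below is an added example, not code from the original article: it performs the whole procedure idempotently for one named mode, validates the group object ID against the directory before writing it, and reads the setting back afterwards to confirm the values took effect. It assumes the beta profile is selected and that Connect-MgGraph has been run with Directory.ReadWrite.All (needed to create the setting from the template) and Group.Read.All (to validate the group). The function name and the Mode values are hypothetical.

```powershell
# Added example: set the group owner consent directory setting to a named mode and verify it.
# Assumes: Select-MgProfile -Name "beta" has been run (SDK 1.x) and Connect-MgGraph has
# been run with Directory.ReadWrite.All and Group.Read.All. Function name is hypothetical.
function Set-GroupOwnerConsent {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'AllOwners', 'OwnersInGroup')]
        [string] $Mode,

        # Object ID of the group whose members may consent; used only with OwnersInGroup.
        [string] $LimitToGroupId
    )

    $consentSettingsTemplateId = 'dffd5d46-495d-40a9-8e21-954ff55e198a' # Consent Policy Settings

    # Fail early on a bad group ID: the setting accepts any string, so a typo would
    # silently prevent every owner from consenting.
    if ($Mode -eq 'OwnersInGroup') {
        if ([string]::IsNullOrWhiteSpace($LimitToGroupId)) {
            throw 'OwnersInGroup requires -LimitToGroupId.'
        }
        $null = Get-MgGroup -GroupId $LimitToGroupId -ErrorAction Stop
    }

    # Create the settings object from the template if the tenant has never customized it.
    $settings = Get-MgDirectorySetting -All | Where-Object { $_.TemplateId -eq $consentSettingsTemplateId }
    if (-not $settings) {
        $template = Get-MgDirectorySettingTemplate -DirectorySettingTemplateId $consentSettingsTemplateId
        $body = @{
            templateId = $template.Id
            values     = @($template.Values | ForEach-Object { @{ name = $_.Name; value = $_.DefaultValue } })
        }
        $settings = New-MgDirectorySetting -BodyParameter $body
    }

    # The two values that define this feature; everything else in the object is left alone.
    $desired = switch ($Mode) {
        'Disabled'      { @{ EnableGroupSpecificConsent = 'false'; ConstrainGroupSpecificConsentToMembersOfGroupId = '' } }
        'AllOwners'     { @{ EnableGroupSpecificConsent = 'true';  ConstrainGroupSpecificConsentToMembersOfGroupId = '' } }
        'OwnersInGroup' { @{ EnableGroupSpecificConsent = 'true';  ConstrainGroupSpecificConsentToMembersOfGroupId = $LimitToGroupId } }
    }

    $values = @($settings.Values | ForEach-Object {
        $v = @{ name = $_.Name; value = $_.Value }
        if ($desired.ContainsKey($_.Name)) { $v.value = $desired[$_.Name] }
        $v
    })

    if ($PSCmdlet.ShouldProcess("directory setting $($settings.Id)", "set group owner consent to $Mode")) {
        Update-MgDirectorySetting -DirectorySettingId $settings.Id -BodyParameter @{ values = $values }

        # Read the object back and compare, rather than trusting that the PATCH applied.
        $after = Get-MgDirectorySetting -DirectorySettingId $settings.Id
        foreach ($name in $desired.Keys) {
            $actual = ($after.Values | Where-Object Name -eq $name).Value
            if ("$actual" -ne "$($desired[$name])") {
                throw "Verification failed: $name is '$actual', expected '$($desired[$name])'."
            }
        }
    }
}

# Usage (dry run first, then for real):
# Set-GroupOwnerConsent -Mode OwnersInGroup -LimitToGroupId '<group-object-id>' -WhatIf
# Set-GroupOwnerConsent -Mode Disabled
```

Because the function supports -WhatIf, you can review the exact change against a production tenant before applying it. Use -Mode Disabled as the first step when you intend to hand group owner consent over to app consent policies, as described in the next section.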

You can also configure which users are allowed to consent to apps accessing their groups' or teams' data through app consent policies. To allow group owner consent subject to app consent policies, the group owner consent setting described above must be disabled. Once it is disabled, the effective policy is read from the app consent policies assigned to the default user role.

To choose which app consent policy governs group owner consent for applications, use the Microsoft Graph PowerShell module. The cmdlets used here are included in the Microsoft.Graph.Identity.SignIns module.

Connect to Microsoft Graph PowerShell using the least-privilege permission needed. For reading the current user consent settings, use Policy.Read.All. For reading and changing the user consent settings, use Policy.ReadWrite.Authorization. You need to sign in as a Privileged Role Administrator.

# Change the profile to beta by using the Select-MgProfile command (SDK 1.x only; SDK 2.0+ uses the Microsoft.Graph.Beta modules instead)
Select-MgProfile -Name "beta"
Connect-MgGraph -Environment China -ClientId 'YOUR_CLIENT_ID' -TenantId 'YOUR_TENANT_ID' -Scopes "Policy.ReadWrite.Authorization"
  1. Check whether a managePermissionGrantsForOwnedResource.* policy that is scoped to groups is currently assigned.

     1. Retrieve the app consent policies currently assigned to the default user role.

        Get-MgPolicyAuthorizationPolicy | select -ExpandProperty DefaultUserRolePermissions | ft PermissionGrantPoliciesAssigned

     If an entry beginning with managePermissionGrantsForOwnedResource is returned in PermissionGrantPoliciesAssigned, your group owner consent setting might already be governed by that app consent policy.

     2. Check whether that policy is scoped to group (the example below inspects the built-in policy; substitute the ID returned in the previous step).

        Get-MgPolicyPermissionGrantPolicy -PermissionGrantPolicyId "microsoft-all-application-permissions-for-group" | ft AdditionalProperties

     If resourceScopeType is group, your group owner consent setting is governed by that app consent policy.

  2. To disable group owner consent that is governed by app consent policies, rewrite the PermissionGrantPoliciesAssigned collection without the group-scoped managePermissionGrantsForOwnedResource.* entries. Keep the current managePermissionGrantsForSelf.* policy and any managePermissionGrantsForOwnedResource.* policies that are not scoped to groups, so that your user consent settings and other resource consent settings stay as they are. The update replaces the whole collection, so anything you leave out is removed.

    # Exclude only the policies that are scoped to group; keep everything else
    $body = @{
        "permissionGrantPolicyIdsAssignedToDefaultUserRole" = @(
            "managePermissionGrantsForSelf.{current-policy-for-user-consent}",
            "managePermissionGrantsForOwnedResource.{other-policies-that-are-not-applicable-to-groups}" 
        )
    }
    Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId 'authorizationPolicy' -BodyParameter $body
    
    
    

To allow group owner consent subject to an app consent policy, choose which app consent policy should govern group owners' ability to consent to apps, and add it to the collection. As before, keep the current managePermissionGrantsForSelf.* policy and any managePermissionGrantsForOwnedResource.* policies that are not scoped to groups while updating the collection, so that your user consent settings and other resource consent settings are preserved.

$body = @{
    "permissionGrantPolicyIdsAssignedToDefaultUserRole" = @(
        "managePermissionGrantsForSelf.{current-policy-for-user-consent}",
        "managePermissionGrantsForOwnedResource.{other-policies-that-are-not-applicable-to-groups}",
        "managePermissionGrantsForOwnedResource.{app-consent-policy-id-for-group}" #new app consent policy for groups
    )
}
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId 'authorizationPolicy' -BodyParameter $body

Replace {app-consent-policy-id-for-group} with the ID of the policy you want to apply. You can choose a custom app consent policy that you've created, or you can choose from the following built-in policies:

microsoft-pre-approval-apps-for-group (Allow group owner consent to pre-approved apps only): Group owners can consent only to apps that admins have preapproved for the groups they own.

microsoft-all-application-permissions-for-group (Allow group owner consent to apps): All group owners can consent to any permission that doesn't require admin consent, for any application, for the groups they own. This includes apps preapproved by a permission grant preapproval policy for group resource-specific consent.

For example, to enable group owner consent subject to the built-in policy microsoft-all-application-permissions-for-group, run the following commands:

$body = @{
    "permissionGrantPolicyIdsAssignedToDefaultUserRole" = @(
        "managePermissionGrantsForSelf.{current-policy-for-user-consent}",
        "managePermissionGrantsForOwnedResource.{all-policies-that-are-not-applicable-to-groups}",
        "managePermissionGrantsForOwnedResource.microsoft-all-application-permissions-for-group" # built-in policy scoped to group
    )
}
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId 'authorizationPolicy' -BodyParameter $body
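The snippets above use placeholders for the policies you must carry over, and because the update replaces the entire collection, forgetting one silently changes user consent or another resource's consent settings. The script below is an added example, not code from the original article: it reads the currently assigned policies, looks up each managePermissionGrantsForOwnedResource.* entry and drops only those whose resourceScopeType is group (the check the article describes in step 1), keeps everything else verbatim, and then appends the chosen group policy after confirming that it really is scoped to group. Run it without -GroupPolicyId to disable group owner consent, or with a built-in or custom policy ID to enable it. It assumes the beta profile is selected and a session with Policy.ReadWrite.Authorization; the function names are hypothetical, and the fallback that reads resourceScopeType from AdditionalProperties covers SDK builds where the beta property is not surfaced as a typed member.

```powershell
# Added example: rebuild permissionGrantPolicyIdsAssignedToDefaultUserRole safely.
# Assumes: beta profile selected and Connect-MgGraph run with Policy.ReadWrite.Authorization.
# Function names are hypothetical.

function Get-PermissionGrantPolicyScope {
    param([Parameter(Mandatory)][string] $PolicyId)
    $p = Get-MgPolicyPermissionGrantPolicy -PermissionGrantPolicyId $PolicyId -ErrorAction Stop
    # resourceScopeType is a beta property; depending on the SDK build it is either a
    # typed property or only present in AdditionalProperties.
    if ($p.PSObject.Properties['ResourceScopeType'] -and $p.ResourceScopeType) {
        return $p.ResourceScopeType
    }
    return $p.AdditionalProperties['resourceScopeType']
}

function Set-GroupOwnerConsentPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # App consent policy that should govern group owners, e.g.
        # 'microsoft-all-application-permissions-for-group'. Omit to disable group owner consent.
        [string] $GroupPolicyId
    )

    # Read what is assigned today; never start from an empty list.
    $authz   = Get-MgPolicyAuthorizationPolicy | Select-Object -First 1
    $current = @($authz.PermissionGrantPolicyIdsAssignedToDefaultUserRole)
    if (-not $current) {
        $current = @($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
    }

    # Keep managePermissionGrantsForSelf.* and any owned-resource policy that is not group-scoped.
    $keep = foreach ($entry in $current) {
        $prefix, $id = $entry -split '\.', 2
        if ($prefix -eq 'managePermissionGrantsForOwnedResource' -and
            (Get-PermissionGrantPolicyScope -PolicyId $id) -eq 'group') {
            Write-Verbose "Removing group-scoped policy $entry"
            continue
        }
        $entry
    }
    $keep = @($keep)

    if ($GroupPolicyId) {
        # Refuse to assign a policy that would not actually apply to groups.
        if ((Get-PermissionGrantPolicyScope -PolicyId $GroupPolicyId) -ne 'group') {
            throw "$GroupPolicyId is not scoped to group; refusing to assign it for group owner consent."
        }
        $keep += "managePermissionGrantsForOwnedResource.$GroupPolicyId"
    }

    if ($PSCmdlet.ShouldProcess('authorizationPolicy', "set assigned policies to: $($keep -join ', ')")) {
        $body = @{ permissionGrantPolicyIdsAssignedToDefaultUserRole = $keep }
        Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId 'authorizationPolicy' -BodyParameter $body
    }
    return $keep
}

# Usage:
# Set-GroupOwnerConsentPolicy -WhatIf -Verbose                                  # disable: remove group-scoped policies
# Set-GroupOwnerConsentPolicy -GroupPolicyId 'microsoft-pre-approval-apps-for-group'   # enable, preapproved apps only
```

The function returns the final collection so you can record it in a change ticket; rerun it with -WhatIf -Verbose first to see which entries would be removed before any write happens.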

Next steps

To get help or find answers to your questions: