On June 17th, in its Message Center, Microsoft announced a major upcoming change in the context of its Secure Future Initiative (SFI) that has a high impact on the way people in organizations interact with apps that access their Microsoft 365 data. Under message ID MC1097272, Microsoft announced they “will update default settings to enhance security by requiring admin consent for third-party app access.”
The Message Center in the Microsoft 365 Admin Center website provides organizations with a high-level overview of planned changes and how these changes may affect people in their organizations and people the organization collaborates with.
The Secure Future Initiative (SFI) is a multi-year commitment that Microsoft launched in November 2023, aimed at enhancing cybersecurity across Microsoft’s products, services, and operations. Microsoft established the initiative in response to the increasing scale and sophistication of cyberattacks. It aims to integrate security into every aspect of Microsoft’s technology development, ensuring that solutions meet the highest security standards.
Third-party SaaS applications are becoming a more common threat vector because of their vulnerabilities and the lack of oversight over them, according to Microsoft’s 2024 Digital Defense Report.
While Microsoft touts this change as a Microsoft 365 update, it will be implemented in Microsoft 365’s underlying identity and access platform, Microsoft Entra.
If you’re an avid reader of the App Governance blogs, you would have figured out what this change is all about. You would have a leg up on admins who face this change with little to no knowledge of applications, API permissions, and consent in Microsoft Entra. If you’re new here, welcome to the world of application governance in Entra! Look through our Entra security and governance blog to get up to speed.
With the existing default settings, people in your organization and people you collaborate with can grant third-party apps access to files and site content on their own. This can lead to overexposure of your organization’s content.
Microsoft is starting to change Entra tenants beginning in mid-July 2025 and intends to complete the change on all Entra tenants in scope by August 2025.
Microsoft intends to require admin consent for third-party apps accessing files and sites. This means that:
The change consists of three parts. Let us look at each of them one at a time:
On the User consent settings page of the Microsoft Entra admin center, admins can control when non-privileged users are allowed to grant consent to applications, and when they will be required to request administrator review and approval.
With the change that Microsoft proposes, the default setting on the User consent settings page of the Microsoft Entra admin center changes from Allow user consent for apps to Do not allow user consent, as in the screenshot below:
Figure 1. User consent settings in the Entra admin center
As a result, people in your organization will by default be unable to grant consent to third-party applications that access their files and sites. However, if you previously configured Allow user consent for apps from verified publishers, for selected permissions (Recommended), that setting is honored and is not overwritten by the change.
People in your organization may still need apps, tools, plug-ins, and agents to do their work, so blocking consent outright risks productivity losses. That is why Microsoft urges admins to configure the admin consent workflow, which lets people request that an administrator grant consent on their behalf.
Microsoft is unable to configure the admin consent workflow for all tenants, because configuring it requires several business decisions regarding responsibilities, tasks, and processes. When you look at the Admin consent settings page in the Entra admin center, you can clearly see why:
Figure 2. Admin consent settings in the Entra admin center
The screenshot clearly shows that, after enabling the admin consent workflow:
Microsoft-managed application consent policies
The options on the User consent settings and Admin consent settings pages are coarse-grained, but combined with the settings on the Permission classifications page, admins can allow people in their organization to grant consent to applications that request only certain permissions:
Figure 3. Permission classifications page with one low permission allowed for user consent
We discussed the impact of choosing the right low-privileged API permissions to allow when we asked whether ‘Do not allow user consent’ should be the new Microsoft recommendation to tackle malicious OAuth apps.
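As an added example (not code from the original post), the following Microsoft Graph PowerShell script classifies a small set of sign-in-scoped delegated Microsoft Graph permissions as “low”, which is what the Permission classifications page does behind the scenes. It assumes the Microsoft.Graph module is installed and that the signed-in account can be granted the Policy.ReadWrite.PermissionGrant and Application.Read.All scopes; the list of permissions is an assumption you should trim to your own policy.

```powershell
# Added example: classify a handful of delegated Microsoft Graph permissions as "low",
# so users can still consent to them under "Allow user consent for apps from verified
# publishers, for selected permissions". Assumes the Microsoft.Graph module is installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.PermissionGrant", "Application.Read.All" -NoWelcome

# Assumed list of low-risk permissions. Keep it short and sign-in scoped: anything that
# reads mail, files or sites should stay unclassified, so it always needs admin consent.
# offline_access yields long-lived refresh tokens; drop it if your policy says so.
$lowRisk = @('User.Read', 'openid', 'profile', 'email', 'offline_access')

# Classifications are stored on the resource's service principal. For Microsoft Graph
# that is the service principal of the well-known appId below.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Existing classifications keyed by permission name, so re-running the script is harmless.
$existing = @{}
Get-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $graphSp.Id -All |
    ForEach-Object { $existing[$_.PermissionName] = $_.Classification }

foreach ($name in $lowRisk) {
    # The classification references both the scope id and its name, so look the scope up.
    $scope = $graphSp.Oauth2PermissionScopes | Where-Object { $_.Value -eq $name }
    if (-not $scope) {
        Write-Warning "Scope '$name' not found on the Microsoft Graph service principal"
        continue
    }
    if ($existing.ContainsKey($name)) {
        Write-Host "$name is already classified as $($existing[$name])"
        continue
    }
    New-MgServicePrincipalDelegatedPermissionClassification `
        -ServicePrincipalId $graphSp.Id `
        -PermissionId $scope.Id `
        -PermissionName $scope.Value `
        -Classification 'low' | Out-Null
    Write-Host "$name classified as low"
}

# Show the end state so it can be compared with the Permission classifications page.
Get-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $graphSp.Id -All |
    Select-Object PermissionName, Classification | Format-Table -AutoSize
```

Classifications are per resource application, so the same steps apply to any other API (SharePoint, Exchange, a line-of-business app) by looking up that API’s service principal instead of Microsoft Graph’s.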
In Entra’s backend, the settings on all three pages are stored as app consent policies (permissionGrantPolicy objects in Microsoft Graph). These policies do not surface in the Entra admin center, but the 13 default Microsoft-managed policies are available when querying Microsoft Graph through PowerShell.
The Get-MgPolicyPermissionGrantPolicy PowerShell cmdlet can be used for this purpose, and it provides information on each of the application consent policies:
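As an added example (not code from the original post), the following Graph PowerShell script enumerates the app consent policies with their include and exclude condition sets, reads which policy is assigned to the default user role, which is exactly the setting MC1097272 rewrites, and checks whether the admin consent workflow is on. This is the audit to run before Microsoft’s change lands in your tenant. It assumes the Microsoft.Graph module is installed and that the signed-in account holds Policy.Read.All.

```powershell
# Added example: audit app consent (permission grant) policies with Graph PowerShell.
# Assumes the Microsoft.Graph module is installed; Policy.Read.All is enough for reading.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

# 1. Enumerate every permission grant policy. Microsoft-managed policies carry the
#    "microsoft-" prefix in their Id; anything else was created in this tenant.
$policies = Get-MgPolicyPermissionGrantPolicy -All
foreach ($policy in $policies) {
    $origin = if ($policy.Id -like 'microsoft-*') { 'managed' } else { 'CUSTOM ' }
    Write-Host ("[{0}] {1} - {2}" -f $origin, $policy.Id, $policy.DisplayName)

    # A policy is a set of "include" condition sets minus a set of "exclude" condition sets.
    Get-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId $policy.Id -All |
        ForEach-Object {
            Write-Host ("    include: type={0} classification={1} verifiedPublisherOnly={2} permissions={3}" -f
                $_.PermissionType, $_.PermissionClassification,
                $_.ClientApplicationsFromVerifiedPublisherOnly, ($_.Permissions -join ','))
        }
    Get-MgPolicyPermissionGrantPolicyExclude -PermissionGrantPolicyId $policy.Id -All |
        ForEach-Object {
            Write-Host ("    exclude: type={0} classification={1} permissions={2}" -f
                $_.PermissionType, $_.PermissionClassification, ($_.Permissions -join ','))
        }
}

# 2. Which policy is assigned to ordinary users? This is what the "User consent settings"
#    page writes, and what MC1097272 changes for tenants still on the old default.
#    Entries for "ManagePermissionGrantsForOwnedResource" (Teams resource-specific consent)
#    are ignored here because they are not part of this change.
$assigned = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
$selfConsent = @($assigned | Where-Object { $_ -like 'ManagePermissionGrantsForSelf.*' })

if ($selfConsent.Count -eq 0) {
    $verdict = 'Do not allow user consent (already what the new default will be)'
}
elseif ($selfConsent -contains 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy') {
    $verdict = 'Allow user consent for apps (old default; MC1097272 will switch this off)'
}
elseif ($selfConsent -contains 'ManagePermissionGrantsForSelf.microsoft-user-default-low') {
    $verdict = 'Verified publishers, selected permissions (honored; not changed by Microsoft)'
}
else {
    $verdict = 'Custom app consent policy assigned (not changed by Microsoft; review it yourself)'
}
Write-Host "Assigned to default users: $($assigned -join ', ')"
Write-Host "Verdict: $verdict"

# 3. Is the admin consent workflow on, so people who can no longer consent can still ask?
$workflow = Get-MgPolicyAdminConsentRequestPolicy
Write-Host ("Admin consent workflow enabled: {0} (reviewers configured: {1})" -f
    $workflow.IsEnabled, @($workflow.Reviewers).Count)
```

If the verdict is the legacy policy and the workflow is disabled, you are in the population whose service desk is about to hear about it.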
By adding custom application consent policies, admins can define far more granular consent rules than the three pages in the Entra admin center expose. However, such custom policies are not reflected on those pages, so the admin center may not show what is actually in effect.
Organizations who have applied custom user consent settings through custom application consent policies will not be affected by this change.
Have you changed the default settings?
If you have not changed the default user consent settings, this Microsoft change is going to result in a lot of complaints to your service desk, because people can no longer grant consent to, and therefore no longer add, their favorite apps, tools, add-ins, and agents.
Action: You need to enable and configure the admin consent workflow.
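As an added example (not code from the original post), the following Graph PowerShell script enables the admin consent workflow with named reviewers, e-mail notifications, reminders, and a 30-day request expiry. It assumes the Microsoft.Graph module is installed, that the signed-in account can be granted Policy.ReadWrite.ConsentRequest and User.Read.All, and the reviewer UPNs are placeholders to replace.

```powershell
# Added example: turn on the admin consent workflow so users who can no longer consent
# themselves can route a request to named reviewers. Assumes Microsoft.Graph is installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConsentRequest", "User.Read.All" -NoWelcome

# Placeholder reviewers (assumed UPNs): replace with the people who own app governance.
$reviewerUpns = @('appgov-admin1@contoso.example', 'appgov-admin2@contoso.example')

# Reviewers are expressed as Graph queries; "/users/{id}" designates a single user.
$reviewers = foreach ($upn in $reviewerUpns) {
    $user = Get-MgUser -UserId $upn -Property Id
    @{ query = "/users/$($user.Id)"; queryType = 'MicrosoftGraph' }
}

$current = Get-MgPolicyAdminConsentRequestPolicy
if ($current.IsEnabled) {
    Write-Host "Workflow already enabled (version $($current.Version)); reviewers will be replaced."
}

# adminConsentRequestPolicy is a singleton that is replaced as a whole, so supply every
# setting, not only the ones being changed.
$body = @{
    isEnabled             = $true
    notifyReviewers       = $true   # e-mail reviewers when a new request arrives
    remindersEnabled      = $true   # keep reminding reviewers while a request is pending
    requestDurationInDays = 30      # requests expire after 30 days without a decision
    reviewers             = @($reviewers)
}
Update-MgPolicyAdminConsentRequestPolicy -BodyParameter $body

# Read back and confirm what is now in effect.
$policy = Get-MgPolicyAdminConsentRequestPolicy
Write-Host ("Enabled: {0}, reviewers: {1}, expiry: {2} days" -f
    $policy.IsEnabled, @($policy.Reviewers).Count, $policy.RequestDurationInDays)
```

Being listed as a reviewer only gets someone notified; to actually approve a request, the reviewer still needs a role that can grant tenant-wide admin consent (Application Administrator, Cloud Application Administrator, or Global Administrator), so pick reviewers who hold one of those.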
If you have changed the default settings, you may have done so using one of two methods:
If you have changed the default settings on the User consent settings, Admin consent settings, and/or Permission classifications pages in the Entra admin center, now is an appropriate time to review these settings.
Action: review your settings.
If you have changed the default settings through custom application consent policies, you should also review your settings and make sure that no other department changes settings to ‘align with Microsoft’s new defaults’ and inadvertently overrides your custom application consent policies.
Action: review your settings and processes.
From an ENow perspective, we have evangelized limiting user consent for applications in Entra for a long time.
Changing the user consent settings is typically one of the first actions we recommend and perform when cleaning up and remediating Entra tenants through our free AppGov Score and App Governance Accelerator solutions.
We believe that getting and keeping an overview of all the apps, tools, add-ins, and agents used by people in your organization starts with ‘turning off the faucet, before we start mopping the floor.’ User consent settings are the proverbial faucet here. Microsoft is now changing this setting for every organization that hasn’t looked at it yet, which is a step towards stronger security and governance.
Mopping the floor (the cleaning up of the enterprise applications that people have added to Entra while they were still able to grant consent to them), however, is a whole different story. Not to fear, because you can always ask for our help on these apps through the AppGov Score Forum.
Let’s make Entra a better place together!