Graph Explorer: Allowing users to self-consent when admin consent is not required

Chris LeMay 45 Reputation points
2025-12-03T20:24:36.9866667+00:00

Hello!

I had what is hopefully a quick question about Microsoft Graph permissions that I was hoping someone could help with. Please let me know if there were more appropriate tags to use for this question, this seemed to be the only "Microsoft Graph" category.

Question:

What settings need to be configured in a tenant to allow users to self-consent to Microsoft Graph permissions that do not require additional admin consent?

For example, currently if I try and consent to the "Team.ReadBasic.All" permission in the Graph Explorer, which does not require admin consent, I get the following message:

User's image

User's image

It looks like we may need to enable the ability for users to self-consent to Graph API permissions even if those permissions do not require admin approval? However, I was not sure where this was done. It seems like it may be one of these options.

Option 1:

When I look up the Graph Explorer app registration in Microsoft Azure under enterprise applications, there is a "Grant admin consent to tenant" button. I was not sure if this needed to be activated, I was wary that doing so would give too much access. It seems like it might give the maximum graph API permissions to the app registration. We would not want to do that, as we just want to allow users to self-consent for permissions that don't require admin approval.

User's image

Option 2:

It also looked like, in the enterprise applications section of Azure, we would be able to change the "User Consent Settings". If we update this from "Do not allow user consent" to "Allow user consent for apps from verified publishers, for selected permissions" OR "Let Microsoft manage your consent settings (Recommended)", would that allow users to self-consent to permissions in the Graph Explorer?

User's image

If option 2 is the solution, is it possible to only allow a subset of users to have the self-consent option? Would we want to limit the graph explorer app to only certain users? Also please let me know if we should be looking at settings elsewhere in our tenant. Any information would be much appreciated. Thank you for your time.

Chris

Microsoft Security | Microsoft Graph

1 answer

  1. Andy David - MVP 159.7K Reputation points MVP Volunteer Moderator
    2025-12-03T20:34:51.14+00:00

    Yeah, don't let users self-consent risky perms, so use those settings in option 2 and decide which one is best for your org (last one recommended by Microsoft, of course). You can't scope to specific users, but choose the best option for you and consider leveraging a workflow:

    https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow

    Don't get hung up on Graph Explorer, that's just another "client" so to speak :) and your focus should be on how you want to handle ANY consent request, choosing one of those options.

    1 person found this answer helpful.
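
An added example, not part of the original thread and not Microsoft's own code: the "User consent settings" choice discussed under option 2 is stored in the tenant's authorization policy (`GET /policies/authorizationPolicy` in Microsoft Graph) as `permissionGrantPoliciesAssigned` entries, and this Python code reports which option a policy document reflects and builds a PATCH body that changes only the user-consent entry. The sample policy and the `example-policy` id are constructed; the built-in policy ids are the ones given in Microsoft's user-consent documentation.

```python
# Added example. Runs offline against a constructed policy document shaped like
# the response of GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy
SELF_PREFIX = "managepermissiongrantsforself."

# Built-in policy ids behind the portal's user consent options.
# "Do not allow user consent" assigns no ManagePermissionGrantsForSelf.* entry.
PORTAL_OPTIONS = {
    "microsoft-user-default-low":
        "Allow user consent for apps from verified publishers, for selected permissions",
    "microsoft-user-default-recommended":
        "Let Microsoft manage your consent settings (Recommended)",
    "microsoft-user-default-legacy": "Allow user consent for apps",  # broadest option
}

def split_assigned(policy):
    """Return (self-consent policy ids, all other assigned entries)."""
    assigned = (policy.get("defaultUserRolePermissions", {})
                      .get("permissionGrantPoliciesAssigned", []))
    self_ids, others = [], []
    for entry in assigned:
        if entry.lower().startswith(SELF_PREFIX):  # compare case-insensitively
            self_ids.append(entry[len(SELF_PREFIX):])
        else:
            others.append(entry)  # e.g. ManagePermissionGrantsForOwnedResource.*
    return self_ids, others

def describe(policy):
    """Map the policy to the portal option(s) it corresponds to."""
    self_ids, _ = split_assigned(policy)
    if not self_ids:
        return ["Do not allow user consent"]
    return [PORTAL_OPTIONS.get(i.lower(), f"custom consent policy: {i}") for i in self_ids]

def patch_body(policy, new_self_id):
    """Body for PATCH /policies/authorizationPolicy; None disables user consent.
    Entries that are not user-consent policies are carried over unchanged."""
    _, others = split_assigned(policy)
    new = [f"ManagePermissionGrantsForSelf.{new_self_id}"] if new_self_id else []
    return {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": new + others}}

# Constructed sample: user consent disabled, one unrelated (placeholder) entry present.
SAMPLE = {"id": "authorizationPolicy", "defaultUserRolePermissions": {
    "permissionGrantPoliciesAssigned": ["ManagePermissionGrantsForOwnedResource.example-policy"]}}

if __name__ == "__main__":
    print("current:", describe(SAMPLE))
    print("patch  :", patch_body(SAMPLE, "microsoft-user-default-low"))
```

Sending the generated body replaces the whole `permissionGrantPoliciesAssigned` list, which is why the function carries the non-user-consent entries over instead of dropping them.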
