Entra ID is Microsoft's cloud-based identity and access management service that helps your employees sign in and access resources such as EUM. It relies on consents, which Users and Administrators accept in order to grant access to all the resources and data. After sign-in, it is determined automatically whether the user needs to be shown a consent page. There are two main types of consent:
- Static user consent, which occurs during authorization when users access the content they need;
- Admin consent, which occurs right after static user consent. This type of consent requires the Customer's Microsoft 365 Global Administrator to approve the list of permissions the EUM App requires.
Accepting Consent (Pre-Consenting)
A Customer Microsoft 365 Global Administrator has to grant EUM consent allowing the EUM App to access all defined resources on behalf of each user without EUM having to ask the user for consent. Additionally, it will unblock the scenarios where the user cannot provide consent. Learn more about the access scopes supported by EUM on the dedicated Data Access page.
Why do Users Provide Consent?
Every time the App needs access to specific data in Microsoft 365 for the first time, it has to ask the user for permission to access that data. For instance, if the App wants to read data from SharePoint, it has to ask the user whether it is allowed to access the user's data in SharePoint. The user can agree to this by providing consent for accessing his or her data in SharePoint. This consent experience is provided by the data source; in this case, by Microsoft 365.
Why Would Administrators Want to Provide Admin Consent?
Providing Admin Consent to EUM removes the need for every user within that Microsoft 365 tenant to accept consent individually. Users are more productive because they do not each have to consent to every resource separately. It also reduces the questions users might ask about the individual consent requests they would otherwise face while using EUM.
How Does an Administrator Revoke Admin Consent?
If you want to withdraw your Admin Consent, you can use the Entra ID portal to revoke any consent.
How do Administrators Provide Admin Consent?
When installing EUM, you will be asked to provide consent during the installation process.
As an Administrator, Must I Consent to All Scopes?
In your organization, you might not want to accept Admin Consent based on Microsoft-defined parameters. One Microsoft-generated consent statement frequently raises this question: 'Have full control of all site collections'. The current Microsoft Entra ID architecture for providing Admin Consent is restricted to a single consent flow, meaning that we, as the developers of the App, can only offer one Admin Consent flow for all customers. It is important to note that the consent is 'Delegated', meaning that the user who is using EUM cannot access data or manage SharePoint any more than he or she already can in SharePoint directly. In other words, although the consent states 'Have full control', it grants no more than the control the user already has.
Managing Consent in Azure
Visit https://portal.azure.com > 'Enterprise Application' to verify what permissions have already been granted for the EUM App. This is also where you can revoke the permissions for the EUM App.
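The same review can be scripted against an export of the app's delegated grants. The following is an added example, not EUM's or Microsoft's own code: it assumes the grants were retrieved from the Microsoft Graph `oauth2PermissionGrants` collection, where `consentType` is `AllPrincipals` for Admin Consent and `Principal` for a single user's consent. All object ids and the sample grants are constructed placeholders, and `REVIEW_SCOPES` is an assumed policy list containing `AllSites.FullControl`, the SharePoint delegated scope behind the 'Have full control of all site collections' statement.

```python
import json

# Constructed sample shaped like a Microsoft Graph oauth2PermissionGrants
# response. Every id below is a placeholder, not a real tenant value.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": "grant-1", "clientId": "EUM-SP-OBJECT-ID", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "SHAREPOINT-SP-OBJECT-ID",
     "scope": "AllSites.FullControl AllSites.Read"},
    {"id": "grant-2", "clientId": "EUM-SP-OBJECT-ID", "consentType": "Principal",
     "principalId": "USER-OBJECT-ID-1", "resourceId": "GRAPH-SP-OBJECT-ID",
     "scope": " User.Read  offline_access "},
    {"id": "grant-3", "clientId": "OTHER-APP-SP-OBJECT-ID", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "GRAPH-SP-OBJECT-ID", "scope": "Mail.Read"},
]})

# Scopes a reviewer wants called out (assumption: adjust to tenant policy).
REVIEW_SCOPES = {"AllSites.FullControl"}


def summarize_grants(response_text, client_id):
    """Split one app's delegated grants into tenant-wide (Admin Consent) and
    per-user consent, and list grants that carry a scope marked for review."""
    summary = {"admin": {}, "user": {}, "review": []}
    for grant in json.loads(response_text).get("value", []):
        if grant.get("clientId") != client_id:
            continue  # grant belongs to a different application
        # 'scope' is a space-separated string; split() tolerates extra spaces.
        scopes = set((grant.get("scope") or "").split())
        resource = grant["resourceId"]
        if grant.get("consentType") == "AllPrincipals":
            summary["admin"].setdefault(resource, set()).update(scopes)
        else:
            key = (grant.get("principalId"), resource)
            summary["user"].setdefault(key, set()).update(scopes)
        for scope in sorted(scopes & REVIEW_SCOPES):
            summary["review"].append((grant["id"], grant.get("consentType"), scope))
    return summary


if __name__ == "__main__":
    result = summarize_grants(SAMPLE_RESPONSE, "EUM-SP-OBJECT-ID")
    for resource, scopes in result["admin"].items():
        print("Admin consent  ", resource, sorted(scopes))
    for (user, resource), scopes in result["user"].items():
        print("User consent   ", user, resource, sorted(scopes))
    for grant_id, consent_type, scope in result["review"]:
        print("Review         ", grant_id, consent_type, scope)
```

A grant listed under Admin Consent applies to every user in the tenant, so revoking it in the portal removes the pre-consent for all of them, while per-user grants are revoked individually.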