AZ-500 Microsoft Azure Security Technologies Exam

Are you a guardian of your domain? Learn how to leverage your aptitude in security to protect Microsoft Azure technologies, with the goal of earning the Microsoft Certified: Azure Security Engineer Associate certification!


Manage access to enterprise applications in Microsoft Entra ID, including OAuth permission grants

Enterprise applications in Microsoft Entra ID rely on OAuth permission grants to control how apps access data. There are two main types of permissions: delegated permissions, where an app acts on behalf of a signed-in user (and can never do more than that user could), and application permissions, where the app runs with its own identity and no user context. Understanding this difference is crucial to enforcing the right level of access and maintaining security. Delegated permissions can be granted by users or administrators, while application permissions always require an admin to consent.

Administrators can configure how user consent and admin consent work for enterprise applications through detailed consent policies. These policies help enforce least-privilege by limiting which scopes users can approve. Key settings include:

  • User consent settings: decide when users can grant permissions to apps
  • Admin consent workflow: require admin approval for high-risk permissions
  • Tenant-wide admin consent: allow admins to grant all users access to an app in one action

You can audit granted permissions using Azure AD activity logs and the Microsoft Graph API. To see delegated permissions, query the oauth2PermissionGrants endpoint on a service principal. To review application permissions, check the appRoleAssignments endpoint. These logs highlight which apps and users have consented to which scopes, making it easier to spot over-privileged access.

When an application or user no longer needs a permission, administrators can revoke consent to stop access immediately. Using the Microsoft Entra admin center or the Microsoft Graph API, you can:

  • Delete a delegated permission grant with DELETE /oauth2PermissionGrants/{grant-id}
  • Remove an application permission with DELETE /servicePrincipals/{id}/appRoleAssignedTo/{assignment-id}

After revocation, apps cannot use the old grant, and dynamic consent settings should be locked down to prevent re-consent. Implementing permission grant policies and regular access reviews ensures that only necessary permissions remain granted and helps maintain a secure environment.
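The audit-and-revoke workflow described above, as an added example that is not part of the original course material: it runs offline over constructed sample objects shaped like the Graph oauth2PermissionGrants and appRoleAssignedTo responses, flags high-risk scopes (the HIGH_RISK set and all ids are assumptions), and emits the matching DELETE requests instead of sending them.

```python
# Constructed sample: delegated grants as returned by
# GET /servicePrincipals/{id}/oauth2PermissionGrants (ids are placeholders).
DELEGATED_GRANTS = [
    {"id": "grant-1", "clientId": "sp-reporting-app", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-msgraph", "scope": "User.Read offline_access"},
    {"id": "grant-2", "clientId": "sp-mail-helper", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-msgraph",
     "scope": "Mail.ReadWrite Directory.ReadWrite.All"},
    {"id": "grant-3", "clientId": "sp-mail-helper", "consentType": "Principal",
     "principalId": "user-alice", "resourceId": "sp-msgraph", "scope": "Mail.Read"},
]

# Constructed sample: application permissions as returned by
# GET /servicePrincipals/{resource-id}/appRoleAssignedTo.
APP_ROLE_ASSIGNMENTS = [
    {"id": "assign-1", "principalId": "sp-backup-job", "resourceId": "sp-msgraph",
     "appRoleId": "role-directory-readwrite-all"},
    {"id": "assign-2", "principalId": "sp-reporting-app", "resourceId": "sp-msgraph",
     "appRoleId": "role-user-read-all"},
]

# Constructed mapping from the resource's appRoles[].id to appRoles[].value;
# in a real tenant it comes from the resource service principal's appRoles list.
APP_ROLE_VALUES = {
    "role-directory-readwrite-all": "Directory.ReadWrite.All",
    "role-user-read-all": "User.Read.All",
}

# Assumption: scopes the audit treats as high risk; tune to your consent policy.
HIGH_RISK = {"Directory.ReadWrite.All", "Mail.ReadWrite", "RoleManagement.ReadWrite.Directory"}


def audit_grants(delegated, app_roles, role_values, high_risk=HIGH_RISK):
    """Return (findings, revocations): each finding names the grant kind, the
    client, and the risky permissions; each revocation is the DELETE that removes it."""
    findings, revocations = [], []
    for g in delegated:
        risky = sorted(set(g["scope"].split()) & high_risk)
        # Tenant-wide (AllPrincipals) delegated grants cover every user, so they are audited;
        # per-user (Principal) grants are bounded by that single user's own access.
        if risky and g["consentType"] == "AllPrincipals":
            findings.append(("delegated", g["clientId"], risky))
            revocations.append(f"DELETE /oauth2PermissionGrants/{g['id']}")
    for a in app_roles:
        value = role_values.get(a["appRoleId"], a["appRoleId"])
        # Application permissions run with no user context, so any high-risk role is a finding.
        if value in high_risk:
            findings.append(("application", a["principalId"], [value]))
            revocations.append(
                f"DELETE /servicePrincipals/{a['resourceId']}/appRoleAssignedTo/{a['id']}")
    return findings, revocations
```

Review the returned findings in an access review before issuing the DELETE requests, since revoking a grant takes effect immediately for the affected app.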

Conclusion

In this section, we explored how to manage OAuth consent and permission grants for enterprise applications in Microsoft Entra ID. We learned to differentiate between delegated and application permissions and the importance of enabling least-privilege. We also covered how to configure user and admin consent settings, audit granted permissions with logs and APIs, and revoke consent when needed. By combining permission grant policies with access reviews, organizations can keep their app permissions tight and aligned with security best practices.