Complete Setup: How to Enable Admin Consent Workflow and Stop Unapproved App Access in Microsoft Entra
- Hanna Korotka
- Oct 8

In today’s cloud-first world, small and medium-sized businesses (SMBs) face growing risks from third-party applications that request access to sensitive company data. Attackers often exploit user consent to gain unauthorized access through malicious apps. Fortunately, Microsoft Entra provides powerful tools to help you take control.
This guide walks you through how to audit existing app consents, disable risky user consent, and enable the Admin Consent Workflow to ensure only approved apps can access your organization’s data.
🔍 Step 1: Audit Existing App Consents
Before making changes, it’s critical to understand which apps already have access.
1. Go to Microsoft Entra Admin Center
2. Navigate to: Entra ID > Enterprise Applications
3. Under Manage, select All applications
4. Review the list of apps and their granted permissions
This gives you visibility into what’s already approved and helps identify any risky or unnecessary apps.
To review permissions granted to applications:
1. Sign in as at least a Cloud Application Administrator
2. Go to: Enterprise apps > All applications
3. Select the application you want to restrict
4. Click Permissions
5. Use the Admin consent tab to view organization-wide permissions
6. Use the User consent tab to view permissions granted to specific users or groups
7. Click on any permission to open the Permission Details pane
8. From there, you can revoke permissions granted by admins for your entire organization
To revoke permissions in the Admin consent tab:
1. View the list of permissions in the Admin consent tab.
2. Choose the permission you would like to revoke, then select the ... control for that permission.
To revoke user consent permissions, you’ll need to use Microsoft Graph API or PowerShell, as the portal does not support revoking user-level consents directly. Refer to Microsoft’s official guide here: Review and revoke permissions granted to enterprise applications.
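Because the portal cannot revoke user-level consents, the audit and the revocation can both be scripted with the Microsoft Graph PowerShell SDK. The script below is an added example, not part of the original article or of Microsoft's guide; the `$RiskyScopes` list and the `$AppObjectId` placeholder are assumptions to adapt to your tenant.

```powershell
# Added example (not from the original article). Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'

# Assumption: illustrative list of scopes to highlight; tune it for your tenant.
$RiskyScopes = 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Files.ReadWrite.All', 'offline_access'

# ConsentType 'Principal' = consent given by one user; 'AllPrincipals' = admin consent.
$userGrants = Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq 'Principal' }

$spCache = @{}   # avoid re-fetching the same service principal for every grant
$report = foreach ($grant in $userGrants) {
    if (-not $spCache.ContainsKey($grant.ClientId)) {
        $spCache[$grant.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId `
            -Property DisplayName, AppId, AppOwnerOrganizationId -ErrorAction SilentlyContinue
    }
    $app    = $spCache[$grant.ClientId]
    $scopes = @($grant.Scope -split '\s+' | Where-Object { $_ })
    [pscustomobject]@{
        App            = $app.DisplayName
        AppId          = $app.AppId
        PublisherOrgId = $app.AppOwnerOrganizationId   # tenant that registered the app
        UserObjectId   = $grant.PrincipalId            # user who consented
        Scopes         = $scopes -join ' '
        Flagged        = @($scopes | Where-Object { $_ -in $RiskyScopes }) -join ' '
        GrantId        = $grant.Id
    }
}
$report | Sort-Object App, UserObjectId | Format-Table -AutoSize -Wrap

# Revoke the user-level consents of one application.
# Placeholder: set this to the enterprise application's object ID.
$AppObjectId = '<enterprise-app-object-id>'
$userGrants | Where-Object { $_.ClientId -eq $AppObjectId } | ForEach-Object {
    # -WhatIf only previews the deletion; remove it to actually revoke the grant.
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id -WhatIf
}
```

Run the report first and review the `Flagged` and `PublisherOrgId` columns before revoking anything, since removing a grant breaks the app for that user until consent is approved again.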
🚫 Step 2: Disable User Consent to Apps
To prevent future unauthorized access:
1. Navigate to the Microsoft Entra admin center (https://entra.microsoft.com/).
2. Click to expand Entra ID > Enterprise apps.
3. Under Security, select Consent and permissions > User consent settings.
4. Under User consent for applications, select Do not allow user consent.
5. Click the Save option at the top of the window.
Why This Matters:
Disabling user consent ensures that employees can’t unknowingly grant access to apps that could compromise your data. Existing consents remain active, but all new requests must go through an admin.
✅ Step 3: Enable the Admin Consent Workflow
Now, let’s activate the Admin Consent Workflow so users can request access securely.
1. In the Entra Admin Center, go to: Enterprise Apps
2. Under Security, select Consent and permissions
3. Click Admin consent settings
4. Set: Users can request admin consent to apps they are unable to consent to → Yes
5. Assign reviewers (Global Admin, Cloud App Admin, or Application Admin)
Why This Matters:
This workflow ensures that app access is reviewed by trusted admins. Users can still request access, but nothing gets approved without oversight.
🔐 Benefits for SMBs
- Reduces attack surface by blocking risky app access
- Improves compliance with CIS benchmarks and Microsoft best practices
- Empowers IT admins to control data access without slowing down productivity
🛡️ About PlexHosted LLC
At PlexHosted, we specialize in helping SMBs enhance their security and compliance posture in Microsoft 365. From configuring secure access policies to implementing CIS-aligned controls, our team ensures your cloud environment is protected and optimized.
Need help securing your Microsoft 365 tenant? Let PlexHosted guide your journey to a safer, more compliant cloud.







