From 69d52f633575f99856269552e11fd57c54595ef6 Mon Sep 17 00:00:00 2001
From: Ben Jenkins <140325164+Yebbenbe@users.noreply.github.com>
Date: Wed, 21 May 2025 16:37:54 -0300
Subject: [PATCH] Update configure-user-consent.md - needs work

1. Added a basic intro to what MgPolicyPermissionGrantPolicies are, since there wasn't one? This IS the first article in this section, isn't it?
2. Tried to make sense of the 'PermissionGrantPoliciesAssigned' on line 80. Is this a parameter? What is this? It's not mentioned anywhere in the doc up to here, but the doc seems to think it is.

Get-MgPolicyAuthorizationPolicy | Select-Object -ExpandProperty PermissionGrantPoliciesAssigned
Select-Object : Property "PermissionGrantPoliciesAssigned" cannot be found

I tried to get some clarity from various sources, inclu AI on this - but they refer back to this documentation, and it just makes them more confused. I've italicized the part where it really starts to break down - if someone can make sense of this, great. If not, I will try to find answers and fix it.
---
 .../identity/enterprise-apps/configure-user-consent.md | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/docs/identity/enterprise-apps/configure-user-consent.md b/docs/identity/enterprise-apps/configure-user-consent.md
index a72b3aa0a6c..41f33973dec 100755
--- a/docs/identity/enterprise-apps/configure-user-consent.md
+++ b/docs/identity/enterprise-apps/configure-user-consent.md
@@ -16,7 +16,7 @@ ms.custom: enterprise-apps zone_pivot_groups: enterprise-apps-minus-legacy-powershell -#customer intent: As an IT admin, I want to configure user consent settings for applications, so that I can control the level of access users have to my organization's data and reduce the risk of malicious applications. +#customer intent: As an IT admin, I want to configure user consent settings for applications, so that I can control the level of access users have to my organization's data and reduce the risk of malicious applications. I also want documentation written for users, not the developers. --- # Configure how users consent to applications 
@@ -69,9 +69,15 @@ Connect to Microsoft Graph PowerShell using the least-privilege permission neede Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization" ``` +### List the current permission grant policies +```powershell +Get-MgPolicyPermissionGrantPolicy | fl +``` +Will list your current permission grant policies. These policies determine what permissions can be granted to applications and under what circumstances. Each policy 'includes' certain conditions, but 'excludes' others. When a user tries to consent to an application, the system checks the permission grant policies to see if any of them apply to the user's request. For example, the low-risk policy would allow users to consent to those permissions configured as 'low risk' - it includes these low-risk policies (as a GUID). In another scenario, a user tries to consent in a context that matches the 'AdminOnly' policy - they are unable to consent. + ### Disable user consent using Microsoft Graph PowerShell -To disable user consent, ensure that the consent policies (`PermissionGrantPoliciesAssigned`) include other current `ManagePermissionGrantsForOwnedResource.*` policies if any while updating the collection. This way, you can maintain your current configuration for user consent settings and other resource consent settings. +To disable user consent, you need to update the consent policies - without losing any configuration. *`PermissionGrantPoliciesAssigned`- include other current `ManagePermissionGrantsForOwnedResource.*` policies if any while updating the collection. This way, you can maintain your current configuration for user consent settings and other resource consent settings.* ```powershell # only exclude user consent policy