configure-user-consent-groups.md

File metadata and controls

126 lines (92 loc) · 5.79 KB
title description services author manager ms.service ms.subservice ms.workload ms.topic ms.date ms.author ms.reviewer ms.custom
Configure group owner consent to apps accessing group data using Azure AD
Learn manage whether group and team owners can consent to applications that will have access to the group or team's data.
active-directory
davidmu1
CelesteDG
active-directory
app-mgmt
identity
how-to
05/19/2020
davidmu
arvindh, luleon, phsignor
contperf-fy21q2

# Configure group owner consent to apps accessing group data

Group and team owners can authorize applications, such as applications published by third-party vendors, to access your organization's data associated with a group. For example, a team owner in Microsoft Teams can allow an app to read all Teams messages in the team, or list the basic profile of a group's members. See Resource-specific consent in Microsoft Teams to learn more.

## Manage group owner consent to apps

You can configure which users are allowed to consent to apps accessing their groups' or teams' data, or you can disable this for all users.

Follow these steps to manage group owner consent to apps accessing group data:

  1. Sign in to the Azure portal as a Global Administrator.
  2. Select Azure Active Directory > Enterprise applications > Consent and permissions > User consent settings.
  3. Under Group owner consent for apps accessing data, select the option you'd like to enable.
  4. Select Save to save your settings.

In this example, all group owners are allowed to consent to apps accessing their groups' data:

:::image type="content" source="media/configure-user-consent-groups/group-owner-consent.png" alt-text="Group owner consent settings":::

You can use the Azure AD PowerShell Preview module, AzureADPreview, to enable or disable group owners' ability to consent to applications accessing your organization's data for the groups they own.

  1. Make sure you're using the AzureADPreview module. This step is important if you have installed both the AzureAD module and the AzureADPreview module.

    ```powershell
    Remove-Module AzureAD
    Import-Module AzureADPreview
    ```

  2. Connect to Azure AD PowerShell.

    ```powershell
    Connect-AzureAD
    ```

  3. Retrieve the current value for the Consent Policy Settings directory settings in your tenant. This requires checking whether the directory settings for this feature have been created, and if not, using the values from the corresponding directory settings template.

    ```powershell
    $consentSettingsTemplateId = "dffd5d46-495d-40a9-8e21-954ff55e198a" # Consent Policy Settings
    $settings = Get-AzureADDirectorySetting -All $true | Where-Object { $_.TemplateId -eq $consentSettingsTemplateId }

    if (-not $settings) {
        # No tenant-specific settings exist yet; start from the template defaults
        $template = Get-AzureADDirectorySettingTemplate -Id $consentSettingsTemplateId
        $settings = $template.CreateDirectorySetting()
    }

    $enabledValue = $settings.Values | Where-Object { $_.Name -eq "EnableGroupSpecificConsent" }
    $limitedToValue = $settings.Values | Where-Object { $_.Name -eq "ConstrainGroupSpecificConsentToMembersOfGroupId" }
    ```

  4. Understand the setting values. There are two setting values that define which users are able to allow an app to access their group's data:

    | Setting | Type | Description |
    | --- | --- | --- |
    | EnableGroupSpecificConsent | Boolean | Flag indicating whether group owners are allowed to grant group-specific permissions. |
    | ConstrainGroupSpecificConsentToMembersOfGroupId | Guid | If EnableGroupSpecificConsent is set to "True" and this value is set to a group's object ID, members of the identified group will be authorized to grant group-specific permissions to the groups they own. |

  5. Update the setting values for the desired configuration (choose one of the three):

    ```powershell
    # Option A: disable group-specific consent entirely
    $enabledValue.Value = "False"
    $limitedToValue.Value = ""

    # Option B: enable group-specific consent for all users
    $enabledValue.Value = "True"
    $limitedToValue.Value = ""

    # Option C: enable group-specific consent only for users in a given group
    $enabledValue.Value = "True"
    $limitedToValue.Value = "{group-object-id}"
    ```

  6. Save your settings.

    ```powershell
    if ($settings.Id) {
        # Update the existing directory setting
        Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings
    } else {
        # Create a new directory setting to override the template default
        New-AzureADDirectorySetting -DirectorySetting $settings
    }
    ```
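As an added example (not part of the original article), the following PowerShell reads the same Consent Policy Settings directory setting, reports the effective group-owner consent mode, warns when the constraining group ID no longer resolves to a group, and only saves a group constraint after verifying the group exists. It assumes AzureADPreview is imported and Connect-AzureAD has already been run; the function names are my own.

```powershell
# Added example, not from the original article. Assumes AzureADPreview is
# imported and Connect-AzureAD has already been run with sufficient rights.
$consentSettingsTemplateId = "dffd5d46-495d-40a9-8e21-954ff55e198a"  # Consent Policy Settings template

function Get-ConsentPolicySetting {
    # Returns the tenant override if one exists, otherwise an unsaved copy of the template defaults.
    $settings = Get-AzureADDirectorySetting -All $true |
        Where-Object { $_.TemplateId -eq $consentSettingsTemplateId }
    if (-not $settings) {
        $template = Get-AzureADDirectorySettingTemplate -Id $consentSettingsTemplateId
        $settings = $template.CreateDirectorySetting()
    }
    return $settings
}

function Get-GroupOwnerConsentState {
    # Interprets the two values as one of three effective modes and resolves the constraining group.
    $settings = Get-ConsentPolicySetting
    $enabled = ($settings.Values | Where-Object { $_.Name -eq "EnableGroupSpecificConsent" }).Value
    $groupId = ($settings.Values | Where-Object { $_.Name -eq "ConstrainGroupSpecificConsentToMembersOfGroupId" }).Value
    $mode = "Disabled"; $groupName = $null
    if ($enabled -eq "True") {
        if ([string]::IsNullOrWhiteSpace($groupId)) {
            $mode = "AllGroupOwners"
        } else {
            $mode = "OwnersWhoAreMembersOfGroup"
            # A deleted or mistyped group ID leaves the constraint pointing nowhere; surface that rather than hide it.
            try { $groupName = (Get-AzureADGroup -ObjectId $groupId -ErrorAction Stop).DisplayName }
            catch { Write-Warning "Constraining group $groupId could not be resolved; review this setting." }
        }
    }
    [pscustomobject]@{
        Source = $(if ($settings.Id) { "TenantOverride" } else { "TemplateDefault" })
        Mode = $mode; GroupId = $groupId; GroupName = $groupName
    }
}

function Set-GroupOwnerConsentToGroup {
    # Hardened form of step 5, option C: refuse to save a constraint that does not point at an existing group.
    param([Parameter(Mandatory)][string]$GroupObjectId)
    $group = Get-AzureADGroup -ObjectId $GroupObjectId -ErrorAction Stop
    $settings = Get-ConsentPolicySetting
    ($settings.Values | Where-Object { $_.Name -eq "EnableGroupSpecificConsent" }).Value = "True"
    ($settings.Values | Where-Object { $_.Name -eq "ConstrainGroupSpecificConsentToMembersOfGroupId" }).Value = $group.ObjectId
    if ($settings.Id) { Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings }
    else { New-AzureADDirectorySetting -DirectorySetting $settings }
}

Get-GroupOwnerConsentState | Format-List
```

Running Get-GroupOwnerConsentState before and after a change gives a quick record of what the tenant actually enforces, which is useful when reviewing consent settings alongside the portal view above.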

> [!NOTE]
> The "Users can consent to apps accessing company data on their behalf" setting, when turned off, does not disable the "Users can consent to apps accessing company data for groups they own" option.

## Next steps

To learn more:

To get help or find answers to your questions: