Table of Contents
Use PowerShell to Find and Report Details of Admin Consent Requests
Dinesh asked “How can I generate a report of Admin Consent Requests received by Entra ID? I’m specifically looking for information such as who sent the consent request, which application was involved, what API permissions the application requested, and how many users have already requested the consent.”
I was busy and didn’t pay too much attention to the question apart from offering some suggestions about using Fiddler (or even Graph X-Ray) to see what requests the Entra ID admin center generated. Like in many situations with Microsoft 365, the key to starting a PowerShell script is to find out what cmdlet to fetch information with.
In any case, I was delighted when Dinesh reported that he had found the necessary cmdlet (Get-MgIdentityGovernanceAppConsentRequest from the Microsoft Graph PowerShell SDK) to answer his question. It’s always great (and far too rare) when someone who asks a question goes ahead to do the necessary research to answer their own question.
Workflow for Admin Consent Requests
Administrator consent requests are an Entra ID workflow to allow users to request administrators to grant consent for enterprise applications that they want to use. You do not want end users to grant consent for applications to access data, but you also don’t want to get in the way of people doing real work. The answer is to enable the workflow to permit users to submit requests for administrator approval.
When the workflow is active, when users attempt to use an enterprise application with permissions that are not yet approved, Entra ID prompts the user to request approval. Figure 1 shows what happens when a user attempts to sign into the Microsoft Technical Community.
The first time this happens in a tenant, the application attempts to create a service principal as its representation in the tenant. This cannot happen until consent is gained for the permissions it needs. In this case, the user cannot grant consent, so Entra ID routes the request to the users identified as approvers. Requests arrive via email (Figure 2). The user who generates the request also receives email notification that their request is under review.
Oddly, the request email shows the alternative email address for the requestor instead of their primary SMTP address. This might be a glitch. In any case, when the reviewer opens the request in the Entra ID admin center, they see details of the application (Figure 3). To approve the request, they must sign in to see the requested permissions and proceed to give or refuse consent.
The user who generates a request receives an email notification to tell them about the reviewer’s decision. Overall, it’s a simple but effective workflow.
The Code
Dinesh’s code works and is a good example of extracting and processing Entra ID information. I reworked it a little to add a check for high-profile permissions that should draw additional attention from administrators. These permissions include the ability to read everything from the directory, access all users, groups, sites, and so on. The data returned for consent requests includes some user details (user principal name and identifier). I added a call to Get-MgUser to retrieve other details that might be useful such as their department, job title, and country.
You can download the script from GitHub. Normal caveats apply – better error checking and formatting of the output would be beneficial. Nevertheless, the code proves the principles involved in using PowerShell to retrieve and process admin consent requests.
The Power of Community
I receive many requests for assistance, some of which are along the lines of “please write a script for me.” I ignore these requests because I am not in the business of doing work that other people should do for themselves. It’s always better when someone works out how to accomplish a task using their own brainpower, just like Dinesh did.
Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.
Hi Tony,
I am ecstatic to see that you have written an article about the Azure AD (EntraID) Admin Consent requests and have mentioned my name in it. It is an honour to receive recognition from a well-respected MVP who is known worldwide. This is the best Christmas gift I could ask for, and I am truly grateful. Thank you so much.
No worries. You did a great job.
Hi! The link to the script goes to file edit form, resulting in error (when I do not have edit permission for the repo).
You should be able to get to it at https://github.com/12Knocksinna/Office365itpros/edit/master/Report-PermissionConsentRequests.PS1…. No one else has complained!
I was also prompted to sign in to GitHut when I tried Tony’s link. However, this link does work: https://github.com/12Knocksinna/Office365itpros/blob/master/FindAppConsentGrants.PS1 .
Sorry.. this links works: https://github.com/12Knocksinna/Office365itpros/blob/master/Report-PermissionConsentRequests.PS1
Another great post! Thanks Tony (and Dinesh).
I did notice one tiny typo in the script:
ForEach ($ConsentRequest in $ConsentRequest) {
should be:
ForEach ($ConsentRequest in $ConsentRequests) {
Rats. I hadn’t committed a change. I have now!
Hi Tony,
I see one serious downside of the workflow no matter if you are using GUI or PowerShell script described in the article:
Consent requests do not show particular permissions that are required by the App. You can only see some basic information.
I would expect to see all required permissions before I consent them. Is it possible to pull this info? What is the best practice on this?
Regards,
Marcin
OK, from GUI permissions are actually visible once you choose “Review permissions and consent” but not sure how to pull these via PowerShell?