User and admin consent
Controls whether an application can receive delegated or application permissions and who is authorized to approve the requested scope.
Microsoft 365 privileged access governance
Control application consent, enterprise app permissions, partner GDAP relationships, administrator approval powers, Microsoft support data-access requests, monitoring, expiration, and revocation as separate access paths with one evidence standard.
Governance objective
An OAuth consent grant, an enterprise application assignment, a partner’s GDAP relationship, an administrator role, and a Microsoft Customer Lockbox request are not interchangeable. They use different identities, approval mechanisms, scopes, time limits, logs, and revocation methods. Each needs a named owner and a reproducible decision record.
Controls whether an application can receive delegated or application permissions and who is authorized to approve the requested scope.
Controls the service principal, permissions, assignments, owners, sign-in behavior, credentials, Conditional Access exposure, and tenant lifecycle.
Controls which partner security groups receive which GDAP roles, for which customer, for how long, and whether auto-extend is justified.
Controls who can configure the workflow, review requests, grant consent, manage applications, create support requests, or approve data access.
Customer Lockbox can require an organizational approval before a Microsoft engineer receives time-limited access to supported customer content.
Audit evidence must show grants, changes, sign-ins, service-principal activity, partner relationships, approvals, expirations, denials, and revocation.
Access decision matrix
| Access path | Principal and scope | Approval questions | Evidence and removal |
|---|---|---|---|
| Delegated OAuth permission | The app acts on behalf of a signed-in user and is constrained by both the granted permission and that user’s effective access. | Is user presence required? Is the scope necessary? Can user consent be limited to low-risk permissions and verified publishers? | Consent grant, app/publisher, scope, users, owner, sign-in evidence; revoke delegated grants and invalidate relevant sessions/tokens when required. |
| Application permission | The app acts as itself without a signed-in user and can operate across the tenant resources allowed by the permission. | Why is unattended access necessary? Is resource-specific scoping available? Who protects credentials/certificates and monitors use? | App role grants, credential inventory, resource restriction, owner, workload logs; remove app role assignment/credential or disable/delete the service principal. |
| Enterprise app assignment | Users/groups are assigned to use an enterprise application; assignment does not by itself replace permission review. | Is assignment required? Are owners active? Is access conditional, licensed, and periodically reviewed? | Assignments, owners, sign-ins, Conditional Access, provisioning state; unassign, disable sign-in, remove provisioning, or retire the service principal. |
| GDAP relationship | Partner users inherit approved customer roles through partner security-group access assignments. | Are roles least privilege and task-specific? Is duration appropriate? Is auto-extend justified? Are partner memberships controlled? | Relationship, roles, groups, users, duration, customer approval, access-assignment evidence; remove roles, terminate relationship, or remove partner users from groups. |
| Customer Lockbox | A Microsoft engineer receives approved, temporary access to customer content for a specific support request. | Does the service request require content access? Is the request number valid? Are scope, reason, and timing acceptable? | Request, approver, decision, service request, duration, email/history, audit records; deny or allow the approved period to expire. |
Admin consent workflow
Eight-stage review
Do not approve from the permission prompt alone. Use the app details, requested-by context, enterprise application record, publisher information, requested permissions, data path, authentication design, and business owner.
Capture application ID, service principal ID, tenant, publisher, verified-publisher status, requester, business owner, and support owner.
Separate delegated permissions, application permissions, role assignments, resource-specific consent, and other access methods.
Map each permission to a documented feature and data flow. Reject “required by vendor” as the only rationale.
Remove unused scopes, prefer delegated or resource-specific access where appropriate, restrict assignments, and limit credentials.
Review publisher/domain, privacy/security terms, data location, retention, subprocessors, incident notification, and removal support.
Use the correct privileged role, record the approver, grant only the reviewed scope, and avoid unrelated changes.
Review sign-ins, service-principal activity, consent/app-role changes, credentials, assignments, risky behavior, and owner status.
At the review date, validate use and permissions again or revoke grants, disable access, remove credentials, and close dependencies.
Partner support access
Microsoft support data access
Monitoring and removal
Common failure modes
An administrator approves from the consent prompt without reviewing publisher, business owner, data flow, application permissions, or revocation design.
Unattended app-only access is underestimated because reviewers assume the signed-in user’s permissions constrain it.
A person is added as a workflow reviewer but lacks—or is over-granted—the role required for the requested permission.
Owners leave, credentials remain, sign-in activity is poorly understood, and no business team accepts removal risk.
GDAP requests many roles “just in case,” uses long duration or auto-extend without review, and lacks partner membership evidence.
A Microsoft engineer’s Lockbox request, a CSP relationship, and an enterprise app grant are recorded as one generic vendor-access item.
The request is denied, but the requester receives no safe alternative, app owner remediation path, or decision rationale.
A grant or relationship is removed in one portal, but credentials, tokens, app assignments, or downstream sessions still work.
The organization has a one-time approval ticket but no owner attestation, activity review, expiration, exception register, or removal result.
Audit-ready evidence
Related ecosystem guides
FAQ
Delegated permissions let an app act on behalf of a signed-in user and are constrained by the user’s effective access. Application permissions let an app act as itself without a signed-in user and can support unattended tenant-wide operations, so they usually need stronger review.
No. Reviewer designation does not elevate Microsoft Entra permissions. The reviewer must already hold a role authorized to grant the requested permissions, and Microsoft documents Global Administrator approval for Microsoft Graph application-permission requests.
Denying rejects the current request but allows future requests. Blocking also prevents future requests for the same application and creates a disabled service principal in the tenant.
Microsoft documents a maximum two-year duration. Auto-extend can add six months repeatedly until disabled or terminated, but relationships containing Global Administrator cannot auto-extend.
For supported Microsoft 365 services and licensing, it lets an organization approve or deny a specific, time-limited request by a Microsoft engineer to access customer content for a support scenario. It is separate from app consent and partner GDAP.
Keep the original grant, owner and review decision, removal actions across grants/roles/assignments/credentials, token or session handling, audit events, and a validation showing that the prior access no longer succeeds.
IT Perfection helps Orange County and Southern California organizations inventory enterprise apps, improve consent workflows, scope partner support access, document Customer Lockbox decisions, monitor activity, and remove stale access.
Created by Ali Hassani, CISO — 25+ years of IT, cybersecurity, compliance, and infrastructure experience. This guide is for initial guidance only and does not replace a professional cybersecurity audit, compliance assessment, penetration test, or legal/compliance review. Microsoft roles, licensing, portal behavior, limits, and supported workloads change; validate current Microsoft documentation and tenant behavior before implementation.
We use necessary cookies and limited analytics and advertising-measurement cookies. Select Accept to allow optional cookies or Deny to continue with necessary cookies only. No name or email is required. You may close this website at any time.