Glossary
App Consent Policy
An Entra ID policy controlling which OAuth permissions users can consent to grant to applications.
An app consent policy in Microsoft Entra ID controls which OAuth permissions users can consent to grant to applications during sign-in. By default, users can consent to broad Microsoft Graph permissions (read mail, calendar, files) without admin involvement, which is the vector for consent phishing attacks. An app consent policy restricts user consent to low-risk permissions; everything else requires admin consent. Entra ID ships three built-in policies: microsoft-user-default-low (very restrictive), microsoft-user-default-recommended (the recommended baseline), and microsoft-user-default-legacy (the historical permissive default). The policy is configured in the Entra admin centre under Enterprise applications → Consent and permissions. Combined with the admin consent workflow (users request consent, admins approve), it provides strong protection against malicious OAuth apps.
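An added example (not part of the glossary) that audits which of the three built-in policies a tenant actually assigns to users, reading the JSON that Microsoft Graph returns for the authorizationPolicy and adminConsentRequestPolicy objects; the two tenant documents inside it are constructed samples, not real tenant data.

```python
# Classifies a tenant's user-consent posture from two Microsoft Graph policy
# objects: GET /policies/authorizationPolicy (which app consent policy applies
# to ordinary users) and GET /policies/adminConsentRequestPolicy (whether the
# admin consent workflow is on). Added example, not part of the glossary.
# The sample documents at the bottom are constructed, not real tenant data.

# Built-in app consent policies named in the glossary.
BUILTIN = {
    "microsoft-user-default-low": "low",
    "microsoft-user-default-recommended": "recommended",
    "microsoft-user-default-legacy": "legacy",
}
# Assignments with this prefix govern what users may consent to for themselves.
PREFIX = "ManagePermissionGrantsForSelf."


def user_consent_setting(authz_policy: dict) -> str:
    """Return 'disabled', 'low', 'recommended', 'legacy' or 'custom'."""
    assigned = (authz_policy.get("defaultUserRolePermissions") or {}).get(
        "permissionGrantPoliciesAssigned") or []
    names = [p[len(PREFIX):] for p in assigned if p.startswith(PREFIX)]
    if not names:
        return "disabled"  # no user consent at all; admins grant everything
    levels = {BUILTIN.get(n, "custom") for n in names}
    # Report the weakest assignment: one legacy assignment undoes the rest.
    return next(l for l in ("legacy", "custom", "recommended", "low") if l in levels)


def assess(authz_policy: dict, consent_request_policy: dict) -> dict:
    """Combine both policies into a setting, workflow flag and findings list."""
    setting = user_consent_setting(authz_policy)
    workflow = bool(consent_request_policy.get("isEnabled", False))
    findings = []
    if setting == "legacy":
        findings.append("users can consent to broad Graph permissions (consent phishing risk)")
    elif setting == "custom":
        findings.append("custom app consent policy assigned; review its permission set")
    if setting != "legacy" and not workflow:
        findings.append("admin consent workflow disabled; blocked requests have no review path")
    return {"setting": setting, "workflow": workflow, "findings": findings}


# Constructed samples: a tenant still on the permissive legacy default, and one
# on the recommended baseline.
LEGACY_TENANT = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [
    "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"]}}
HARDENED_TENANT = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [
    "ManagePermissionGrantsForSelf.microsoft-user-default-recommended"]}}
WORKFLOW_OFF, WORKFLOW_ON = {"isEnabled": False}, {"isEnabled": True}
```

Run `assess(LEGACY_TENANT, WORKFLOW_OFF)` against the legacy sample to see the consent phishing finding, and `assess(HARDENED_TENANT, WORKFLOW_ON)` to see a clean result.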