Chatee ahora con Soporte
Chat con el soporte

On Demand Global Settings Current - User Guide

Working with On Demand Overview of On Demand Signing up for On Demand Managing organizations and regions Adding users to an organization Managing your Microsoft Entra tenants and on-premises domains On Demand Home page Configuring settings Documentation roadmap Technical Support

Managing admin consent permissions

Once you add a tenant, you are redirected to a page that lists the permissions that will be granted. You must click Accept and provide admin consent for the On Demand application. Once the Global Administrator adds a tenant to On Demand, an application record is created in the tenant indicating that admin consent has been provided.

 
* 
NOTE: Global Admin credentials are only required to grant admin consent for the minimal list of permissions required by On Demand. Global Admin credentials are not stored, shared, or used for any other purpose.

When you first add a tenant, only the minimum permission settings are granted. Some modules require additional permissions for specific activities. Once a tenant has been added to On Demand, you can grant additional permissions on the Tenant Consents page.

To open the Tenant Consents page, click Tenants in the navigation page and click Edit Consents on the tenant tile.

You can view the specific permissions for each On Demand application by clicking View Details. You can also see the last time that consent was granted and which On Demand user granted the consent.
About admin consent status
Granting and regranting admin consent
About revoking admin consent

About admin consent status

On the Tenant Consents page, you can view admin consent status for various applications used by On Demand modules for each tenant that you have added. The process of granting access to the customer Microsoft Entra tenant by the tenant global administrator is referred to as admin consent. A Microsoft Entra tenant global administrator must provide consent to any application listed on the page. Each application on this page defines the set of permissions required to provide a specific module functionality.

When a tenant is first added, the user is requested to grant admin consent for the Basic application. Other modules require a higher level of permissions.

Following best practices for SaaS applications, On Demand applications use OAuth 2.0 and OpenId Connect protocol and authentication library for the Microsoft Identity Platform to configure and request access to protected resources in customer tenants. All On Demand applications described on the Tenant Admin Page are configured in Microsoft Entra ID as multi-tenant confidential applications (https://learn.microsoft.com/en-us/entra/identity-platform/application-model#multitenant-apps).

Some On Demand modules require that a role be assigned to the service principal in addition to admin consent grant. The role is needed to support specific module functionality. For example, after granting consent for the Exchange Online PowerShell consent type, you must assign the Exchange Admin Role. This role is needed to perform Exchange tasks such as linking mailboxes to users and deleting mail-enabled groups.

Granting and regranting admin consent

You must grant specific admin consents for each On Demand tenant. For example, if you grant access for MyCompany tenant in organization A, and add the MyCompany tenant to organization B, you must grant consent for organization B. In some situations, you might have to regrant consent for an application used by your tenant.

For some consent types, you might also have to assign a role after you grant consent.

To grant admin consent for a tenant
1
Click Tenants in the navigation panel on the left.
2
At the bottom of a tenant tile, click Edit Consents.
The Tenant Consents page for the tenant opens.
In the Status and Actions column, the status information indicates whether admin consent has been granted for the module consent type.
3
If the current status is Not Granted, you can enable the module consent type for this tenant by clicking Grant Consent.
If the current status is Regrant Consent, a change in the required permissions or new functionality might mean that you must regrant consent for a previously granted consent.
4
For the Exchange Online PowerShell consent type, the Exchange Admin Role must be assigned. After you grant consent for Exchange Online PowerShell, click Assign Role.
 
* 
NOTE: If you assign a role and immediately refresh the page, the Assignment state might be displayed as "Not Assigned" for a short time until you refresh the page again.
 
5
To view the permissions that are granted for each consent type, click View Details.
 
* 
NOTE: If additional admin consent permissions are required to perform specific tasks within a module, these consent types are listed below the core or basic consent type for the module.
About the Status and Actions column

For the following scenarios, you would click Grant Consent or Regrant Consent in the Status and Actions column.
The admin consent token for the module expired, resulting in a status of Consent Required. The status of Consent Required indicates that On Demand cannot obtain a token with delegated permissions based on a previously granted admin consent. To restore the interrupted services, you must regrant consent.
The Consent Required status can be caused if the Microsoft Entra ID Global Administrator account used to grant consent has been changed such as: password change, user role change in the organization, user account was disabled or removed, or all tokens were invalidated for a tenant after a tenant policy update.
A new feature in an On Demand module can require that additional permissions be granted. In this scenario, you would click Regrant Consent. For example, when On Demand implemented the new Microsoft Authentication Library (MSAL) in June 2022, admin consents had to be regranted for modules that use delegated permissions.
The following On Demand application registrations use delegated permissions:
Quest On Demand - Recovery - Basic
Quest On Demand - Recovery - Restore
Quest On Demand - Migration - Teams
Quest On Demand - License Management - Self Service License Reporting
For more information, see About the Microsoft Authentication Library (MSAL) .
Admin consent has been revoked in the Microsoft Azure portal, resulting in a status of Revoked. If you revoke the Core Basic admin consent in the tenant you will see Revoked status for Core Basic and Not Available for all other modules. The Core Basic application is used to determine the consent status for your tenant. If that consent is revoked, On Demand cannot determine consent status for the rest of the modules. Consent might be granted for the modules, but On Demand cannot verify it.
For this reason, it is strongly recommended that you do not revoke Core Basic consent.
About the Microsoft Authentication Library (MSAL)

The Microsoft Authentication Library (MSAL) provides improved security, is resilient, and allows tokens to be generated with a very granular scope. Since MSAL supports generated tokens with a granular scope, On Demand can use tokens with a narrowed scope when accessing your tenant.

This feature provides a more secure and granular approach for accessing your data. For more information, see Permissions and consent in the Microsoft identity platform.

Prerequisite for Self Service License Reporting access

For the License Management module, to use Self Server License Reporting, you must grant additional permissions over the Base permissions.

Sometimes, when you grant consent for Self Service License Reporting, you might see an error that indicates that the app requires access to a service that your organization has not subscribed to or enabled. This error occurs if the Microsoft M365 License Manager API, required to gather self-service policy data, is not enabled in the tenant by default. You can resolve the error by enabling the M365 License Manager API in the tenant.

To enable the M365 License Manager API
1
Install the Azure PowerShell Az module if it is not already installed.
2
Run the Connect-AzAccount cmdlet to log into your tenant using an account that has Microsoft Entra ID administrative rights.
3
Run the following command:
New-AzADServicePrincipal -ApplicationId aeb86249-8ea3-49e2-900b-54cc8e308f85

After you complete these steps, you can complete the Grant Consent for Self Service License Reporting without errors.

About revoking admin consent

Completely revoking admin consent removes all permissions granted for the On Demand application. Revoking admin consent is a manual process that must be performed in the Microsoft Azure portal.

NOTE: You can revoke or disable consent in the Microsoft Azure Portal.

Revoking admin consent in the Azure Portal

Revoking admin consent removes all permissions granted for the On Demand application.

To revoke admin consent
1
Log in to the Azure Resource Manager with the credentials for the Microsoft Entra tenant.
2
Click on the Microsoft Entra ID icon in the left menu.
3
In the Active Directory panel, select Enterprise applications.
4
In the Enterprise applications panel, select All applications.
5
Search for and select the Quest On Demand application.
6
In the Manage section of the left menu, select Properties.
7
At the top of the Properties pane, select Delete, and then select Yes to confirm you want to delete the application from your Microsoft Entra tenant.

Alternately, to disable consent, you can disable a user from signing in.

To disable a user from signing in
1
Sign in to the Azure portal as the global administrator for your directory.
2
Search for and select Microsoft Entra ID.
3
Select Enterprise applications.
4
Search for and select the Quest On Demand application.
5
Select Properties.
6
Select No for Enabled for users to sign-in?.
7
Select Save.
Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación