• Become a portal pro
• Download
• Print
• My Downloads ()

• Support
• Technical Documentation
• On Demand Global Settings Current
• On Demand Global Settings Current - User Guide

On Demand Global Settings Current - User Guide

Table of Contents  

Working with On Demand Overview of On Demand

Organizations Microsoft Entra tenants

Signing up for On Demand

Organizations and regions Signing in to On Demand

On Demand subscriptions

Managing organizations and regions

Geographic regions Multiple organizations Creating a new organization Displaying the organization ID and deployment region Switching organizations Editing organization settings

Restricting access to organizations Renaming organizations

Deleting organizations

Adding users to an organization

Users and roles

Default roles and permissions

Adding a user and assigning a role Access Control: Roles

Viewing role permissions Creating a custom role Editing a custom role Assigning a role to a user Deleting a custom role

Access Control: Users

Adding a user to your organization and assigning a role Editing user roles Removing a user from the organization

Inviting users to join an On Demand organization

Managing your Microsoft Entra tenants and on-premises domains

Tenants overview Adding tenants

GCC and GCC High tenants Prerequisites for adding tenants

Displaying a tenant name change

Managing admin consent permissions

About admin consent status Granting and regranting admin consent About the Status and Actions column About the Microsoft Authentication Library (MSAL) Prerequisite for Self Service License Reporting access About revoking admin consent

Removing a tenant Managing your on-premises domains On-premises agent prerequisites On-premises agent supported operating systems On-premises agent system configuration requirements On-premises agent endpoint requirements Adding an on-premises agent

Installing the agent using the command shell

Configuring an agent Editing an agent configuration Automatic updates for on-premises agents Removing an agent Adding an Active Directory domain

Editing a domain configuration

Removing a domain

On Demand Home page

Masthead

Masthead drop-down menu Information window On Demand Status page

Side navigation panel Dashboard

Tenant filter Needs your attention! Module tiles

Configuring settings

Organization Access Control Subscriptions

Subscription details Managing subscriptions

Sharing a subscription Stop using a shared subscription Changing Owner When Moving from Trial to Paid Subscription

Subscription expiry

Stage 1: Your subscription expires in X days Stage 2: Subscription expired. Access denied. Stage 3: Subscription expired. Service disabled. Stage 4: Subscription expired. Data deleted.

Activity trail Notifications

Documentation roadmap

Global settings

Release Notes

More resources

Technical Support

Current operational status Contact support Module product support pages Information and discussion: Quest community forums

• Viewing Topics 41 - 44 of 96

×

About admin consent status

On the Tenant Consents page, you can view admin consent status for various applications used by On Demand modules for each tenant that you have added. The process of granting access to the customer Microsoft Entra tenant by the tenant global administrator is referred to as admin consent. A Microsoft Entra tenant global administrator must provide consent to any application listed on the page. Each application on this page defines the set of permissions required to provide a specific module functionality.

When a tenant is first added, the user is requested to grant admin consent for the Basic application. Other modules require a higher level of permissions.

Following best practices for SaaS applications, On Demand applications use OAuth 2.0 and OpenId Connect protocol and authentication library for the Microsoft Identity Platform to configure and request access to protected resources in customer tenants. All On Demand applications described on the Tenant Admin Page are configured in Microsoft Entra ID as multi-tenant confidential applications (https://learn.microsoft.com/en-us/entra/identity-platform/application-model#multitenant-apps).

Some On Demand modules require that a role be assigned to the service principal in addition to admin consent grant. The role is needed to support specific module functionality. For example, after granting consent for the Exchange Online PowerShell consent type, you must assign the Exchange Admin Role. This role is needed to perform Exchange tasks such as linking mailboxes to users and deleting mail-enabled groups.

Granting and regranting admin consent

You must grant specific admin consents for each On Demand tenant. For example, if you grant access for MyCompany tenant in organization A, and add the MyCompany tenant to organization B, you must grant consent for organization B. In some situations, you might have to regrant consent for an application used by your tenant.

For some consent types, you might also have to assign a role after you grant consent.

To grant admin consent for a tenant

1	Click Tenants in the navigation panel on the left.

2	At the bottom of a tenant tile, click Edit Consents.

The Tenant Consents page for the tenant opens.

In the Status and Actions column, the status information indicates whether admin consent has been granted for the module consent type.

3	If the current status is Not Granted, you can enable the module consent type for this tenant by clicking Grant Consent.

If the current status is Regrant Consent, a change in the required permissions or new functionality might mean that you must regrant consent for a previously granted consent.

4	For the Exchange Online PowerShell consent type, the Exchange Admin Role must be assigned. After you grant consent for Exchange Online PowerShell, click Assign Role.

 

NOTE: If you assign a role and immediately refresh the page, the Assignment state might be displayed as "Not Assigned" for a short time until you refresh the page again.

 

5	To view the permissions that are granted for each consent type, click View Details.

 

NOTE: If additional admin consent permissions are required to perform specific tasks within a module, these consent types are listed below the core or basic consent type for the module.

About the Status and Actions column

For the following scenarios, you would click Grant Consent or Regrant Consent in the Status and Actions column.

•

The admin consent token for the module expired, resulting in a status of Consent Required. The status of Consent Required indicates that On Demand cannot obtain a token with delegated permissions based on a previously granted admin consent. To restore the interrupted services, you must regrant consent.

The Consent Required status can be caused if the Microsoft Entra ID Global Administrator account used to grant consent has been changed such as: password change, user role change in the organization, user account was disabled or removed, or all tokens were invalidated for a tenant after a tenant policy update.

•

A new feature in an On Demand module can require that additional permissions be granted. In this scenario, you would click Regrant Consent. For example, when On Demand implemented the new Microsoft Authentication Library (MSAL) in June 2022, admin consents had to be regranted for modules that use delegated permissions.

The following On Demand application registrations use delegated permissions:

•	Quest On Demand - Recovery - Basic

•	Quest On Demand - Recovery - Restore

•	Quest On Demand - Migration - Teams

•	Quest On Demand - License Management - Self Service License Reporting

For more information, see About the Microsoft Authentication Library (MSAL) .

•

Admin consent has been revoked in the Microsoft Azure portal, resulting in a status of Revoked. If you revoke the Core Basic admin consent in the tenant you will see Revoked status for Core Basic and Not Available for all other modules. The Core Basic application is used to determine the consent status for your tenant. If that consent is revoked, On Demand cannot determine consent status for the rest of the modules. Consent might be granted for the modules, but On Demand cannot verify it.

For this reason, it is strongly recommended that you do not revoke Core Basic consent.

About the Microsoft Authentication Library (MSAL)

The Microsoft Authentication Library (MSAL) provides improved security, is resilient, and allows tokens to be generated with a very granular scope. Since MSAL supports generated tokens with a granular scope, On Demand can use tokens with a narrowed scope when accessing your tenant.

This feature provides a more secure and granular approach for accessing your data. For more information, see Permissions and consent in the Microsoft identity platform.

•  Previous
• Viewing Topics 41 - 44 of 96
• Next 

Search this document Search all documents

×

 Welcome to Quest Support

You can find online support help for Quest *product* on an affiliate support site. Click continue to be directed to the correct support content and assistance for *product*.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center