Once you add a tenant, you are redirected to a page that lists the permissions that will be granted. You must click Accept and provide admin consent for the On Demand application. Once the Global Administrator adds a tenant to On Demand, an application record is created in the tenant indicating that admin consent has been provided.
To open the Tenant Consents page, click Tenants in the navigation panel and click Edit Consents on the tenant tile.
You can view the specific permissions for each On Demand application by clicking View Details. You can also see the last time that consent was granted and which On Demand user granted the consent.
Following best practices for SaaS applications, On Demand applications use the OAuth 2.0 and OpenID Connect protocols and the authentication library for the Microsoft identity platform to configure and request access to protected resources in customer tenants. All On Demand applications described on the Tenant Admin Page are configured in Microsoft Entra ID as multi-tenant confidential applications (https://learn.microsoft.com/en-us/entra/identity-platform/application-model#multitenant-apps).
For some consent types, you might also have to assign a role after you grant consent.
1. Click Tenants in the navigation panel on the left.
2. At the bottom of a tenant tile, click Edit Consents.
3. If the current status is Not Granted, you can enable the module consent type for this tenant by clicking Grant Consent.
For the following scenarios, you would click Grant Consent or Regrant Consent in the Status and Actions column.
• The admin consent token for the module expired, resulting in a status of Consent Required. The status of Consent Required indicates that On Demand cannot obtain a token with delegated permissions based on a previously granted admin consent. To restore the interrupted services, you must regrant consent.
• A new feature in an On Demand module can require that additional permissions be granted. In this scenario, you would click Regrant Consent. For example, when On Demand implemented the new Microsoft Authentication Library (MSAL) in June 2022, admin consents had to be regranted for modules that use delegated permissions.
• Admin consent has been revoked in the Microsoft Azure portal, resulting in a status of Revoked. If you revoke the Core Basic admin consent in the tenant, you will see Revoked status for Core Basic and Not Available for all other modules. The Core Basic application is used to determine the consent status for your tenant. If that consent is revoked, On Demand cannot determine consent status for the rest of the modules. Consent might be granted for the modules, but On Demand cannot verify it.
This feature provides a more secure and granular approach for accessing your data. For more information, see Permissions and consent in the Microsoft identity platform.
1. Install the Azure PowerShell Az module if it is not already installed.
NOTE: You can revoke or disable consent in the Microsoft Azure Portal.
Revoking admin consent removes all permissions granted for the On Demand application.
2. Click on the Microsoft Entra ID icon in the left menu.
3. In the Active Directory panel, select Enterprise applications.
4. In the Enterprise applications panel, select All applications.
6. In the Manage section of the left menu, select Properties.
7. At the top of the Properties pane, select Delete, and then select Yes to confirm you want to delete the application from your Microsoft Entra tenant.
Alternatively, to disable consent, you can disable a user from signing in.
2. Search for and select Microsoft Entra ID.
3. Select Enterprise applications.
5. Select Properties.
6. Select No for Enabled for users to sign-in?
7. Select Save.
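To confirm the result of either procedure above, the following added example (not part of the On Demand documentation) reads the enterprise application's state through Microsoft Graph: whether it still exists in the tenant, whether sign-in is enabled, and which delegated and application permissions remain. It assumes the Microsoft Graph PowerShell SDK is installed (the page itself only mentions the Az module) and that you sign in with an account that can use Directory.Read.All; the function name and the display-name placeholder are hypothetical.

```powershell
# Added example: read-only audit of an enterprise application's consent state.
# Assumes the Microsoft.Graph PowerShell modules are installed.
function Get-EnterpriseAppConsentState {
    param(
        # Name shown under Enterprise applications > All applications.
        [Parameter(Mandatory)] [string] $DisplayName
    )

    # Escape single quotes so the name is safe inside the OData filter.
    $escaped = $DisplayName.Replace("'", "''")
    $sps = @(Get-MgServicePrincipal -Filter "displayName eq '$escaped'" -All)

    if ($sps.Count -eq 0) {
        # No service principal: the application was deleted from the tenant,
        # which is the end state of the revoke procedure.
        return [pscustomobject]@{ DisplayName = $DisplayName; State = 'NotPresent' }
    }

    foreach ($sp in $sps) {
        # Delegated permissions consented for this application.
        $grants = @(Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All)
        # Application permissions (app roles) assigned to this application.
        $roles = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)

        $adminGrants = @($grants | Where-Object ConsentType -eq 'AllPrincipals')
        $userGrants  = @($grants | Where-Object ConsentType -eq 'Principal')

        [pscustomobject]@{
            DisplayName        = $sp.DisplayName
            AppId              = $sp.AppId
            # AccountEnabled is false after "Enabled for users to sign-in?" is set to No.
            State              = if ($sp.AccountEnabled) { 'SignInEnabled' } else { 'SignInDisabled' }
            AdminConsentScopes = ($adminGrants | ForEach-Object Scope) -join ' '
            UserConsentGrants  = $userGrants.Count
            AppRoleAssignments = $roles.Count
        }
    }
}

Connect-MgGraph -Scopes 'Directory.Read.All'
# Placeholder: replace with the application's display name in your tenant.
Get-EnterpriseAppConsentState -DisplayName '<On Demand application display name>'
```

A State of NotPresent corresponds to the delete procedure, and SignInDisabled to the sign-in procedure; any remaining AdminConsentScopes or AppRoleAssignments values show permissions that are still granted in the tenant.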