Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
1.3.4. OAuth Permission Grants and Consent
💡 First Principle: Consent is the process by which users or administrators approve an application's access to resources. Without consent, applications cannot access data even if they have requested permissions.
Scenario: A new application requests permission to read all users' calendars. You need to understand who can consent and how to review existing consents.
Consent Types
| Type | Who Consents | When Used |
|---|---|---|
| User consent | Individual user | Delegated permissions, user-level data |
| Admin consent | Administrator | Application permissions, tenant-wide access |
Controlling Consent
- Users can consent to apps: Allow/restrict user consent
- Users can register applications: Allow/restrict app creation
- Admin consent workflow: Users request, admins approve
Restricting Application Consent:
- Set "Users can register applications" to No
- Assign the Application Developer role to the selected users who still need to register apps
- This ensures only authorized users can register apps and manage the consents tied to them
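The scenario asks two things of an administrator: know whether the tenant's consent settings match the guidance above, and review consents that already exist. The following script is an added example (not MindMesh Academy course material) that does both offline against constructed sample data shaped like two Microsoft Graph resources: the `defaultUserRolePermissions` block of `authorizationPolicy` (`allowedToCreateApps`, `permissionGrantPoliciesAssigned`) and `oAuth2PermissionGrant` records (`consentType` is "AllPrincipals" for admin consent on behalf of the tenant, "Principal" for one user's own consent; `scope` is a space-separated list of delegated permissions). The sensitive-scope list and the sample grants are assumptions for illustration, not an exhaustive classification.

```python
"""Added example: audit an Entra ID tenant's consent posture offline.

The POLICY and GRANTS values are constructed samples; the field names
follow the Graph `authorizationPolicy.defaultUserRolePermissions` and
`oAuth2PermissionGrant` shapes. SENSITIVE_SCOPES is a starting point
chosen for this example, not an official classification.
"""
from dataclasses import dataclass

# Delegated scopes whose grant by an ordinary user is worth an admin's review.
SENSITIVE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Calendars.Read", "Calendars.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
    "Directory.Read.All", "Directory.ReadWrite.All",
    "Sites.Read.All", "offline_access",
}

# Built-in permission grant policy ids; an empty list disables user consent.
LEGACY_USER_CONSENT = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
LOW_RISK_USER_CONSENT = "ManagePermissionGrantsForSelf.microsoft-user-default-low"

POLICY = {  # constructed sample: defaultUserRolePermissions
    "allowedToCreateApps": True,
    "permissionGrantPoliciesAssigned": [LEGACY_USER_CONSENT],
}

GRANTS = [  # constructed sample oAuth2PermissionGrant records
    {"id": "g1", "clientId": "sp-calendar-app", "consentType": "Principal",
     "principalId": "user-42", "scope": "User.Read Calendars.Read"},
    {"id": "g2", "clientId": "sp-mail-backup", "consentType": "Principal",
     "principalId": "user-17", "scope": "User.Read Mail.ReadWrite offline_access"},
    {"id": "g3", "clientId": "sp-hr-portal", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read Directory.Read.All"},
    {"id": "g4", "clientId": "sp-weather", "consentType": "Principal",
     "principalId": "user-08", "scope": "User.Read"},
]


@dataclass(frozen=True)
class Finding:
    grant_id: str
    client_id: str
    principal_id: str
    sensitive_scopes: tuple


def policy_findings(policy: dict) -> list[str]:
    """Return the gaps between the policy and the guidance in this section."""
    issues = []
    if policy.get("allowedToCreateApps", False):
        issues.append("Users can register applications: set to No and assign the "
                      "Application Developer role to approved users instead")
    assigned = policy.get("permissionGrantPoliciesAssigned", [])
    if LEGACY_USER_CONSENT in assigned:
        issues.append("User consent is unrestricted (legacy policy): limit it to "
                      "low-risk permissions or disable it and enable the admin "
                      "consent workflow")
    return issues


def user_consented_sensitive_grants(grants: list[dict]) -> list[Finding]:
    """Flag grants a single user made that include sensitive delegated scopes.

    Admin consents (AllPrincipals) are skipped: an administrator already
    approved them, so they belong in a separate tenant-wide review.
    """
    findings = []
    for g in grants:
        if g.get("consentType") != "Principal":
            continue
        scopes = set(g.get("scope", "").split())
        hits = tuple(sorted(scopes & SENSITIVE_SCOPES))
        if hits:
            findings.append(Finding(g["id"], g["clientId"], g["principalId"], hits))
    return findings


if __name__ == "__main__":
    for issue in policy_findings(POLICY):
        print("POLICY:", issue)
    for f in user_consented_sensitive_grants(GRANTS):
        print(f"GRANT {f.grant_id}: {f.client_id} consented by {f.principal_id} "
              f"with {', '.join(f.sensitive_scopes)}")
```

Run as-is, the script reports both policy gaps and flags grants g1 and g2 (user consents carrying calendar and mailbox scopes) while leaving the admin-consented g3 and the low-privilege g4 alone. Against a live tenant you would replace the two constructed inputs with the JSON returned for those Graph resources; the triage logic stays the same.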
⚠️ Common Pitfall: Allowing unrestricted user consent. Malicious applications can trick users into granting excessive permissions. Implement admin consent workflows for sensitive permissions.
Reflection Question: Your organization discovers that an unauthorized application has been granted access to read all users' emails through user consent. How would you prevent this in the future?