Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
2.3.4. OAuth Permission Grants and Consent
💡 First Principle: Consent is the process by which users or administrators approve an application's access to resources. Without consent, applications cannot access data even if they have requested permissions.
Scenario: A new application requests permission to read all users' calendars. You need to understand who can consent and how to review existing consents.
Consent Types
| Type | Who Consents | When Used |
|---|---|---|
| User consent | Individual user | Delegated permissions, user-level data |
| Admin consent | Administrator | Application permissions, tenant-wide access |
Controlling Consent
- Users can consent to apps: Allow/restrict user consent
- Users can register applications: Allow/restrict app creation
- Admin consent workflow: Users request, admins approve
Restricting Application Consent:
- Set "Users can register applications" to No
- Assign Application Developer role to selected users
- This ensures only authorized users can register apps and manage consents
⚠️ Exam Trap: Allowing unrestricted user consent. Malicious applications can trick users into granting excessive permissions. Implement admin consent workflows for sensitive permissions.
Reflection Question: Your organization discovers that an unauthorized application has been granted access to read all users' emails through user consent. How would you prevent this in the future?
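To make the review in the scenario concrete, here is an added example (not part of the course material) that walks a list of delegated permission grants shaped like Microsoft Graph oauth2PermissionGrant objects and flags those worth a reviewer's attention; the sample grants and the list of sensitive scopes are constructed assumptions for the example.

```python
"""Review delegated OAuth2 permission grants for risky consents.

Input is a constructed list shaped like Microsoft Graph
oauth2PermissionGrant objects (clientId, consentType, principalId,
resourceId, scope). consentType "AllPrincipals" means an admin consented
on behalf of the whole tenant; "Principal" means one user consented.
"""
import json

# Delegated scopes that expose mailbox, calendar or file data broadly.
# This set is an assumption for the example, not a Microsoft definition.
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Calendars.Read",
                    "Calendars.ReadWrite", "Files.Read.All", "Sites.Read.All"}

# Constructed sample, not real tenant data.
SAMPLE_GRANTS = json.dumps([
    {"id": "g1", "clientId": "app-calendar-sync", "consentType": "Principal",
     "principalId": "user-001", "resourceId": "graph",
     "scope": "User.Read Calendars.Read"},
    {"id": "g2", "clientId": "app-helpdesk", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph",
     "scope": "User.Read Mail.Read"},
    {"id": "g3", "clientId": "app-unknown", "consentType": "Principal",
     "principalId": "user-002", "resourceId": "graph",
     "scope": "Mail.Read offline_access"},
    {"id": "g4", "clientId": "app-profile", "consentType": "Principal",
     "principalId": "user-003", "resourceId": "graph", "scope": "User.Read"},
])


def review_grants(grants_json, sensitive=SENSITIVE_SCOPES):
    """Return one finding per grant that carries a sensitive delegated scope."""
    findings = []
    for g in json.loads(grants_json):
        risky = sorted(set(g.get("scope", "").split()) & sensitive)
        if not risky:
            continue  # only low-privilege scopes, nothing to review
        user_consented = g["consentType"] == "Principal"
        findings.append({
            "grant": g["id"],
            "app": g["clientId"],
            "consent": "user" if user_consented else "admin (tenant-wide)",
            "principal": g.get("principalId") or "all users",
            "sensitive_scopes": risky,
            # A user-consented sensitive scope is exactly what an admin
            # consent workflow should have intercepted.
            "action": ("revoke; require admin consent workflow" if user_consented
                       else "confirm business justification"),
        })
    return findings


if __name__ == "__main__":
    for finding in review_grants(SAMPLE_GRANTS):
        print(finding)
```

Against a real tenant the same logic runs over the output of the Graph oauth2PermissionGrants listing, with the scope set tuned to the permissions your organization treats as sensitive.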
Written by Alvin Varughese
Founder • 15 professional certifications