Microsoft Entra ID is introducing major changes to its app consent settings starting 16 July 2025, and IT admins need to act now to avoid disruptions. These updates will make your organisation’s data more secure but could affect how users access apps. We’ve broken it down into a clear guide to help you prepare, with key dates and steps to stay ahead. Let’s get started!

What’s Changing on 16 July 2025?
Microsoft Entra ID, formerly Azure Active Directory, controls how apps request permissions to access user or company data. From 16 July 2025, Microsoft is rolling out a more secure default consent policy:
- Microsoft-Managed Consent Policy: Users will no longer be able to approve third-party apps requesting high-risk permissions, such as Files.* or Sites.* (e.g., access to OneDrive or SharePoint). Only admins can grant these permissions.
- Automatic Migration for Legacy Tenants: If your tenant is still on the legacy “allow user consent for all apps” setting, it will be automatically switched to Microsoft’s recommended policy, which allows user consent only for verified publishers and low-risk permissions (e.g., User.Read, profile).
- Clearer Permission Prompts: Users and admins will see more detailed information about what an app is requesting, making decisions easier.
This shift to a “Secure by Default” approach aims to reduce the risk of data exposure from apps with excessive permissions. Existing app consents will remain unchanged, but new requests for high-impact permissions will need admin approval.
Other Key Dates to Note
Beyond the consent changes, mark these important Entra ID deadlines:
- September 2025: Apps using the Azure AD Graph API will stop working for tenants with extended access. Temporary outage tests (8–24 hours) are planned between July and September 2025.
- October 2025: The AzureAD and AzureAD-Preview PowerShell modules will be retired and stop functioning. Expect outage tests (8–24 hours) in September 2025.
Why These Changes Matter
The new consent settings bring significant benefits but also challenges:
- Enhanced Security: Blocking user consent for high-risk permissions like Files.Read.All reduces the risk of accidental or malicious data leaks.
- Potential User Frustration: Without proper setup, users may hit a “brick wall” error when trying to access apps, seeing a message that they’re not authorised and no clear next steps. This could lead to support tickets or shadow IT workarounds.
- Compliance Alignment: The changes support regulations like GDPR by ensuring tighter control over data access.
- Increased Admin Workload: More apps requiring admin approval could slow down workflows if not managed efficiently.
Are You Impacted?
If you haven’t customised your Entra ID consent settings, you’re likely on the legacy default (“allow user consent for all apps”) and will be migrated to the Microsoft-managed policy. To check, use the Microsoft Graph API:
GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy
In the response, look at permissionGrantPoliciesAssigned under defaultUserRolePermissions and check whether it contains ManagePermissionGrantsForSelf.microsoft-user-default-legacy.
{
  "id": "authorizationPolicy",
  "allowInvitesFrom": "everyone",
  "allowedToSignUpEmailBasedSubscriptions": true,
  "allowedToUseSSPR": true,
  "allowEmailVerifiedUsersToJoinOrganization": false,
  "allowUserConsentForRiskyApps": null,
  "blockMsolPowerShell": false,
  "displayName": "Authorization Policy",
  "description": "Used to manage authorization related settings across the company.",
  "guestUserRoleId": "10dae51f-b6af-4016-8d66-8c2a99b929b3",
  "defaultUserRolePermissions": {
    "allowedToCreateApps": true,
    "allowedToCreateSecurityGroups": true,
    "allowedToCreateTenants": true,
    "allowedToReadBitlockerKeysForOwnedDevice": true,
    "allowedToReadOtherUsers": true,
    "permissionGrantPoliciesAssigned": [
      "ManagePermissionGrantsForSelf.microsoft-user-default-legacy",
      "ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-team",
      "ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-chat"
    ]
  }
}
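As an added example (not from Microsoft or the original article), the Python sketch below applies this check to a saved response. It looks only at the ManagePermissionGrantsForSelf.* entries, since the list also carries ManagePermissionGrantsForOwnedResource.* entries; the function name, the state labels and the trimmed sample response are assumptions made for illustration.

```python
SELF_PREFIX = "ManagePermissionGrantsForSelf."
LEGACY_POLICY_ID = "microsoft-user-default-legacy"  # policy id named in this article


def classify_user_consent(authorization_policy: dict) -> dict:
    """Classify the user-consent setting from an authorizationPolicy response.

    State labels ("legacy", "user-consent-disabled", "customised") are
    illustrative names chosen for this example, not Graph values.
    """
    role = authorization_policy.get("defaultUserRolePermissions") or {}
    assigned = role.get("permissionGrantPoliciesAssigned") or []

    # Only ManagePermissionGrantsForSelf.* entries govern what users may
    # consent to for themselves; owned-resource entries are ignored here.
    self_policies = [p[len(SELF_PREFIX):] for p in assigned
                     if p.startswith(SELF_PREFIX)]

    if LEGACY_POLICY_ID in self_policies:
        state = "legacy"                  # still on "allow user consent for all apps"
    elif not self_policies:
        state = "user-consent-disabled"   # no self-consent policy assigned
    else:
        state = "customised"              # some other policy; report its id as-is

    return {
        "state": state,
        "user_consent_policies": self_policies,
        "expect_migration": state == "legacy",
    }


# Constructed sample: the response shown above, trimmed to the relevant keys.
SAMPLE_POLICY = {
    "id": "authorizationPolicy",
    "defaultUserRolePermissions": {
        "permissionGrantPoliciesAssigned": [
            "ManagePermissionGrantsForSelf.microsoft-user-default-legacy",
            "ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-team",
            "ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-chat",
        ]
    },
}

if __name__ == "__main__":
    print(classify_user_consent(SAMPLE_POLICY))
```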
How to Prepare
To avoid disruptions by 16 July 2025, take these steps now:
- Audit Existing App Consents:
  - Use the Microsoft Entra admin centre to review all apps and their permissions.
  - Check for apps with high-risk permissions (e.g., Files.*, Sites.*) and assess if they’re still needed.
  - Consider removing or replacing risky apps with safer alternatives.
- Enable Admin Consent Workflow:
  - Turn on the Admin Consent Workflow in Entra ID to manage blocked user requests. This lets users submit a justification for app access, which admins can review and approve via the Entra portal or email notifications.
  - Without this, users will face the “brick wall” error, leading to frustration.
- Update Consent Policies:
  - Choose a policy that suits your needs:
    - Allow user consent for all apps (legacy, not recommended): High risk but flexible.
    - Do not allow user consent: Secure but may cause delays without the Admin Consent Workflow.
    - Allow user consent for verified publishers/low-risk permissions (Microsoft-recommended): Balances security and usability.
  - Configure settings in the Entra admin centre to avoid the automatic migration.
- Train Your Team:
  - Educate users about the new consent process to reduce confusion and support requests.
  - Warn against bypassing security prompts or using unverified apps.
- Leverage Automation:
  - Use tools like Microsoft Defender for Cloud Apps to monitor permissions and streamline consent reviews.
  - Set up automated workflows to handle requests efficiently.
- Test and Monitor:
  - Test the new consent settings and Admin Consent Workflow in a sandbox environment.
  - Monitor consent logs after 16 July 2025 to catch issues early.
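The audit step above can also be scripted. This added example (not part of the original article or Microsoft's tooling) filters delegated grants, in the shape returned by GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants, for the Files.* and Sites.* scopes named above and lists user-consented grants first. The function name and the sample records are constructed for illustration.

```python
from fnmatch import fnmatchcase

HIGH_RISK_PATTERNS = ("Files.*", "Sites.*")  # high-risk patterns named in this article


def find_high_risk_grants(grants, patterns=HIGH_RISK_PATTERNS):
    """Return delegated grants whose scope list contains a high-risk scope."""
    lowered = [p.lower() for p in patterns]
    findings = []
    for grant in grants:
        # "scope" is a single space-separated string of delegated permissions.
        scopes = (grant.get("scope") or "").split()
        risky = sorted(s for s in scopes
                       if any(fnmatchcase(s.lower(), p) for p in lowered))
        if not risky:
            continue
        # consentType "AllPrincipals" is a tenant-wide admin grant;
        # "Principal" is a grant for one user (principalId).
        tenant_wide = grant.get("consentType") == "AllPrincipals"
        findings.append({
            "clientId": grant.get("clientId"),
            "granted_by": "admin" if tenant_wide else "user",
            "principalId": None if tenant_wide else grant.get("principalId"),
            "risky_scopes": risky,
        })
    # User-consented grants first: these are the ones users can no longer
    # create themselves once the stricter policy applies.
    findings.sort(key=lambda f: (f["granted_by"] != "user", f["clientId"] or ""))
    return findings


# Constructed sample records; the ids are placeholders, not real objects.
SAMPLE_GRANTS = [
    {"clientId": "client-b", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Sites.ReadWrite.All profile"},
    {"clientId": "client-a", "consentType": "Principal",
     "principalId": "user-1", "scope": " User.Read Files.Read.All"},
    {"clientId": "client-c", "consentType": "Principal",
     "principalId": "user-2", "scope": "User.Read profile openid"},
]

if __name__ == "__main__":
    for finding in find_high_risk_grants(SAMPLE_GRANTS):
        print(finding)
```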
Potential Challenges
The stricter settings may disrupt workflows if users rely on apps that now require admin approval. Without the Admin Consent Workflow, the “brick wall” experience could frustrate users and increase support tickets. Custom or third-party apps might also need updates to align with the new policy, so check with vendors early.
Act Now to Stay Ahead
The July 2025 Entra ID consent changes are a big step toward a safer environment, but preparation is key to avoiding disruptions. Start auditing consents, enabling workflows, and training your team today. For more details, visit Microsoft’s official documentation.

