Knowledge base

November 02, 2025

App Consent – Smart Security with Entra


Imagine this: an employee clicks “allow” on an app that looks like Teams or Outlook … but it’s actually a fake. That’s how consent phishing works – no stealing passwords, just asking nicely for access.

Fortunately, Microsoft Entra ID offers effective ways to mitigate this risk. Instead of letting every user approve apps, you can configure the tenant so that only administrators make that decision. Better still, you can let users submit a request that goes through an approval process. That is called the Admin Consent Workflow.

Why this is important

Open app consent is an open door for hackers. You are relying on every employee to know exactly what is safe – and that is not realistic.

With an admin workflow, you, the IT manager, regain control:

  • Users can make requests for apps

  • You or a security team approves or disapproves

  • Only verified, legitimate apps get access to data like mail, OneDrive or Teams


Here’s how it works in a nutshell

  1. 🔒 Limit who can approve apps
    Set it to “Verified publishers only” or “Admins only” in the Entra Admin Center.

  2. Turn on Admin Consent Workflow
    Users request access, you get a notification and determine who gets access.

  3. 🚦 Classify permissions
    Assign risk levels to app permissions: low, medium, high. That way you know exactly which apps can do what.

  4. 👥 Limit approval to a specific group
    For example, only members of “App Consent Approvers” may approve apps.

  5. 📊 Monitor everything in the audit logs
    Check regularly which apps were granted access and who approved it.

  6. 🔐 Link MFA to app use
    Add an extra layer via Conditional Access: require MFA before a user can sign in to an app.
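The following script is an added example (not from the original post and not ALTA-ICT's own tooling) that applies steps 1, 2, 4 and 5 above with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, the signed-in admin holds the roles needed for these policies, and a security group named "App Consent Approvers" exists (placeholder name).

```powershell
# Added example: configure Entra app consent controls and review consent activity.
# Assumes the Microsoft.Graph module is installed; the group name is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConsentRequest",
                        "Group.Read.All", "AuditLog.Read.All", "Directory.Read.All"

# Step 1: limit user consent to verified publishers and low-risk permissions only.
# Built-in grant policies: microsoft-user-default-low (verified publisher, low-risk
# permissions) or microsoft-user-default-legacy (any app). An empty list means
# "Admins only": users cannot consent at all.
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId "authorizationPolicy" `
    -DefaultUserRolePermissions @{
        PermissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
    }

# Steps 2 and 4: enable the Admin Consent Workflow and route requests to one group.
$approvers = Get-MgGroup -Filter "displayName eq 'App Consent Approvers'"   # placeholder group
Update-MgPolicyAdminConsentRequestPolicy -IsEnabled:$true -NotifyReviewers:$true `
    -RemindersEnabled:$true -RequestDurationInDays 30 -Reviewers @(
        @{ Query = "/groups/$($approvers.Id)/transitiveMembers"; QueryType = "MicrosoftGraph" }
    )

# Step 5: list who consented to which app in the last 30 days from the audit log.
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogDirectoryAudit -All `
    -Filter "activityDisplayName eq 'Consent to application' and activityDateTime ge $since" |
    Select-Object ActivityDateTime,
        @{ n = "User"; e = { $_.InitiatedBy.User.UserPrincipalName } },
        @{ n = "App";  e = { $_.TargetResources[0].DisplayName } },
        Result
```

Step 6 (Conditional Access with MFA) is configured separately and is not covered by this script.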

Hidden risks: ChatGPT, Gmail and other ‘harmless’ apps

More and more employees are using smart tools like ChatGPT, Gmail extensions or project management apps like Trello. Convenient? Definitely. Secure? Not always.

The real problem: These apps often request access to Microsoft 365 data, such as:

  • Your Outlook mailbox 📬

  • OneDrive documents 📁

  • Teams conversations 💬

And if an unsupervised employee clicks “Allow”? Then your organization’s AVG (GDPR) compliance is at risk.

By combining Microsoft Entra ID’s Admin Consent Workflow with:

  • 🎯 Specific risk ratings per permission

  • 👥 Approval restricted to a designated group

  • 🔍 Audit logs that track everything

… you make sure all apps – including ChatGPT, Gmail add-ons, AI plugins and other third-party tools – go through a compliance check before accessing corporate data.

This is how you keep control of:
✅ Personal data
✅ Customer files
✅ Internal communications
✅ Financial info


Result: grip and peace of mind

Companies that already use it find that they:

  • Have a lower risk of data breaches via third-party apps

  • Lose no productivity

  • Keep complete oversight of who approves what

And the beauty? This fits perfectly into your existing AVG/GDPR policy and helps you comply with ISO27001 and NEN7510.

Pro-tip from ALTA-ICT:

Combine this approach with awareness training for employees. Explain why consent should not be given lightly. Technology + behavior = real protection.

Ready to get a grip on third-party apps such as ChatGPT, Gmail or AI tools?

Book a free 30-minute consultation with our Entra experts
alta-ict.co.uk/gratis-consultation

Want to know more?

Get in touch