Configure Admin Consent Approval Workflow in Microsoft Entra Admin Center for Secure App Access

In this blog, we will explore how to configure the Admin Consent Approval Workflow in Microsoft Entra Admin Center so that users cannot connect third-party applications such as ChatGPT to organizational data in OneDrive or SharePoint Online on their own: instead of consenting themselves, they submit a request that an administrator approves or denies. I will guide you step by step through setting up the approval workflow, so that every third-party app integration with Microsoft 365 passes through a review. The workflow sits in front of the OAuth consent prompt that third-party applications use to obtain access tokens for Microsoft 365 services, which is where your data would otherwise leave the tenant.

Introduction

In today’s AI-driven workspace, integrating third-party applications like ChatGPT with Microsoft 365 services (OneDrive, SharePoint, etc.) is becoming common. Allowing such integrations without oversight lets any user grant an external application ongoing access to files and sites on their behalf, with nobody in the organization reviewing what was granted. To keep control over app permissions, Microsoft Entra ID (formerly Azure AD) provides an Admin Consent Approval Workflow, enabling organizations to review app access requests and approve or deny them.

This article will guide you through configuring the Admin Consent Approval Workflow in Microsoft Entra ID, ensuring secure and compliant access to Microsoft 365 applications.

What Is Admin Consent Approval Workflow?

The Admin Consent Approval Workflow is a feature of Microsoft Entra ID that lets end users request admin consent for applications they are not allowed to consent to themselves, while administrators keep full control over what is approved. This feature is essential for:

  • Preventing unauthorized access to company resources.
  • Ensuring compliance with internal security policies.
  • Enhancing data protection by restricting unverified apps.

If a user tries to connect an application like ChatGPT to OneDrive, they will see a “Request Approval” button instead of direct access. Once submitted, the admin team reviews and decides whether to approve or reject the request based on security policies.

Why Should You Enable Admin Consent Approval Workflow?

  • Prevent Unauthorized App Connections – Reduce the risk of unverified apps accessing Microsoft 365 data.
  • Ensure Regulatory Compliance – Maintain compliance with ISO, GDPR, HIPAA, and other security standards.
  • Enhance Data Security – Restrict applications that might misuse or leak sensitive company information.
  • Control Over App Permissions – Admins can review, approve, or deny requests before applications gain access.

Example: What happens when you don’t enable Admin Consent Approval Workflow?

In ChatGPT, type a prompt such as “Get my training data from my OneDrive” followed by a OneDrive link. ChatGPT then asks you to connect your Microsoft OneDrive account.

ChatGPT to Microsoft OneDrive Authentication

Click the “Connect” button and you will see the “Permissions requested” screen with the following information:

This app would like to:

  • Read your files
  • Read items in all site collections
  • Read all files that you have access to
  • Maintain access to data you have given it access to
  • Sign you in and read your profile
Permissions requested – Consent on behalf of your organization

Below the list there is a checkbox, “Consent on behalf of your organization”. It is only shown when the signed-in user holds a role that can grant admin consent, and ticking it grants the application to every user in the tenant rather than just the person signing in.

Finally, the user clicks the “Accept” button.

With this default setup a user can grant these permissions on their own. The five lines on the prompt are the delegated Microsoft Graph scopes Files.Read, Sites.Read.All, Files.Read.All, offline_access and User.Read. Once accepted, ChatGPT (or any other third-party application you connect from) receives an access token and, because of offline_access, a refresh token, so it can keep reading the user’s OneDrive and every SharePoint site the user can reach without the user being signed in, until the grant is revoked. Note that Files.Read.All and Sites.Read.All are not limited to the user’s own OneDrive: they cover every file and site the user has access to.

This out-of-the-box configuration is not recommended, because it lets any user push your organization’s data outside the tenant with a single click. The rest of this article shows how to put an approval step in front of that consent prompt, so that users cannot connect a third-party application to your Microsoft 365 tenant without an administrator reviewing the request.

This is the agenda of this article; I will show this workflow set up step by step.

Step-by-Step Guide to Configure Admin Consent Approval Workflow

Follow these steps to set up the Admin Consent Approval Workflow in Microsoft Entra ID:

User Consent Settings – Block User Consent to Third-Party Applications

  1. Sign in to the Microsoft Entra Admin Center. The steps here use a Global Administrator account; a less-privileged role is sufficient for these settings, so check the current prerequisites in Microsoft’s documentation rather than using Global Administrator routinely.
  2. Navigate to Enterprise Applications → Consent and Permissions → User Consent Settings.
  3. Select “Do not allow user consent” to block users from granting permissions to third-party apps themselves. The middle option, “Allow user consent for apps from verified publishers, for selected permissions”, is a lighter alternative: low-impact permissions from verified publishers can still be self-approved, and anything beyond that goes to the approval workflow configured below.
  4. Click Save.

Follow the navigation as shown below:

Microsoft Entra Admin Center Enterprise Applications
User consent settings in Microsoft Entra Admin center

Note:

  • For user consent for applications, the default configuration is “Allow user consent for apps”, which is what produced the self-service consent prompt shown earlier.

Admin Consent Settings – Enable Admin Consent Approval Workflow

  1. Go to Enterprise Applications → Consent and Permissions → Admin Consent Settings.
  2. Toggle “Users can request admin consent to apps they are unable to consent to” to Yes.
  3. Choose the reviewers (users, groups, or roles) responsible for approving app requests. Pick people who hold a role that can grant admin consent, such as Cloud Application Administrator or Application Administrator; approving a request means granting tenant-wide consent, so a reviewer without such a role can see the request but cannot grant it.
  4. Set the request expiration period (default is 30 days).
  5. Click Save.

Follow the navigation as shown below:

Admin consent settings in Microsoft Entra Admin center

Note:

  • Once you set “Users can request admin consent to apps they are unable to consent to” to Yes, the options “Selected users will receive email notifications for requests” and “Selected users will receive request expiration reminders” are switched to Yes automatically. Leave them on, otherwise requests can sit unnoticed until they expire.

  • After saving, allow at least one hour for the change to take effect before testing.
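The same two settings can be applied and verified from Microsoft Graph PowerShell, which is useful for auditing a tenant or repeating the configuration across tenants. The script below is an added example, not part of the original post. It assumes the Microsoft.Graph module is installed and that the reviewer account appconsent-reviewer@contoso.com is replaced with a real user; the policy names it manipulates are the ones Microsoft Graph uses for the three user-consent radio buttons.

```powershell
# Added example (not from the original post): apply the user-consent and
# admin-consent-workflow settings with Microsoft Graph PowerShell and read
# them back. Assumes Install-Module Microsoft.Graph has been run and that
# the reviewer UPN below is replaced with a real account.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization',
                        'Policy.ReadWrite.ConsentRequest',
                        'User.Read.All'

# --- 1. User consent settings: "Do not allow user consent" -------------
# The portal radio buttons map to permission-grant policies assigned to the
# default user role. Only the ManagePermissionGrantsForSelf.* entries encode
# the user-consent choice:
#   (none)                                            -> Do not allow user consent
#   ManagePermissionGrantsForSelf.microsoft-user-default-low    -> verified publishers, selected permissions
#   ManagePermissionGrantsForSelf.microsoft-user-default-legacy -> Allow user consent for apps
# Any other assigned policies (for example the Teams dynamic-permission
# policies) are unrelated to this setting and are kept as they are.
$authz   = Get-MgPolicyAuthorizationPolicy
$current = @($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
Write-Host "Before: $($current -join ', ')"

$keep = @($current | Where-Object { $_ -notlike 'ManagePermissionGrantsForSelf.*' })
# To pick the "verified publishers, selected permissions" option instead:
# $keep += 'ManagePermissionGrantsForSelf.microsoft-user-default-low'
Update-MgPolicyAuthorizationPolicy -BodyParameter @{
    defaultUserRolePermissions = @{ permissionGrantPoliciesAssigned = $keep }
}

# --- 2. Admin consent workflow -------------------------------------------
$reviewer = Get-MgUser -UserId 'appconsent-reviewer@contoso.com'   # assumed reviewer
Update-MgPolicyAdminConsentRequestPolicy -BodyParameter @{
    isEnabled             = $true
    notifyReviewers       = $true    # email on each new request
    remindersEnabled      = $true    # email before a request expires
    requestDurationInDays = 30
    reviewers             = @(
        @{ query = "/users/$($reviewer.Id)"; queryType = 'MicrosoftGraph' }
        # A group of reviewers would be:
        # @{ query = "/groups/<group-id>/transitiveMembers"; queryType = 'MicrosoftGraph' }
    )
}

# --- 3. Read back and verify what the tenant now enforces ---------------
$authz  = Get-MgPolicyAuthorizationPolicy
$policy = Get-MgPolicyAdminConsentRequestPolicy
[pscustomobject]@{
    UserConsentPolicies = ($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -join ', ')
    WorkflowEnabled     = $policy.IsEnabled
    Reviewers           = ($policy.Reviewers.Query -join ', ')
    ExpiresAfterDays    = $policy.RequestDurationInDays
} | Format-List
```

Run the script interactively once with a privileged account; the read-back at the end is the check to keep in a periodic audit, since UserConsentPolicies should stay empty (or contain only the default-low entry) and WorkflowEnabled should stay True.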

How Users Request App Access

Once the workflow is enabled, users trying to connect ChatGPT to OneDrive (or any third-party app) will see a “Request Approval” button instead of direct access. The process works as follows:

  1. The user attempts to connect ChatGPT to OneDrive.
  2. Because user consent is disabled, Microsoft Entra ID shows an “Approval required” screen instead of the permissions prompt.
  3. The user enters a justification and submits the request.
  4. The reviewers receive an email notification and can see the request under Enterprise Applications → Admin consent requests.
  5. A reviewer approves or denies the request according to security policy. Approving grants the application tenant-wide admin consent for the requested permissions, not access for the requesting user alone, so review the permission list, not just the requester.
  6. If approved, the user is notified and can connect; if denied, the app stays blocked.
Approval required in ChatGPT to OneDrive Authentication

Note:

  • If you sign in to your Microsoft 365 account from ChatGPT with your Global Administrator account, you will not get the approval required screen, because an administrator can consent directly (that is also why the “Consent on behalf of your organization” checkbox appeared in the earlier screenshot). To test the workflow, sign in with a normal user account. Be careful when testing with an admin account: ticking that checkbox grants the application to every user in the tenant, which is exactly what the workflow is meant to gate.

How to Prevent Users from Adding OneDrive to ChatGPT?

While the Admin Consent Workflow ensures controlled access, you may want to block ChatGPT from connecting to OneDrive entirely. Options:

  • Disable the enterprise application – As soon as any user has consented, ChatGPT exists in your tenant as an enterprise application (service principal). Open it under Enterprise Applications, revoke the permissions it holds, and set “Enabled for users to sign in?” to No, or set “Assignment required?” to Yes and assign nobody. Note that the Microsoft Entra ID → User settings option that stops users from registering applications does not help here: it controls app registrations created in your own tenant, while ChatGPT is registered in the publisher’s tenant.
  • Set Conditional Access Policies – Conditional Access is evaluated when a token for OneDrive/SharePoint (Office 365) is requested, so it can require a compliant device, a trusted location or a low sign-in risk for that access. It targets the resource and the sign-in conditions, not the third-party client by name, so it complements the consent settings rather than replacing them.
  • Use Defender for Cloud Apps – The OAuth apps and app governance views in the Microsoft Defender portal list the third-party apps that hold grants in the tenant, their permission levels and usage, and let you ban an app and revoke its grants.
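Switching user consent off does not revoke grants that users made before the change, so cleaning those up is a separate step. The script below covers both the situation described earlier (users have already consented under the default settings) and the first bullet above: it lists who consented to the app and with which scopes, revokes the grants, and disables sign-in through the app. It is an added example, not part of the original post; it assumes the Microsoft.Graph module and that the enterprise application is named ChatGPT. The application (client) ID shown on the consent prompt is the reliable key if several applications share a display name.

```powershell
# Added example (not from the original post): audit, revoke and block an
# enterprise application that users connected under the default consent
# settings. Assumes Install-Module Microsoft.Graph; the display name below
# is an assumption, filter by appId if more than one app matches.
Connect-MgGraph -Scopes 'Application.ReadWrite.All',
                        'DelegatedPermissionGrant.ReadWrite.All',
                        'User.Read.All'

$appName = 'ChatGPT'
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
if (-not $sp) {
    Write-Host "No service principal named '$appName' in this tenant: nobody has consented yet."
    return
}
if ($sp.Count -gt 1) { throw "Several apps named '$appName'; filter on appId instead." }

# --- 1. What has already been granted, and by whom? ----------------------
# ConsentType 'Principal'     = one user consented for themselves (PrincipalId)
# ConsentType 'AllPrincipals' = an admin ticked "Consent on behalf of your
#                               organization", so every user is covered.
$grants = @(Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All)
Write-Host ("{0,-35} {1,-20} {2}" -f 'Granted by', 'Resource', 'Scopes')
foreach ($g in $grants) {
    $who = if ($g.ConsentType -eq 'AllPrincipals') { 'WHOLE TENANT (admin consent)' }
           else { (Get-MgUser -UserId $g.PrincipalId).UserPrincipalName }
    $res = (Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId).DisplayName
    Write-Host ("{0,-35} {1,-20} {2}" -f $who, $res, $g.Scope)
}

# --- 2. Revoke every grant the app holds --------------------------------
# Access tokens already issued stay valid until they expire; removing the
# grant stops the app from refreshing them (this is where offline_access
# would otherwise keep it connected).
foreach ($g in $grants) {
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
}

# --- 3. Block further sign-ins through this app -------------------------
# Same as "Enabled for users to sign in? = No" in the portal. If a few users
# are allowed to keep it, use -AppRoleAssignmentRequired:$true and assign them.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false

# Optional, heavier: invalidate the affected users' refresh tokens right away.
# This signs them out of every application, not only this one.
# $grants | Where-Object PrincipalId | ForEach-Object {
#     Revoke-MgUserSignInSession -UserId $_.PrincipalId
# }

Write-Host "Revoked $($grants.Count) grant(s) and disabled sign-in for '$($sp.DisplayName)' (appId $($sp.AppId))."
```

Run step 1 on its own first (comment out steps 2 and 3) to see the blast radius: an AllPrincipals row means an administrator consented for the whole tenant, and the Scopes column shows whether that included Files.Read.All or Sites.Read.All.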

Final Thoughts

In this article we have learned how to configure the admin consent approval workflow in Microsoft Entra Admin Center step by step, so that users cannot add OneDrive to ChatGPT or any other third-party application without an administrator reviewing and approving the request.

Enabling the Admin Consent Approval Workflow in Microsoft Entra ID ensures secure and compliant access to Microsoft 365 applications. By implementing these settings, you can control third-party integrations, protect sensitive data, and enhance organizational security.

 
