Why am I getting "Request Admin Consent" for new apps?

If you've been seeing a "Request Admin Consent" prompt when registering new apps with Microsoft 365 (M365), you're encountering a key security feature. As cyberattacks grow more sophisticated, using apps as a vector for data exfiltration or attacker persistence has become more common. The prompt appears as part of our measures to enhance protection against these threats.

What does it look like?

The prompt appears when you're signing up for a new app - or connecting it to your work Microsoft account.  For applications that are known to Microsoft - it'll continue to look like this:

 

For unknown apps, if your company doesn't have the Admin Consent Workflow configured - it'll look like this:


And finally - if your company does have Admin Consent Workflow configured:

 

Why is this happening now?

In light of the increased risks, implementing the admin consent requirements is a necessary step to guard data and ensure security. Admin consent ensures a double-check before granting an app permissions, reducing potential attack surfaces and minimizing security vulnerabilities.

Why does it appear for some apps and not others?

The prompt is more likely to appear for new or less common apps. This is because M365's default setup allows users to give consent for known publishers, reducing the need for admin inspection for these apps. Consequently, popular applications from recognized publishers may not trigger the "Request Admin Consent" message, whereas newer or less recognized apps will, as an extra layer of security.

In essence, this feature underscores the balance between security and convenience in an increasingly interconnected digital workspace. It aims to maintain secure practices while allowing seamless integration of apps within M365.

What to do when you see it

When you are blocked from approving an application you're trying to use you should reach out to your Microsoft 365 Administrator, either through the consent request - or by another method if it is not configured. Your administrator will be able to review the application to ensure that it is really the application you were trying to use - and that it adheres to any security and compliance policies the organization has implemented.