#Consent to Custom Azure Apps

Refer to the following instructions to configure app profiles for custom apps and consent to custom apps.

1. Navigate to Management > App management, and then click Create.

2. Select services – Select a tenant and select services for which you want to create app profiles. Click Next.

3. Choose setup method – Select the Custom mode option. Note that the Custom mode option only appears when the selected services support custom apps.

4. Consent to apps – Refer to the instructions in the following sections to consent to custom apps.

*Note: If multi-factor authentication (MFA) is enabled on a Microsoft 365 account, this account can still be used to consent to app profiles. For apps with delegated permissions, the related app profiles need to be re-authorized if MFA is enabled on the consent users’ Microsoft 365 accounts after they have given consent to the app profiles.

#Consent to a Custom Azure App with Application Permissions Only

When you consent to a custom Azure app with application permissions only, complete the following settings:

1. App profile name – Enter a name for the profile.

2. Application ID – Enter the application ID of the application that has been created in Azure by referring to the Create a Custom Azure App section.

3. Certificate file (.pfx) – Click Browse and select your app’s private certificate (the .pfx file).

   *Note: Ensure this .pfx file is paired with the .cer/.crt file uploaded to Microsoft Entra ID when your organization creates this custom app. If your organization does not have any certificates, you can create self-signed certificates by referring to Prepare a Certificate for the Custom Azure App.

4. Certificate password – Enter the password of the certificate.

5. Click Finish.

6. If you want to manage Exchange mailboxes and settings / Security and distribution group objects / Microsoft 365 Defender settings, you need to assign the Exchange Administrator role to the app. For additional details on assigning the role, refer to How to Assign the Exchange Administrator Role to an App?

#Consent to a Custom Azure App with Delegated Permissions

When you consent to a custom Azure app with both application and delegated permissions, complete the following settings:

1. App profile name – Enter a name for the profile.

2. Application ID – Enter the application ID of the application that has been created in Azure by referring to the Create a Custom Azure App section.

3. Certificate file (.pfx) – Click Browse and select your app’s private certificate (the .pfx file).

   *Note: Ensure this .pfx file is paired with the .cer/.crt file uploaded to Microsoft Entra ID when your organization creates this custom app. If your organization does not have any certificates, you can create self-signed certificates by referring to Prepare a Certificate for the Custom Azure App.

4. Certificate password – Enter the password of the certificate.

5. Click Consent.

6. Consent method – Choose a consent method between Administrator consent and User consent. If you want to consent to the app with a non-Administrator account in your Microsoft tenant, choose User consent and note the following:

   1. Ensure that your organization has granted admin consent to the app in Microsoft Entra ID. You can refer to the steps below to grant admin consent to an app:

      1. Log in to the Microsoft Entra admin center (or Microsoft Azure portal).

      2. Navigate to Identity > Applications > App registrations (or Microsoft Entra ID > App registrations).

      3. Click the app, and then click API permissions in the left menu.

      4. Click Grant admin consent for [Tenant name].

         

   2. Refer to the following information to prepare required users who consent to the apps:

      • To scan and manage Power Platform objects, the user who provides consent must have the following required license/role:

        • The Power Platform Administrator role must be assigned to the user who provides consent for the app profiles for scanning Environments, Connections, Power Apps, Solutions, Power Automate, or Copilot Studio objects.

        • The Power BI license and Fabric Administrator role must be assigned to the user who provides consent for the app profiles for scanning Power BI objects.

      • To authorize a custom app for AvePoint Portal Manager, the user who provides consent to the app must have the Teams Service admins role or a higher privileged role.

      • To authorize a custom app for Cloud Governance, the user who provides consent to the app must be a Microsoft 365 Global Administrator, Exchange Administrator, or a group owner.

7. Click Continue to consent.

8. If you want to manage Exchange mailboxes and settings / Security and distribution group objects / Microsoft 365 Defender settings, you need to assign the Exchange Administrator role to the app. For additional details on assigning the role, refer to How to Assign the Exchange Administrator Role to an App?