With recent changes made to the Email Gateway Defense SSO login flow for the new user interface, an administrator may need to grant consent to the Email Gateway Defense app for your organization. End users may also see a consent screen based on the security consent policies set in Azure AD by the administrator.
Note that either a user or a global administrator must establish consent between the Email Gateway Defense app and your organization's Azure AD in order for login to proceed. The consent method, either by a global administrator or a user, is determined by the consent policy selected for your organization. The most restrictive policy requires an administrator to grant consent for the entire organization. The Microsoft recommended policy and the least restrictive policy allow end users to consent to use the app on an individual basis. A description of the consent policies and how to view and change them are provided in this article.
Manage Access to Email Gateway Defense Application
To view or change the consent policies for users:
- Log into the Azure portal as a global administrator for the directory.
Select Azure Active Directory under Azure services.
Select Enterprise applications in the left-hand menu.
- On the Enterprise applications - All applications page, go to Security > Consent and permissions.
- Under User consent settings, select one of the options:
Do not allow user consent – Users cannot grant permissions to any application. Users can sign into applications that administrators have granted consent to on their behalf, but they cannot consent to new permissions to applications on their own.
Allow user consent for apps from verified publishers, for selected permissions (Recommended) – Users can consent only to applications that were published by a verified publisher or applications added to your tenant.
- Allow user consent for apps – Users can consent to any permissions for any application without administrator consent.
- Click Save.
User Consent Flows
When the end user logs into Email Gateway Defense, they will see one of the below user consent flows based on the selected policies above.
Do not allow user consent
Users will be blocked from granting consent to any application. Users can sign into applications that administrators have granted consent to on their behalf, but they cannot consent to new permissions to applications on their own.
As a user, you will need to contact your administrator to grant access. You will not be able to access the application until your administrator grants consent.
Allow user consent for apps from verified publishers, for selected permissions (Recommended)
Users will see the consent prompt to accept the permissions only for an application from a verified publisher or an application added to your tenant.
As a user, it is safe to click Accept to gain access to the application.
Allow user consent for apps
Users will see the consent prompt to accept the permissions for any application.
Users can consent to any permissions for any application, regardless of publisher or status (verified or unverified).
Admin Consent Flow
In addition to the above scenarios, as an administrator, you can grant consent for the application on behalf of all users in the organization. When you log into Email Gateway Defense for the first time, select Consent on behalf of the organization.