
Microsoft Entra ID: enabling user consent for Matik delegated permissions

This guide provides Microsoft Entra ID administrators with the necessary steps to configure the tenant to allow users to consent to the Matik application's delegated permissions. This configuration is essential for Matik to securely access resources on behalf of the user, such as Microsoft 365 services (e.g., SharePoint, OneDrive).

Prerequisites

  • A Microsoft Entra ID tenant with administrative privileges (e.g., Global Administrator, Application Administrator, or Cloud Application Administrator).

  • Understanding of Microsoft Entra ID application registration and permission models.

Matik Application Permissions

Before configuring consent settings, make sure you understand the delegated permissions that the Matik application requests:

openid 

Allows users to sign in to the app with their work or school accounts and allows the app to see basic user profile information.

email

Allows the app to read your users' primary email address.

offline_access 

Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions.

User.Read 

Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

Files.ReadWrite.All 

Allows the app to read, create, update and delete all files the signed-in user can access.

Matik will use this to read from template files and Excel data sources, update template files with any changes to tags made through the Matik app (when prompted by a user), and create new files for uploading generated content.

Sites.Manage.All 

Allows the application to create or delete document libraries and lists in all site collections on behalf of the signed-in user.

Matik will use this to create folders for generated content when prompted by the user.

Note: Matik's requirements may be updated. Consult Matik's documentation for the most current list of required permissions.

Admin Consent Status

If the permissions are listed, check the Status column.

  • If the status is "Granted for [Your Tenant Name]", admin consent has already been given for the required permissions, and user consent may not be necessary for those permissions.
  • If the status is "Not granted", user consent may be required unless admin consent is explicitly granted (see Step 3).

1. Configure User Consent Settings

This step ensures that users are permitted to grant consent for non-admin restricted permissions requested by applications like Matik.

  1. Navigate to the Microsoft Entra admin center.
  2. Go to Entra ID > Enterprise apps > Consent and permissions > User consent settings.
  3. Review the setting for User consent for applications.
  4. The recommended setting to enable user consent is Allow user consent for apps from verified publishers, for selected permissions.
     • Alternatively, selecting Allow user consent for all apps (not recommended) will allow consent for all registered applications, which poses a higher security risk.
  5. If you choose the recommended setting, ensure that the delegated permissions requested by Matik are included in the set of "Selected permissions."
  6. Click Save.

| User Consent Setting | Description | Recommendation |
| --- | --- | --- |
| Do not allow user consent | Users cannot consent to any application permissions. Requires Admin Consent for all permissions. | Highest Security |
| Allow user consent for apps from verified publishers, for selected permissions | Users can consent only to permissions deemed low-impact for applications from verified publishers. | Recommended |
| Allow user consent for all apps (not recommended) | Users can consent to any permission requested by any application. | Lowest Security |

2. Review Consent Policies 

Microsoft Entra ID allows for fine-grained control over consent through custom consent policies. Review existing policies to ensure they do not explicitly block user consent for Matik's required permissions.

  1. Navigate to Microsoft Entra admin center.
  2. Go to Entra ID > Enterprise apps > Consent and permissions > Permission classifications.
  3. Review the classifications and ensure that all the required permissions (listed above in Matik Application Permissions) are not classified in a way that blocks user consent (e.g., not marked as "High privilege" unless explicitly intended).

3. Grant Admin Consent (Alternative/Supplemental)

If the user consent settings are restricted, an administrator must grant consent on behalf of all users.

  1. Navigate to the Microsoft Entra admin center.
  2. Go to Entra ID > Enterprise apps.
  3. Search for and select the Matik application.
  4. In the left navigation panel, select Permissions.
  5. Click the Grant admin consent for [Your Tenant Name] button.
  6. Review the permissions displayed and confirm the action.

Note: Granting Admin Consent bypasses the need for individual users to consent and grants the application permission to act on behalf of any user in the tenant who accesses it, based on their individual permissions.
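To check which of the scopes listed above are covered by tenant-wide admin consent, which rely on individual user consent, and whether anything beyond the documented list has been granted, the following added example (not Matik's or Microsoft's code) audits an export of Microsoft Graph `oauth2PermissionGrants` records for the Matik service principal. The sample records and all ids are constructed placeholders, and the function name `audit_grants` is an assumption of this example.

```python
import json

# Delegated scopes this article lists for Matik.
DOCUMENTED_SCOPES = {
    "openid", "email", "offline_access", "User.Read",
    "Files.ReadWrite.All", "Sites.Manage.All",
}

# Constructed sample shaped like the "value" array Microsoft Graph returns for
# oauth2PermissionGrants, trimmed to the fields used here; ids are placeholders.
SAMPLE_GRANTS = json.loads("""
{"value": [
  {"clientId": "sp-matik-placeholder", "consentType": "AllPrincipals",
   "principalId": null, "scope": "openid email offline_access User.Read"},
  {"clientId": "sp-matik-placeholder", "consentType": "Principal",
   "principalId": "user-a-placeholder", "scope": " Files.ReadWrite.All Sites.Manage.All"},
  {"clientId": "sp-matik-placeholder", "consentType": "Principal",
   "principalId": "user-b-placeholder", "scope": "Files.ReadWrite.All Mail.Read"}
]}
""")

def audit_grants(grants, client_id, documented=DOCUMENTED_SCOPES):
    """Classify each documented scope as admin-consented, user-consented or
    not granted, and list granted scopes the documentation does not mention."""
    tenant_wide, per_user = set(), {}
    for g in grants:
        if g.get("clientId") != client_id:
            continue  # grant belongs to a different application
        scopes = set((g.get("scope") or "").split())
        if g.get("consentType") == "AllPrincipals":
            tenant_wide |= scopes  # admin consent on behalf of all users
        else:  # "Principal": consent that applies to a single user
            for s in scopes:
                per_user.setdefault(s, set()).add(g.get("principalId"))
    report = {}
    for s in sorted(documented):
        if s in tenant_wide:
            report[s] = "admin consent (all users)"
        elif s in per_user:
            report[s] = f"user consent ({len(per_user[s])} user(s))"
        else:
            report[s] = "not granted"
    undocumented = sorted((tenant_wide | set(per_user)) - documented)
    return report, undocumented

if __name__ == "__main__":
    report, extra = audit_grants(SAMPLE_GRANTS["value"], "sp-matik-placeholder")
    print(json.dumps(report, indent=2), "\nundocumented scopes granted:", extra)
```

A non-empty undocumented list is the signal to review: it means the application holds a delegated scope that the permission list in this article does not account for.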

Confirming Configuration

Once you've completed setup, your admin view in Entra should look something like this:

And when your end users are prompted to provide consent, the permissions request modal will look something like this:

Troubleshooting User Consent

| Issue | Potential Cause | Remediation Steps |
| --- | --- | --- |
| Users see "Need Admin Approval" | User consent is blocked in the tenant (Step 2). | Set User Consent to the "Recommended" setting (Step 2) or Grant Admin Consent (Step 4). |
| Consent screen displays incorrect permissions | Matik application registration has incorrect permissions defined. | Contact Matik Support |
| Users cannot access Matik after consenting | Licensing issue, conditional access policy blocking access, or application assignment required. | Check user licensing, review Conditional Access policies, and verify if the Enterprise Application requires user assignment. |
