Microsoft-managed default app consent policy now blocks 20 additional permissions

Microsoft has updated the Microsoft-managed default app consent policy in Entra ID to align with the Secure Future Initiative and the Secure by Default principle. This update strengthens admin control over third-party app access to Exchange and Teams content.

Important:
This update only affects tenants using the Microsoft-managed user consent policy. Organizations using a custom or admin-defined policy are not affected.

This update affects tenants if the organisation is using the recommended setting
Timeline

The rollout should be completed by late November 2025.

How does this affect your organisation?

In mid-August, Microsoft enabled the new Microsoft-managed app consent policy for organisations using the default Entra ID configuration.
The first four blocked permissions were:

  • Microsoft Graph – Files.Read.All
  • Microsoft Graph – Files.ReadWrite.All
  • Microsoft Graph – Sites.Read.All
  • Microsoft Graph – Sites.ReadWrite.All

In October, Microsoft announced that the exclusion list would be extended beyond these four permissions to cover apps accessing Exchange and Teams content. That extension is now rolling out and adds 20 excluded permissions for Outlook Mailbox, Outlook Mail, Outlook Calendar, Teams Chat, and Teams Meetings.

  • Organisations using custom user consent policies are not affected. Read my July post for step-by-step guidance on creating a custom app consent policy: Configuring a custom app consent policy in Entra ID using Microsoft Graph.
  • Users who have already granted consent to an app can continue using it without interruption.
  • New users, or apps requesting new or broader permissions, are blocked. Microsoft recommends configuring an admin consent workflow so that these requests can be reviewed and approved by an administrator.

For example, Doodle uses the Calendars.ReadWrite permission, which is now one of the newly excluded permissions.

Calendars.ReadWrite permission

New users can no longer add the app.

New users are blocked because of Calendars.ReadWrite

I exported all excluded permissions from the Microsoft-managed app consent policy.
The following table lists the 24 permissions currently excluded by the Microsoft-managed app consent policy. The resource ID of Microsoft Graph is 00000003-0000-0000-c000-000000000000.

Permission exclusions for the Microsoft-managed default app consent policy - November 2025

| Resource | Permission Type | Permission | Consent Display Name | Consent Description | Excluded |
|---|---|---|---|---|---|
| Microsoft Graph | User | Files.Read.All | Read all files that you have access to | Allows the app to read all files you can access. | August 2025 |
| Microsoft Graph | User | Files.ReadWrite.All | Have full access to all files you have access to | Allows the app to read, create, update and delete all files that you can access. | August 2025 |
| Microsoft Graph | User | Sites.Read.All | Read items in all site collections | Allow the application to read documents and list items in all site collections on your behalf. | August 2025 |
| Microsoft Graph | User | Sites.ReadWrite.All | Edit or delete items in all site collections | Allow the application to edit or delete documents and list items in all site collections on your behalf. | August 2025 |
| Microsoft Graph | User | Calendars.Read | Read your calendars | Allows the app to read events in your calendars. | November 2025 |
| Microsoft Graph | User | Calendars.Read.Shared | Read calendars you can access | Allows the app to read events in all calendars that you can access, including delegate and shared calendars. | November 2025 |
| Microsoft Graph | User | Calendars.ReadBasic | Read basic details of your calendars | Allows the app to read events in your calendars, except for properties such as body, attachments, and extensions. | November 2025 |
| Microsoft Graph | User | Calendars.ReadWrite | Have full access to your calendars | Allows the app to read, update, create and delete events in your calendars. | November 2025 |
| Microsoft Graph | User | Calendars.ReadWrite.Shared | Read and write to your and shared calendars | Allows the app to read, update, create and delete events in all calendars in your organization you have permissions to access. This includes delegate and shared calendars. | November 2025 |
| Microsoft Graph | User | Chat.Read | Read your chat messages | Allows an app to read your 1 on 1 or group chat messages in Microsoft Teams, on your behalf. | November 2025 |
| Microsoft Graph | User | Chat.ReadWrite | Read and write your chat messages | Allows an app to read and write your 1 on 1 or group chat messages in Microsoft Teams, on your behalf. | November 2025 |
| Microsoft Graph | User | Mail.Read | Read your mail | Allows the app to read email in your mailbox. | November 2025 |
| Microsoft Graph | User | Mail.Read.Shared | Read mail you can access | Allows the app to read mail you can access, including shared mail. | November 2025 |
| Microsoft Graph | User | Mail.ReadBasic | Read user basic mail | Allows the app to read email in the signed-in user's mailbox except body, previewBody, attachments and any extended properties. | November 2025 |
| Microsoft Graph | User | Mail.ReadBasic.Shared | Read basic mail you can access | Allows the app to read mail you can access, including shared mail except body, previewBody, uniqueBody, attachments, extensions, and any extended properties. | November 2025 |
| Microsoft Graph | User | Mail.ReadWrite | Read and write access to your mail | Allows the app to read, update, create and delete email in your mailbox. Does not include permission to send mail. | November 2025 |
| Microsoft Graph | User | Mail.ReadWrite.Shared | Read and write mail you can access | Allows the app to read, update, create, and delete mail you have permission to access, including your own and shared mail. Does not allow the app to send mail on your behalf. | November 2025 |
| Microsoft Graph | User | MailboxFolder.Read | Read your mailbox folders | Allows the app to read your mailbox folders, on your behalf. | November 2025 |
| Microsoft Graph | User | MailboxFolder.ReadWrite | Read and write your mailbox folders | Allows the app to read and write your mailbox folders, on your behalf. | November 2025 |
| Microsoft Graph | User | MailboxItem.Read | Read your mailbox items | Allows the app to read your mailbox items, on your behalf. | November 2025 |
| Microsoft Graph | User | MailboxSettings.Read | Read your mailbox settings | Allows the app to read your mailbox settings. | November 2025 |
| Microsoft Graph | User | MailboxSettings.ReadWrite | Read and write to your mailbox settings | Allows the app to read, update, create, and delete your mailbox settings. | November 2025 |
| Microsoft Graph | User | OnlineMeetings.Read | Read your online meetings | Allows the app to read online meeting details on your behalf. | November 2025 |
| Microsoft Graph | User | OnlineMeetings.ReadWrite | Read and create your online meetings | Allows the app to read and create online meetings on your behalf. | November 2025 |
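The export above was produced by the post's author; the script below is an added example (not the author's script) showing one way to reproduce it with the Microsoft Graph PowerShell SDK. It first checks which user consent policy the tenant actually assigns (the update only matters if it is the Microsoft-managed one), then reads the policy's exclusion condition sets and resolves the permission GUIDs to scope names using the Microsoft Graph service principal (resource ID 00000003-0000-0000-c000-000000000000, as given in the post). It assumes the Microsoft-managed policy is identified by the ID `microsoft-user-default-recommended`, which the post does not state; `Test-ExcludedScope` and the CSV file name are hypothetical names chosen for this example.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Applications

# Assumed ID of the Microsoft-managed user consent policy (not stated in the post).
$ManagedPolicyId = 'microsoft-user-default-recommended'
# Microsoft Graph resource (application) ID, as given in the post.
$GraphAppId = '00000003-0000-0000-c000-000000000000'

# Read-only scopes are enough to inspect policies and service principals.
Connect-MgGraph -Scopes 'Policy.Read.PermissionGrant', 'Application.Read.All'

# Step 1: which permission grant policies apply to ordinary users in this tenant?
# The assigned entries look like 'ManagePermissionGrantsForSelf.<policyId>'.
$prefix   = 'ManagePermissionGrantsForSelf.'
$authz    = Get-MgPolicyAuthorizationPolicy
$assigned = @($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
$selfPolicyIds = $assigned |
    Where-Object { $_ -like "$prefix*" } |
    ForEach-Object { $_.Substring($prefix.Length) }

if ($selfPolicyIds -contains $ManagedPolicyId) {
    Write-Host "User consent is Microsoft-managed ($ManagedPolicyId): the new exclusions apply to this tenant."
} else {
    Write-Host "User consent policy in use: $($selfPolicyIds -join ', '). Custom policies are not changed by this update."
}

# Step 2: build a lookup from delegated permission ID to the scope definition on the Graph service principal.
$graphSp   = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$scopeById = @{}
foreach ($scope in $graphSp.Oauth2PermissionScopes) { $scopeById[$scope.Id] = $scope }

# Step 3: export the delegated Microsoft Graph permissions the managed policy excludes, resolved to names.
$excludedSets = Get-MgPolicyPermissionGrantPolicyExclude -PermissionGrantPolicyId $ManagedPolicyId -All |
    Where-Object { $_.ResourceApplication -eq $GraphAppId -and $_.PermissionType -eq 'delegated' }

$rows = foreach ($set in $excludedSets) {
    foreach ($permId in $set.Permissions) {
        $scope = $scopeById[$permId]
        [pscustomobject]@{
            Resource           = $graphSp.DisplayName
            PermissionType     = $set.PermissionType
            # A condition set may contain the literal 'all' instead of GUIDs; keep unknown values as-is.
            Permission         = if ($scope) { $scope.Value } else { $permId }
            ConsentDisplayName = $scope.UserConsentDisplayName
            ConsentDescription = $scope.UserConsentDescription
        }
    }
}

$rows | Sort-Object Permission | Format-Table -AutoSize
$rows | Export-Csv -Path '.\managed-policy-exclusions.csv' -NoTypeInformation -Encoding UTF8

# Step 4: check whether the delegated scopes an app requests are on the exclusion list,
# e.g. the Calendars.ReadWrite case from the post. Returns one object per scope.
function Test-ExcludedScope {
    param([Parameter(Mandatory)][string[]]$Scope)
    $blocked = @($rows.Permission)
    foreach ($s in $Scope) {
        [pscustomobject]@{ Scope = $s; BlockedForNewUserConsent = ($blocked -contains $s) }
    }
}

Test-ExcludedScope -Scope 'Calendars.ReadWrite', 'User.Read'
```

Run it with an account that holds a role allowed to read policies (Global Reader is sufficient for the read-only scopes used here). A scope reported as blocked means a new user's consent prompt for that app will be denied and should surface through the admin consent workflow; users who consented before the rollout keep their existing grants, as the post notes.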
Tobias Asböck

Tobias is a Senior System Engineer with more than 10 years of professional experience with Microsoft 365 products such as SharePoint Online, SharePoint Premium, OneDrive for Business, Teams Collaboration, Entra ID, Information Protection, Universal Print, and Microsoft 365 Licensing. He also has 15+ years of experience planning, administering, and operating SharePoint Server environments. Tobias is a PowerShell Scripter with certifications for Microsoft 365 products. In his spare time, Tobias is busy with updates in the Microsoft 365 world or on the road with his road bike and other sports activities. If you have additional questions, please contact me via LinkedIn or [email protected].