Skip to main content

Understanding the Enterprise App consent flow

What clients see when they grant CloudCapsule access, who can approve it, and what's left in their tenant afterward.

When your client's admin approves a CloudCapsule connection, they're completing Microsoft's own Enterprise Application consent process, the same screen used to approve any third-party app against a Microsoft 365 tenant. This article covers who on their end can complete it, what they'll see, and what stays behind in their tenant once consent is granted.

Only a Global Administrator or a Privileged Role Administrator on your client's tenant can approve the request. Microsoft requires one of those elevated roles because approving an app registration affects the whole tenant, not a single mailbox or user profile.

  • If the person following your link isn't a Global Admin or Privileged Role Admin, Microsoft's consent screen will block the approval or route it into an admin approval queue instead of granting it outright.
  • A standard user account, even one with broad access to files and apps, can't approve this on its own. Confirm you're sending the link to the right person before troubleshooting anything else.

What happens during the flow

  1. You send the client a Shareable Consent Link, or their admin enters their Tenant ID or domain directly if you're walking them through it live.
  2. They land on Microsoft's standard consent screen, which names the app as CloudCapsule (you can't rebrand this screen, since it belongs to Microsoft's own app registration process) and lists the categories of permissions being requested.
  3. They choose Read Only consent for assessment and reporting, or Read & Write consent, which adds the ability for CloudCapsule to deploy fixes and policies later.
  4. They select Grant Consent, or generate a shareable link for someone else with the right role to finish the step. Nothing is scanned or changed until this approval is in place.

Consent links expire after 96 hours, so remind clients an unused one needs to be reissued rather than reused.

What Read Only actually covers

Read Only consent is scoped to what CloudCapsule needs to run an assessment and build reports. It doesn't grant any ability to change settings, create accounts, or modify policies, and you can tell clients that directly.

  • Reading configuration and security settings across the tenant, the same data an admin would see reviewing Microsoft's own admin consoles.
  • Reading license assignments, to flag gaps and unused seats.
  • Reading the signals used to map findings to compliance frameworks.

Adding fixes and policy deployment on top of that requires separate Read & Write consent, tied to a second, purpose-built app registration kept to least-privilege scopes. Either way, CloudCapsule never pushes a change on its own. Every fix is something you or the client's team initiates, and it's logged.

What's left behind in the tenant

  • An enterprise app entry shows up in the client's admin center: CloudCapsule for Read Only, plus CloudCapsule-Manage alongside it if Read & Write was granted.
  • The client's admin can open that entry anytime to see what was approved or revoke access entirely, regardless of what you've told them about it.
  • Consent doesn't install anything on end-user devices or mailboxes. It registers an app-level connection, not a software agent.

If a client asks questions you can't answer about the connection, or wants a second look at what was approved, point them to support@cloudcapsule.io or the Support menu inside CloudCapsule to open a ticket.