Getting Started with AppConfig²

Before You Begin

AppConfig² requires administrator consent for successful onboarding. Please ensure you have the following prerequisites before starting:

👤

Administrator Account

You must have Global Administrator role in your Entra ID tenant

🔒

Permission to Grant Consent

Authority to grant application permissions at the organizational level

Onboarding Process

Step 1: Sign In

Step 2: Administrator Consent

After signing in, you'll be prompted to grant administrator consent for the required permissions. You must be signed in with an administrator account for this step.

Step 3: Access the Application

Once consent is granted, you'll have full access to all features of AppConfig².

Information: On-Demand Tool Permissions

AppConfig² follows the principle of least privilege. Advanced tools request additional permissions only when you first access them, not during the initial admin consent process. Here's what happens when you use advanced tools:

Tool	Additional Permissions Requested	When Requested	Purpose
Directory Extensions Manager	Directory.ReadWrite.All	First access to the tool	Create and manage custom directory schema extensions
Claims Mapping Policy Tool	Policy.Read.All	When accessing advanced policy features	Read comprehensive policy information beyond basic application configuration

⚠️ Important to Understand

Initial Setup: Only core permissions are requested during admin consent - faster onboarding with minimal required permissions
Tool Access: Additional permissions requested only when you access specific advanced tools
User Choice: You can choose to grant or deny additional permissions for individual tools
Graceful Degradation: Core AppConfig² functionality works without advanced tool permissions
Admin Consent Requirement: Advanced tool permissions still require admin consent and cannot be granted by regular users
Organization-wide Impact: Once granted, these permissions apply organization-wide for all users
Independent Management: You can revoke tool permissions independently without affecting core functionality
Security Best Practice: Follows Microsoft's principle of least privilege with transparent usage

✅ Benefits of This Approach

Reduced Initial Consent: Faster onboarding with minimal required permissions
Transparent Usage: Clear understanding of why each permission is needed
Selective Access: Use only the tools and permissions your organization needs
Security Best Practice: Follows Microsoft's principle of least privilege

Return to Application

Required Permissions

AppConfig² follows the principle of least privilege with a two-tier permission model:

✅ User Permissions (No Admin Consent Required)

These standard permissions are granted automatically during user sign-in:

✓

User.Read

✓

openid

Sign you in with OpenID Connect

✓

profile

View your basic profile information

✓

offline_access

Maintain access to data you have given it access to

🔐 Admin Consent Required Permissions

⚠️ These permissions require Global Administrator approval:

Application Management

🛡️

Application.ReadWrite.All (Delegated)

Core Permission: Read and write applications in your organization

Directory Access

🛡️

Directory.AccessAsUser.All

Access directory as the signed-in user

🛡️

Directory.Read.All

Read directory data to discover applications and users

Policy Management

🛡️

Policy.Read.ConditionalAccess

Read your organization's conditional access policies

🛡️

Policy.ReadWrite.ApplicationConfiguration

Manage claims mapping policies for applications

User Management

🛡️

User.ReadWrite.All

Read and write all users' full profiles

🔧 On-Demand Permissions (Admin Consent Required)

🎯 Smart Permission Requests

The following permissions are requested only when you access specific advanced tools:

🔧

Directory.ReadWrite.All - For Directory Extensions Manager

🔧

Policy.Read.All - For advanced policy management tools

Permission Requirements Summary

👤

Regular Users: Can sign in and use basic features with standard permissions

👨‍💼

Global Administrators: Required for initial setup and advanced features

⚠️ Important for Administrators

The admin consent process is a one-time setup. Once completed, all users in your organization can access AppConfig² with their standard accounts.

Security & Privacy

🔒 Enhanced Security Model

AppConfig² follows Microsoft's principle of least privilege:

✅

Clear Permission Separation

User permissions vs. admin consent permissions are clearly distinguished

✅

Just-in-Time Access

Additional permissions requested only when specific tools are accessed

✅

Transparent Consent

Clear explanation of why each permission is needed and who can grant it

✅

No Credential Storage

Your credentials are never stored, only Microsoft tokens are used

Frequently Asked Questions

What if I don't have administrator permissions? +

You'll need to contact your IT administrator or a Global Administrator in your organization to complete the onboarding process. Regular users can use AppConfig² after admin consent is granted, but the initial setup requires admin approval.

Why do some permissions require admin consent? +

Microsoft requires admin consent for permissions that access organizational data like applications, directory information, and policies. This ensures that only authorized administrators can grant access to sensitive organizational resources.

Can regular users access AppConfig² after admin consent? +

Yes! Once a Global Administrator grants consent, regular users can sign in and use most AppConfig² features with their standard accounts. Only advanced tools may require additional admin-level permissions.

What's the difference between user and admin consent permissions? +

User permissions (like User.Read, openid, profile) are standard and don't require admin approval. Admin consent permissions access organizational data and require a Global Administrator to approve them on behalf of the entire organization.

Can I revoke consent later? +

Yes, administrators can revoke consent at any time through the Microsoft Entra ID Admin Center under Enterprise Applications. However, this will prevent AppConfig² from functioning until consent is granted again.

Need Help?

If you encounter any issues during the onboarding process, please contact our support team:

Email: support@appconfig.app
Support Portal: appconfig.app
Phone: +420 xxx xxx xxx

Visit Support Portal