We have updated the way Microsoft authentication works in our application.
Previously, users were authenticated through our Microsoft tenant, and external users had to be manually added to our system as guest users.
With the new approach, users authenticate directly using their own organization’s Microsoft tenant. This is the recommended Microsoft method and improves security and scalability.
Because of this change, your organization needs to grant permission to our application the first time it is used.
This permission process is called “consent”.
There are two ways this can be handled:
- Administrator Consent (Recommended)
  Your IT administrator grants permission once for the whole organization, the first time they log in to our application. After that, all users can sign in without additional prompts.
- User Consent
  Each user grants permission individually the first time they log in.
Your organization can choose whichever approach fits your security policies.
Option 1 (Recommended): Administrator Grants Consent for Everyone
Your Microsoft administrator can approve the application once for the entire organisation.
After that, all users can log in without seeing any permission prompts.
The administrator must exist as (or be added as) an Invention Studio user; during their first login to the application they simply approve the requested permissions.
Option 2: Allow Users to Grant Consent Themselves
If your organization prefers that each user approves the permissions individually, the administrator must allow users to grant consent for certain permissions.
Step 1 – Open Microsoft Entra
Go to:
https://entra.microsoft.com/#home
Sign in with an administrator account.
Step 2 – Open Enterprise Applications
- Click Enterprise applications
- Select Consent and permissions
- Click User consent settings
Step 3 – Allow User Consent
Select the following option:
Allow user consent for apps from verified publishers, for selected permissions
This allows users to approve, on their own, the permissions that are classified as low impact in the next step.
Step 4 – Configure Permission Classification
Next, ensure the permissions requested by our application are classified as Low Impact.
- Go to Permission classifications
- Select the Low category
- Add the following permissions:
- Microsoft Graph → openid
- Microsoft Graph → offline_access
- Microsoft Graph → profile
- Microsoft Graph → User.Read
These permissions only allow the application to:
- Verify the user identity
- Read basic profile information
- Maintain the login session
They do not allow access to emails, files, or other sensitive data.
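The portal steps above, scripted with the Microsoft Graph PowerShell SDK so the change is repeatable and can be verified afterwards. This is an added example, not part of the original instructions or of the application vendor's tooling; the cmdlet names, the built-in grant policy id and the Microsoft Graph app id are Microsoft's, while the Graph scopes requested at sign-in are an assumption to confirm against the cmdlet documentation.

```powershell
# Added example (not from the original instructions): applies Steps 3 and 4
# with the Microsoft.Graph PowerShell module. Assumes the module is installed
# and the signed-in account may change consent settings (e.g. Global Administrator).
# The scopes below are an assumption; check the docs of each cmdlet used.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.ReadWrite.PermissionGrant", "Application.Read.All"

# Step 3: the portal option "Allow user consent for apps from verified publishers,
# for selected permissions" corresponds to this built-in permission grant policy.
$lowImpactPolicy = "ManagePermissionGrantsForSelf.microsoft-user-default-low"
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @($lowImpactPolicy)
}

# Step 4: classify only the four delegated permissions the application needs as "low".
# 00000003-0000-0000-c000-000000000000 is the well-known app id of Microsoft Graph.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$wanted  = @("openid", "offline_access", "profile", "User.Read")

$existing = Get-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $graphSp.Id
foreach ($name in $wanted) {
    if ($existing.PermissionName -contains $name) {
        Write-Host "$name is already classified, skipping"
        continue
    }
    # Look up the scope id on the Graph service principal by its value (e.g. User.Read).
    $scope = $graphSp.Oauth2PermissionScopes | Where-Object { $_.Value -eq $name }
    if (-not $scope) { throw "Delegated permission '$name' not found on Microsoft Graph" }
    New-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $graphSp.Id -BodyParameter @{
        permissionId   = $scope.Id
        permissionName = $scope.Value
        classification = "low"
    } | Out-Null
    Write-Host "Classified $name as low impact"
}

# Verify: the policy is assigned and only the intended scopes are low impact.
$policy = Get-MgPolicyAuthorizationPolicy
$policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
Get-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $graphSp.Id |
    Select-Object PermissionName, Classification
```

The final listing should show exactly the four permissions from Step 4; any extra entries widen what users may consent to on their own and are worth reviewing.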
What Happens After This Setup
Once this configuration is complete:
- Users can sign in using their Microsoft accounts
- They will see a one-time consent screen
- After approving it, they can continue using the application normally
Summary
Your organization can choose between:
| Option | Description |
| --- | --- |
| Admin consent (recommended) | One approval for the entire organization |
| User consent | Each user approves the permissions individually |
Both options are supported.
If you have any questions or need assistance, please contact our support team.