July 5, 2026 Stories worth reading. Perspectives worth sharing.
Permission Consent Shifts: FileStorageContainerType and ThreatSubmission Delegated Permissions—What Entra Admins Need to Know Now
Entra ID

Permission Consent Shifts: FileStorageContainerType and ThreatSubmission Delegated Permissions—What Entra Admins Need to Know Now

Mo Wasay July 4, 2026 5 min read
Permission Consent Shifts: FileStorageContainerType and ThreatSubmission Delegated Permissions—What Entra Admins Need to Know Now

Microsoft Entra ID (formerly Azure AD) continues to evolve its permission and consent framework, shaping how admins grant app access and maintain tenant security. This week, Microsoft quietly rolled out changes to the admin consent requirements for four specific delegated permissions in the Microsoft Graph API. Here’s what you need to know—plus, what’s next on the roadmap, and how these changes integrate with adjacent controls you’re managing.

WHAT JUST CHANGED

  • FileStorageContainerType.Manage.All (delegated): Admin consent no longer required
  • FileStorageContainerTypeReg.Manage.All (delegated): Admin consent no longer required
  • ThreatSubmission.Read (delegated): Now requires admin consent
  • ThreatSubmission.ReadWrite (delegated): Now requires admin consent

Effective Date: June 2024 (rolled out to all tenants, GA status). All Entra ID tenants—including commercial, government, and education—are affected. This is a backend update; there’s no visible admin center banner, but consent flows are immediately impacted.

WHO’S AFFECTED

If you use custom applications, service principals, or third-party apps that request any of the above permissions, your consent workflow is altered:

  • App Developers: No longer need admin consent for FileStorageContainerType permissions; can use user consent.
  • Identity Admins: Must provide admin consent for ThreatSubmission permissions, even for delegated scenarios.
  • Security Teams: ThreatSubmission permission changes affect automation and integration for phishing/spam submission APIs.
  • App Owners: May need to re-consent or review existing applications for policy compliance.

WHY THIS DIRECTION IS BETTER

By reducing admin friction on FileStorageContainerType permissions, Microsoft enables faster onboarding for storage workflows—similar to how Google Workspace streamlines Drive access. Conversely, tightening consent for ThreatSubmission APIs ensures that only vetted apps can access sensitive threat intelligence, reducing risk from accidental or malicious exposure.

  • Improved User Experience: End users can grant FileStorageContainerType access without waiting for admin, boosting productivity for self-service and sandbox apps.
  • Stronger Security Posture: ThreatSubmission API access now requires explicit admin oversight, closing a gap where delegated permissions could previously be granted without central review.
  • Alignment with Industry Practices: Microsoft is matching competitors (e.g., Okta, Google, AWS Cognito) in balancing seamless app onboarding with robust security controls.
  • Fewer Consent Fatigue Issues: By not requiring admin consent for low-risk delegated permissions, admins can focus their attention on higher-risk API scopes.

WHAT’S NEXT ON THE ROADMAP

Microsoft’s Entra roadmap continues to prioritize granular consent management and API security. Prepare for:

  • Granular Admin Consent Policies: In public preview, soon admins will define which permissions require admin consent, beyond Microsoft’s defaults.
  • Consent Insight Audit Logs: Rollout of API and portal logs showing who consented to what, including delegated vs. application scopes, recently expanded in Entra admin center.
  • Passwordless Consent Flows: Soon, passwordless sign-in (FIDO2, Passkey) will support consent actions, reducing friction for admins and users alike.
  • External Identity Consent Controls: Enhanced control for B2B and guest users, including restricting consent by domain or group, now in preview.

Monitor the Microsoft Entra release notes and roadmap site for these features entering GA over the next quarter.

ADJACENT CHANGES: WHAT ELSE MATTERS NOW?

  • App Registration UX: The Entra admin center now surfaces consent requirements in the “API permissions” tab, including a new column showing which permissions require admin consent.
  • Conditional Access for Consent: Conditional Access policies now support “Grant controls” for consent flows; you can require MFA or device compliance when admins grant API permissions.
  • Consent Policy Enforcement: New “Consent policies” blade in Entra admin center lets you block user consent for risky permissions or require admin consent for specific APIs.

WHAT TO DO: STEP-BY-STEP FOR ADMINS

  1. Review existing app registrations for FileStorageContainerType and ThreatSubmission permissions.
  2. Audit consent logs to identify apps that may need new admin consent due to ThreatSubmission changes.
  3. Update internal documentation and developer guidelines for permission consent requirements.
  4. Notify app owners—especially those automating threat submission APIs—that admin consent is now required.
  5. Test consent flows for new and existing apps to ensure compliance and user experience.

CHECK IT YOURSELF: Modern PowerShell Audit

Use Microsoft.Graph PowerShell to report all app registrations with the affected permissions, using robust error handling and pagination. This script audits delegated permissions and flags consent status, defaulting to read-only.

Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Authentication

Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All'

# Define permissions to check
$targetPermissions = @(
    'FileStorageContainerType.Manage.All',
    'FileStorageContainerTypeReg.Manage.All',
    'ThreatSubmission.Read',
    'ThreatSubmission.ReadWrite'
)

# Audit all app registrations with the target delegated permissions
function Get-AppDelegatedPermissionAudit {
    [CmdletBinding()]
    param()
    $apps = Get-MgApplication -All
    $results = @()
    foreach ($app in $apps) {
        try {
            $apiPerms = $app.Api.OAuth2PermissionScopes | Where-Object {
                $targetPermissions -contains $_.Value
            }
            if ($apiPerms) {
                $results += [PSCustomObject]@{
                    AppId = $app.AppId
                    DisplayName = $app.DisplayName
                    Permissions = ($apiPerms | Select-Object -ExpandProperty Value -Unique) -join ', '
                }
            }
        } catch {
            Write-Warning "Error inspecting app '$($app.DisplayName)': $_"
        }
    }
    return $results
}

# Run audit
$auditResults = Get-AppDelegatedPermissionAudit
if ($auditResults.Count -eq 0) {
    Write-Host "No affected apps found with target delegated permissions."
} else {
    $auditResults | Format-Table
}

Note: This script never alters permissions or consent state. To check admin consent, review the Azure portal or use the Get-MgOauth2PermissionGrant cmdlet for delegated grants.

PORTAL PATH

  • Entra admin centerIdentityApplicationsApp registrations → Select app → API permissions. Check ‘Admin consent required’ column.
  • Entra admin centerIdentityConsent policies (for global enforcement).
  • Entra admin centerMonitoringAudit logs → Search for ‘Permission grant’ activity.

BOTTOM LINE

  • Immediate action: Audit all apps with FileStorageContainerType and ThreatSubmission permissions; update consent flows accordingly.
  • Notify app owners: ThreatSubmission APIs now require admin consent—automations may break without it.
  • Prepare for change: Track upcoming granular consent policies and portal improvements—get familiar with new blades and logs.
  • Stay vigilant: Use modern PowerShell and portal audit tools to validate permissions and consent. Never rely on legacy AzureAD/MSOnline modules.

With these updates, Entra admins can streamline storage app onboarding and strengthen threat intelligence security. Review your tenant today to stay ahead.