Azure Entra ID Permissions Configuration for Caddi
Quick Start Guide
This guide covers the essential permission configurations required for Caddi in Azure Entra ID at both the organization and application levels.
Organization-Level Permissions
Navigate to Entra ID → Enterprise Applications to configure the following:
1. Admin Consent Request Management
Path: Activity → Admin consent requests
Action: Configure approval workflow for application access requests across your Azure organization.
2. User Consent Settings
Path: Security → Consent and permissions → User consent settings
Action: Configure user consent controls.
⚠️ Important: If enforcing admin consent, do NOT select "Allow user consent for apps" - proceed to Admin consent settings instead.
3. Admin Consent Settings
Path: Security → Consent and permissions → Admin consent settings
Required Configuration:
Set "Users can request admin consent to apps they are unable to consent to" to Yes
Without this setting, users who are blocked by an admin consent requirement have no way to request approval, so they cannot access the application at all
Additional Configuration:
Assign appropriate users/roles/groups as consent approvers (applies organization-wide)
App-specific approvers can be configured separately
4. Permission Classifications
Path: Security → Consent and permissions → Permission classifications
Action: Verify that required permissions are not classified as high-risk, which could block consent prompts.
Application-Specific Permissions (Caddi)
Navigate to Entra ID → Enterprise Applications → [Caddi Application] to configure:
1. Application Properties
Path: Manage → Properties
Required Settings:
"Enabled for users to sign-in": Yes
"Assignment required?": Configure based on organizational requirements
2. Self-Service Access
Path: Manage → Self-service
Required Settings:
"Allow users to request access to this application?": Yes
"To which group should assigned users be added?": Create and assign a dedicated Caddi group
"Require approval before granting access to this application?": If Yes, ensure approvers are configured
"Default Access role": Standard configuration is sufficient
3. Application Permissions
Path: Security → Permissions
Optional Action: Click "Grant admin consent for Caddi" to pre-approve permissions for all users.
4. Access Reviews
Path: Activity → Access reviews
Action: Monitor and audit user access and permission levels.
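The portal settings above can be audited from a script, which is useful before onboarding to catch the blocking combinations. The following is an added example written for this guide, not code from Caddi or from Microsoft; it uses the Microsoft Graph PowerShell SDK and assumes the module is installed, that the signed-in account can read policies and applications, and that the enterprise application's display name is "Caddi" (an assumption; adjust the filter if your tenant uses a different name).

```powershell
# Added example: audit the organization-level and application-level settings from the guide.
# Assumes the Microsoft.Graph module and an enterprise application named "Caddi".
Connect-MgGraph -Scopes "Policy.Read.All", "Application.Read.All", "Directory.Read.All"

$findings = @()

# Organization step 3: "Users can request admin consent to apps they are unable to consent to"
$requestPolicy = Get-MgPolicyAdminConsentRequestPolicy
if (-not $requestPolicy.IsEnabled) {
    $findings += "Admin consent requests are disabled; users blocked by admin consent cannot ask for approval."
}
elseif ($requestPolicy.Reviewers.Count -eq 0) {
    $findings += "Admin consent requests are enabled but no reviewers (approvers) are assigned."
}

# Organization step 2: user consent setting, exposed through the tenant authorization policy.
#   empty list                          = do not allow user consent
#   ...microsoft-user-default-low       = allow user consent for verified publishers (low impact)
#   ...microsoft-user-default-legacy    = allow user consent for all apps
$userConsent = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
Write-Host "User consent policies assigned: $($userConsent -join ', ')"
if ($userConsent -match 'microsoft-user-default-legacy') {
    $findings += "User consent is allowed for all apps; the guide recommends verified publishers only or admin consent."
}

# Application step 1: properties of the Caddi enterprise application
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Caddi'"
if (-not $sp) { throw "No enterprise application named 'Caddi' was found." }
if (-not $sp.AccountEnabled) { $findings += "'Enabled for users to sign-in' is set to No." }
Write-Host "Assignment required?: $($sp.AppRoleAssignmentRequired)"

# Application step 3: a grant with ConsentType AllPrincipals is what "Grant admin consent" creates
$grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All
$tenantWide = $grants | Where-Object { $_.ConsentType -eq 'AllPrincipals' }
if ($tenantWide) {
    Write-Host "Admin consent granted tenant-wide for scopes: $($tenantWide.Scope)"
}
else {
    Write-Host "No tenant-wide admin consent; users will be prompted or must request consent."
}

# Application step 4 (access review input): who is assigned when assignment is required
if ($sp.AppRoleAssignmentRequired) {
    $assigned = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All
    if (-not $assigned) {
        $findings += "'Assignment required?' is Yes but no users or groups are assigned; nobody can sign in."
    }
    else {
        $assigned | Select-Object PrincipalDisplayName, PrincipalType | Format-Table
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "No blocking misconfigurations found." }
```

Run it once after configuring the tenant and again before the test-account walkthrough; every warning it prints corresponds to one of the combinations the guide says will prevent user access.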
General Recommendations for Standard Organizations
For organizations with standard security requirements, the following configuration provides a good balance of security and user convenience:
Recommended Settings
User consent settings: Allow user consent for apps from verified publishers
Assignment required?: Set to No for easier user onboarding
Self-service access: Enable with automatic approval (no approvers required)
Admin consent: Pre-grant admin consent for Caddi to eliminate permission prompts
Dedicated group: Optional - only create if you need to track or manage Caddi users specifically
Benefits of This Approach
Users can access Caddi immediately without waiting for approvals
Reduces administrative overhead
Maintains reasonable security through verified publisher requirements
Simplifies the user experience
Recommendations for Organizations with Strict Permission Controls
Essential Configuration
Enable admin consent requests in admin consent settings - without this, users cannot request access when admin consent is enforced
Create a dedicated Caddi user group for simplified access management and clear visibility
Test the consent workflow early with an end-user to ensure smooth deployment
Simplifying Access Management
Access to the application and permission consent are separate processes. To streamline administration:
Pre-approve application permissions (grant admin consent)
Require approval only for application access (group membership)
This approach allows admins to focus solely on group membership management
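To show the split between permission consent and application access in practice, here is an added example (written for this guide, not code from Caddi or Microsoft) that pre-grants admin consent and then gates sign-in on membership of a dedicated group. It assumes the Microsoft Graph PowerShell SDK, an enterprise application named "Caddi", a group name of "Caddi Users", and that Caddi's delegated permissions are requested against Microsoft Graph; the scope list is a placeholder to be replaced with the permissions Caddi actually requests. The self-service request and approval settings from the previous section are still configured in the portal.

```powershell
# Added example: pre-approve permissions tenant-wide, then manage access through one group.
# Assumptions: Microsoft.Graph module, app display name "Caddi", group name "Caddi Users".
Connect-MgGraph -Scopes "Application.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All",
                        "Group.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"

$sp = Get-MgServicePrincipal -Filter "displayName eq 'Caddi'"
if (-not $sp) { throw "No enterprise application named 'Caddi' was found." }
# Microsoft Graph resource service principal (well-known appId)
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Step 1: pre-approve application permissions. A grant with ConsentType AllPrincipals is the
# same object the portal's "Grant admin consent for Caddi" button creates.
$requiredScopes = "openid profile User.Read"   # PLACEHOLDER: use the scopes Caddi requests
$existing = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All |
    Where-Object { $_.ConsentType -eq 'AllPrincipals' -and $_.ResourceId -eq $graphSp.Id }
if (-not $existing) {
    New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType "AllPrincipals" `
        -ResourceId $graphSp.Id -Scope $requiredScopes | Out-Null
    Write-Host "Tenant-wide admin consent granted for: $requiredScopes"
}
else {
    Write-Host "Tenant-wide admin consent already present for: $($existing.Scope)"
}

# Step 2: require assignment so that only members of the dedicated group can sign in.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

$group = Get-MgGroup -Filter "displayName eq 'Caddi Users'"
if (-not $group) {
    $group = New-MgGroup -DisplayName "Caddi Users" -MailEnabled:$false `
        -MailNickname "caddi-users" -SecurityEnabled:$true
}

# Assign the group with the "Default Access" app role (the all-zero role id).
$defaultAccessRole = "00000000-0000-0000-0000-000000000000"
$alreadyAssigned = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Where-Object { $_.PrincipalId -eq $group.Id }
if (-not $alreadyAssigned) {
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -PrincipalId $group.Id `
        -ResourceId $sp.Id -AppRoleId $defaultAccessRole | Out-Null
}

# From here on, granting or revoking Caddi access is a membership change on "Caddi Users";
# no further consent prompts are involved.
Write-Host "Access to Caddi is now controlled by membership of group $($group.Id)"
```

Both steps are idempotent, so the script can be re-run as part of a periodic check; the access review in the previous section then only has to look at the membership of the one group.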
Critical Warning
⚠️ Incorrect configuration combinations will prevent user access. Test thoroughly with a basic-permission test account or actual end-user before widespread deployment to avoid access issues during onboarding.