You have an Azure AD tenant.
You configure User consent settings to allow users to provide consent to apps from verified publishers.
You need to ensure that the users can only provide consent to apps that require low impact permissions.
What should you do?
To ensure that users can only provide consent to apps that require low impact permissions, you should configure permission classifications in Azure AD. This allows you to categorize permissions into different levels of impact such as low, medium, or high. By doing so, you can enforce policies that restrict users to only consenting to apps with low impact permissions.
I go with D https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-permission-classifications?pivots=portal
I go with D https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-permission-classifications?pivots=portal
To ensure that users can only provide consent to apps that require low impact permissions, you should configure permission classifications in your Azure AD tenant. Configuring permission classifications allows you to classify the permissions requested by apps into different impact levels, such as low, medium, or high. By assigning the appropriate impact level to each permission, you can control which apps users are allowed to consent to based on the impact level of the requested permissions
D looks like the better answer, when creating a custom app policy you need to define the Permissions Classification: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/manage-app-consent-policies?pivots=ms-powershell. However this is overly complex as it seems the easiest thing to do is just select the radial to allow user consent to apps from trusted publishers, default impact is low. https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?pivots=portal
I agree. There should be an answer of "Do Nothing" because once you select "Allow user consent for apps from verified publishers" it is already configured as desired. Awful question.
The correct answer is D. Configure permission classifications. To ensure that the users can only provide consent to apps that require low impact permissions, you need to configure permission classifications in Azure AD. Permission classifications allow you to identify the impact that different permissions have according to your organization’s policies and risk evaluations.
D. Configure permission classifications: Azure AD allows you to classify the permissions requested by apps into three categories: low, medium, and high impact. By configuring these permission classifications, you can define which permissions fall into each category. This enables you to ensure that users can only provide consent to apps requesting permissions classified as "low impact." This approach helps control the level of access users can grant to apps, aligning with your requirement.
Configure permission classifications for this...
This is from ChatGPT. To ensure that users can only provide consent to apps that require low impact permissions, you should: **D. Configure permission classifications.** By configuring permission classifications, you can categorize the permissions requested by applications into different levels of impact (e.g., low, medium, high). You can then configure policies that allow users to consent only to apps that require low impact permissions, ensuring that users cannot authorize apps that request higher-risk permissions without admin approval.
Answer D. Configure permission classifications