Who can grant Microsoft admin consent for SlackBridge?

A Microsoft 365 user with one of the following Entra ID roles can grant consent: Global Administrator, Privileged Role Administrator, or Cloud Application Administrator. A regular user, even one who is a Teams team owner, cannot grant consent for an application permission. If the admin who clicks the link does not have one of these roles, Microsoft will display an error rather than displaying the consent screen.

What does the admin actually see when they click the consent link?

Microsoft's standard tenant-consent screen at login.microsoftonline.com. It shows the SlackBridge logo and publisher (Square Post Labs Inc.), the list of Microsoft Graph permissions being requested, and an Accept / Cancel pair of buttons. The screen is rendered by Microsoft, not by SlackBridge — SlackBridge never sees the admin's password or any other tenant credentials.

What does 'admin consent' grant, and how is it different from a user signing in?

Admin consent grants application permissions to the SlackBridge enterprise application across the entire Microsoft 365 tenant. The grant is recorded against the application object in Entra ID, not against the admin's personal account. The admin can hand the dashboard back to a regular user immediately afterwards; the bridge will continue to work using its own application identity, not the admin's. By contrast, a regular user sign-in would only grant 'delegated' permissions that act as that user — which is not what a server-side bridge needs.

Will the SlackBridge bot appear under Enterprise Applications in our Microsoft 365 admin center?

Yes. After consent is granted, SlackBridge appears in Microsoft 365 Admin Center → Entra ID → Enterprise Applications. From there an admin can review the granted permissions, see audit logs of when the application authenticated, and revoke consent at any time. The application name is 'SlackBridge' (Free / Standard tier) or 'SlackBridge Advanced' (Full Integration tier).

How long is the consent link valid?

Seven days from generation. SlackBridge stores a CSRF-protected state record server-side that ties the link to a specific connection ID, and that state expires after seven days. The longer-than-typical OAuth-state lifetime exists because consent links are routinely shared by email and may sit in an inbox for several days before the admin clicks. If the link expires, regenerate a fresh one from the SlackBridge dashboard.

Can the admin choose which permissions to grant?

No — Microsoft's admin-consent screen is all-or-nothing for the application's declared permissions. SlackBridge addresses this by offering two distinct application registrations, called the Core Bridging tier and the Full Integration tier. Each tier has its own pre-declared permission set (six permissions vs ten). The admin chooses the tier on the SlackBridge dashboard before the consent link is generated, and then consents to that tier's full set on the Microsoft screen. The Core Bridging tier is sufficient to bridge an existing Teams channel; the Full Integration tier is required if you want SlackBridge to create new Teams or install the bot programmatically.

What if the admin clicks Accept on the wrong Microsoft 365 tenant?

The consent link is generated with `prompt=select_account`, which forces Microsoft to display an account picker rather than auto-signing in with whatever account is already in the browser. This is specifically to prevent an admin who is signed into multiple tenants from accidentally consenting against the wrong one. If a wrong-tenant consent is granted, an admin in that wrong tenant can revoke it from Enterprise Applications, and a fresh link can be issued for the correct tenant.

How does the admin revoke consent later?

From the Microsoft 365 admin center: Entra ID → Enterprise Applications → SlackBridge (or SlackBridge Advanced) → Properties → Delete. This removes the application from the tenant and invalidates SlackBridge's tokens for that tenant immediately. As a courtesy, also disconnect the connection from the SlackBridge dashboard so the SlackBridge side stops attempting to refresh tokens against the now-revoked application.

Can SlackBridge upgrade from Core Bridging to Full Integration after the fact?

Yes. The dashboard exposes a re-consent flow that generates a fresh consent link for the higher tier. Because each tier is a separate Entra application registration, an upgrade requires the admin to consent to the second application — the original Core Bridging consent stays in place but becomes redundant. Either or both can be revoked from the admin center after the upgrade is complete.

What does my Microsoft 365 admin need to approve to enable SlackBridge?

TL;DR. Microsoft Teams uses application-level Graph API permissions, which can only be granted by a Microsoft 365 Global Administrator (or Cloud Application Administrator). SlackBridge generates a single sign-in link that takes the admin to Microsoft's standard consent screen at login.microsoftonline.com — the screen lists every permission SlackBridge will receive. Admin clicks Accept once, the consent is recorded against the tenant, and SlackBridge can then bridge messages. The consent link is valid for seven days. SlackBridge never sees the admin's password and never gets delegated user permissions; consent is granted to the SlackBridge application as a whole.

What's the short version?

To enable SlackBridge in a Microsoft 365 tenant, a Microsoft administrator clicks a link, sees Microsoft's standard consent screen, and clicks Accept. The whole flow happens on Microsoft's own login page (login.microsoftonline.com); SlackBridge never sees the admin's password. The decision is made once, by the admin, on behalf of the tenant.

This article walks through what the admin will see, why each step is necessary, and how the tenant retains full control.

Who can grant consent?

Microsoft requires an Entra ID role that includes the "Grant tenant-wide admin consent" permission. The eligible roles are:

Global Administrator (most common)
Privileged Role Administrator
Cloud Application Administrator

A regular user — even one who is the owner of every Microsoft Teams team in the tenant — cannot grant the consent SlackBridge needs. This is a Microsoft restriction, not a SlackBridge one. The reason is that SlackBridge requests application permissions (which act on behalf of the application itself, not on behalf of any user), and only a tenant administrator can authorize an application to act tenant-wide.

If the admin link is opened by a non-administrator, Microsoft will display an error explaining that admin consent is required.

What the admin sees

When the admin clicks the consent link, the browser is sent to a URL of this shape on Microsoft's domain:

https://login.microsoftonline.com/{tenant-or-common}/adminconsent
  ?client_id={SlackBridge-application-ID}
  &redirect_uri={SlackBridge-callback-URL}
  &state={CSRF-protected-token}
  &scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
  &prompt=select_account

After the account picker, Microsoft displays the standard tenant-consent screen, which lists every Microsoft Graph permission the SlackBridge application has declared (six for Core Bridging, ten for Full Integration), the publisher name (Square Post Labs Inc.), the publisher's verified-publisher status, and Accept / Cancel buttons.

The screen is rendered entirely by Microsoft. SlackBridge never sees the admin's password and cannot influence which permissions Microsoft displays beyond the ones already declared on the application registration.

For the exhaustive list of permissions in each tier and what each one is used for, see the permissions article.

Why application permissions, not delegated permissions?

Microsoft Graph offers two permission models:

Model	Acts as	Requires admin consent?	Suitable for SlackBridge?
Delegated	The signed-in user	Sometimes	No — bridge must run when no user is online
Application	The application itself	Always	Yes — bridge runs server-side, 24/7

SlackBridge bridges messages when no human is signed in (overnight, on weekends, immediately after a Teams user posts). It needs to act on its own identity rather than impersonate a user. That requires application permissions, which by Microsoft's design require admin consent.

The corollary is that SlackBridge cannot silently expand its access. Every permission it has was approved by a tenant administrator and is visible in Enterprise Applications.

What gets recorded after consent

When the admin clicks Accept, three things happen on Microsoft's side:

The SlackBridge application is registered in the tenant's Enterprise Applications list.
A service-principal record is created with the granted application permissions.
An admin-consent audit event is written to the Microsoft 365 audit log.

On the SlackBridge side:

The CSRF state token is validated and consumed.
SlackBridge requests an access token from Microsoft using the now-granted application permissions.
The access token is encrypted and stored; the refresh token is similarly encrypted and stored.
A SlackBridge audit-chain event is written recording the consent grant, the tenant ID, and the tier (Core Bridging or Full Integration).

From here on, SlackBridge can subscribe to Microsoft Graph change notifications for the channels you map and bridge messages in both directions.

Revoking consent

The admin retains full control. Consent can be revoked at any time:

Sign in to Microsoft 365 admin center as Global Administrator.
Open Entra ID → Enterprise Applications.
Search for "SlackBridge" (or "SlackBridge Advanced" for the Full Integration tier).
Open Properties → Delete.

Revocation is instant. SlackBridge's stored tokens for that tenant become invalid the moment Microsoft purges the application's service principal, and any in-flight Microsoft Graph requests fail with HTTP 401. As a clean-up step, also remove the connection from the SlackBridge dashboard so the SlackBridge side stops attempting to refresh tokens.

Common questions admins ask before clicking Accept

These come up in security reviews. The full list of permissions, with rationale per permission, lives in the permissions article. The data-handling specifics — what is and is not stored, retention windows, encryption — live in the data retention article. For the security review summary:

SlackBridge does not request Mail, Calendar, Files, Sites, OneDrive, OneNote, or Tasks permissions on Microsoft Graph.
SlackBridge does not request the ability to send messages on behalf of any individual Teams user.
SlackBridge does not request the ability to read direct (1:1 or group) chat messages — only channel messages, and only in the channels you explicitly map.
SlackBridge stores no message body text, only short-lived ID metadata used to keep replies threaded. See the retention article for exact windows.