In today's Microsoft 365 ecosystem, third-party client applications like ShareGate, AvePoint, or Colligo play a vital role in helping organizations migrate, manage, and analyze their SharePoint and Microsoft 365 environments. To do so securely, these tools rely on Azure Active Directory (now Microsoft Entra ID) for authentication and authorization.
However, one common point of confusion is when these applications require admin consent and when they can operate with just user-level permissions.
Let's break this down clearly.
The Foundation: Azure AD Authentication in Enterprises
When any application (internal or third-party) connects to Microsoft 365, it must authenticate via Azure AD (Entra ID) - Microsoft's identity and access management service.
Authentication can happen in two ways:
Delegated Authentication (User-based)
App-only Authentication (Service Principal-based)
Both build on the OAuth 2.0 and OpenID Connect protocols, so access tokens are issued only to registered, verified applications.
Delegated Authentication – When Admin Consent Is Not Required
In delegated authentication, a user signs in to the third-party tool using their own Microsoft 365 credentials (for example, through browser login or Windows authentication).
Here's what happens under the hood:
The user grants permission for the app to act on their behalf.
The app receives a delegated token tied to that user's identity.
It can access only the data and sites that the user already has access to.
Example
If a Site Collection Administrator uses ShareGate to migrate one SharePoint site, the tool only accesses that specific site using the user's own permissions.
No admin approval is needed because the app is not requesting global or tenant-level permissions. This is the most common method for site-specific operations or migrations where users already have the required permissions.
App-Only Authentication – When Admin Consent Is Required
For enterprise-wide operations - like tenant-level migrations, reporting, or automation - the third-party tool must operate independently of any user account.
This is done through App-Only Authentication, where:
The tool uses an Azure AD application (Service Principal).
The app requests elevated permissions (for example, Sites.FullControl.All).
These permissions apply across the tenant - not just to one user.
Because such permissions could potentially access sensitive data across Microsoft 365, an administrator must grant tenant-wide consent.
Example
When you configure ShareGate for a large migration across all SharePoint sites, the administrator consents to the ShareGate Migration Tool App in Azure AD. Once approved, ShareGate uses that app identity to access resources across the tenant securely.
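The two token types described above can be told apart from their claims alone: a delegated token lists consented scopes in `scp` and names the signed-in user, while an app-only token lists application permissions in `roles` and carries no user. The check below is an added illustration (not ShareGate's or Microsoft's code); its sample tokens are constructed, unsigned, and use placeholder identifiers.

```python
import base64
import json

# Entra ID (Azure AD) access tokens are JWTs. A delegated token lists the
# consented scopes in "scp" and names the signed-in user; an app-only token
# lists application permissions in "roles" and carries no user identity.

def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return base64.urlsafe_b64decode(segment)

def decode_claims(token: str) -> dict:
    """Return a JWT's payload WITHOUT checking the signature. Inspection only:
    an API must verify the signature against the tenant's JWKS before trusting claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    return json.loads(_b64url_decode(parts[1]))

def classify_token(token: str) -> dict:
    """Report whether a token is delegated or app-only and what it grants."""
    claims = decode_claims(token)
    scopes = claims.get("scp", "").split()   # space-separated delegated scopes
    roles = claims.get("roles", [])          # application (app-only) permissions
    if scopes and not roles:
        mode = "delegated"
    elif roles and not scopes:
        mode = "app-only"
    else:
        mode = "unknown"
    return {
        "mode": mode,
        "permissions": scopes or roles,
        "acting_user": claims.get("upn") or claims.get("preferred_username"),  # v1 / v2 claim names
        "tenant_wide": mode == "app-only",   # app-only grants always required admin consent
    }

def _fake_jwt(payload: dict) -> str:
    """Build an unsigned JWT from constructed claims (demo input only)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."

# Constructed sample tokens; the app id and user are placeholders, not real values.
APP_ID = "00000000-0000-0000-0000-00000000aaaa"
DELEGATED = _fake_jwt({"aud": "https://graph.microsoft.com", "appid": APP_ID,
                       "upn": "siteadmin@contoso.example",
                       "scp": "Sites.ReadWrite.All User.Read"})
APP_ONLY = _fake_jwt({"aud": "https://graph.microsoft.com", "appid": APP_ID,
                      "idtyp": "app", "roles": ["Sites.FullControl.All"]})
```

Running the same classification over tokens recorded by an API gateway or correlated with Entra sign-in logs shows which operations ran under a user's own permissions and which under the tenant-wide app grant.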
What "Consent" Really Means
Consent in Azure AD refers to granting permission for an application to access certain Microsoft 365 APIs on behalf of a user or the entire organization.
There are two types
Once consent is given, Azure AD issues tokens to the application for the approved scopes.
ShareGate as a Case Study
ShareGate offers both modes, depending on your use case:
Mode | Authentication Type | Admin Consent Required? | Scope of Access |
---|---|---|---|
Delegated Authentication | User logs in with credentials | No | Limited to user's own permissions |
App-Only Authentication | App registered in Azure AD (Service Principal) | Yes | Tenant-wide access |
Hybrid | Combines both modes | Sometimes | Depends on operation type |
In delegated mode, ShareGate can connect using:
In app-only mode, the ShareGate Migration Tool App must first be approved in the tenant's Microsoft Entra ID. This single approval allows secure, organization-wide access during large-scale migrations or reporting operations.
Balancing Security and Productivity
This dual-model approach ensures enterprises maintain strict control and transparency over access.
For routine operations: Delegated Authentication keeps access user-specific and secure.
For automation and large-scale management: App-Only Authentication provides efficiency with administrator oversight.
Microsoft's authentication framework ensures every access token is traceable, auditable, and revocable - protecting organizational data while enabling flexibility.
Conclusion
Enterprise tools like ShareGate, Colligo, and AvePoint use Azure AD-based authentication to securely interact with Microsoft 365.
They support both delegated and app-only models, giving organizations the choice between user-specific access and admin-approved, tenant-wide control.