Friday, September 3, 2021

Azure AD user consent setting (a feature you should consider seriously)

Azure application consent is the mechanism by which users authorize applications to access their information and data to perform a specific job. The default setting allows users to grant an application the permissions it requests at the moment it asks for consent. Technically, this creates a service principal in Azure AD, and the application is then issued an OAuth token that lets it access data according to the permissions the user approved.

However, the downside is that a malicious application can request more permissions than it needs and potentially steal critical information or confidential data. The risk is even greater for organizations that have no data loss prevention policies to track how their confidential or critical data is used.

Hence, it is recommended to keep this setting as restricted as possible, ideally requiring admin consent. If your organization does not want to impact the user experience, you can instead allow users to consent only to apps from verified publishers, as recommended by Microsoft.


Go to Enterprise applications --> User settings

 -- Change the settings highlighted in red as follows to switch to admin consent (most restrictive):

  1. Users can consent to apps accessing company data on their behalf: No
  2. Users can consent to apps accessing company data for the groups they own: No
  3. Users can request admin consent to apps they are unable to consent to: Yes
  4. Add the users, groups, or roles that will be responsible for reviewing requests under Reviewer type

Go to Enterprise applications --> Consent and permissions --> User consent settings

 -- Change the settings highlighted in red as follows to switch to admin consent:

  1. User consent for applications: Do not allow user consent
  2. Group owner consent for apps accessing data: Do not allow group owner consent
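As an added example (not part of the original post), the Python below audits the same setting from the API side: it maps the `permissionGrantPoliciesAssigned` value that Microsoft Graph returns from `GET /policies/authorizationPolicy` to the portal option above, and flags existing delegated grants from `GET /oauth2PermissionGrants` that individual users consented to with broad scopes. The Graph calls themselves are omitted, both documents are constructed samples shaped like the real responses, the scope watch list is an assumption you would tune, and the group owner setting is not classified.

```python
from typing import Any

# Values Graph returns in defaultUserRolePermissions.permissionGrantPoliciesAssigned
LEGACY = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"  # all users may consent
LOW = "ManagePermissionGrantsForSelf.microsoft-user-default-low"  # verified publishers, low-impact perms

# Delegated scopes far broader than a typical self-service app needs (assumed watch list)
BROAD_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
    "Directory.Read.All", "Directory.ReadWrite.All", "Sites.ReadWrite.All",
}


def classify_user_consent(authz_policy: dict[str, Any]) -> str:
    """Map a GET /policies/authorizationPolicy body to the portal's user consent option."""
    assigned = authz_policy.get("defaultUserRolePermissions", {}).get(
        "permissionGrantPoliciesAssigned", [])
    if not assigned:
        return "Do not allow user consent"
    if LEGACY in assigned:
        return "Allow user consent for apps"
    if LOW in assigned:
        return "Allow user consent for apps from verified publishers, for selected permissions"
    return "Custom permission grant policy: " + ", ".join(assigned)


def risky_user_grants(grants: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return grants an individual user consented to (consentType Principal) with a broad scope."""
    findings = []
    for g in grants:
        hit = set(g.get("scope", "").split()) & BROAD_SCOPES
        if g.get("consentType") == "Principal" and hit:
            findings.append({"clientId": g["clientId"], "principalId": g["principalId"],
                             "scopes": sorted(hit)})
    return findings


# Constructed sample responses (tenant still on the default "allow all users" setting)
SAMPLE_POLICY = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [LEGACY]}}
SAMPLE_GRANTS = [
    {"clientId": "sp-111", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read openid"},
    {"clientId": "sp-222", "consentType": "Principal", "principalId": "user-abc",
     "scope": "User.Read Mail.ReadWrite Files.ReadWrite.All"},
    {"clientId": "sp-333", "consentType": "Principal", "principalId": "user-def",
     "scope": "User.Read"},
]

if __name__ == "__main__":
    print("User consent setting:", classify_user_consent(SAMPLE_POLICY))
    for finding in risky_user_grants(SAMPLE_GRANTS):
        print("Review user-consented grant:", finding)
```

Grants that were already approved before you tighten the setting remain in place, so the second function is the part worth running after the change.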

Azure Privileged Identity Management (PIM)

Azure Privileged Identity Management deals with managing the access governance framework around highly privileged Office 365 and Azure accounts. Azu...