Grant admin consent (AD grants)
This is the single most important step for a popup-free experience.
Icon Map signs in each user with their Microsoft Entra (Azure AD) identity and, on their behalf, reads their Fabric and OneLake data. To do that it requests a set of delegated permissions. If those permissions haven't been consented to at the tenant level, each user is prompted to consent the first time a feature needs them — the "permissions requested" popup. Granting tenant-wide admin consent once removes those prompts for everyone.
Consent is delegated — Icon Map acts as the signed-in user and can only ever reach data that user is already allowed to see. Admin consent doesn't grant Icon Map standalone access to your data; it just pre-approves the permissions so individual users aren't asked.
Who does this
A Global Administrator or Privileged Role Administrator in Microsoft Entra.
What you're consenting to
Icon Map's application requests these delegated permissions. They map directly to the product features that read your data:
| Permission | Used for |
|---|---|
| Sign in and read the user's profile (Microsoft Graph) | Authenticating the user. |
| Access your OneLake storage as you (Azure Storage) | Reading and writing your OneLake files — tiles, imagery, published maps, write-back, WMS/GTFS proxying. |
| Read and write Fabric items and workspaces you can access (Fabric / Power BI service) | Listing workspaces, opening and saving the Icon Map item, and reading Lakehouse data. |
| Query Eventhouse / KQL databases (Azure Data Explorer) | Running KQL queries for Eventhouse sources. |
| Read Power BI semantic models and run queries (Power BI service) | Semantic-model sources and DAX queries (row-level security enforced by the model). |
| Microsoft Planetary Computer (optional) | Only requested if you add a Planetary Computer imagery layer. |
Every one of these is delegated (acts as the user) — there is no app-only data access in the authoring experience.
How to grant consent
You can grant consent in either of two ways.
Option A — admin-consent URL (recommended)
Open the following URL, signed in as a Global/Privileged Role Administrator, replacing the placeholders:
https://login.microsoftonline.com/{your-tenant-id}/adminconsent?client_id={icon-map-application-id}
{your-tenant-id}— your Entra tenant ID (a GUID).{icon-map-application-id}— the application (client) ID of the Icon Map app, named Tekantis.IconMap. Your onboarding contact provides this; after the workload is enabled you can also find it under Entra ID → Enterprise applications.
Review the permissions and choose Accept to consent for your whole organization.
Option B — Enterprise applications
- In the Microsoft Entra admin center, go to Enterprise applications.
- Find Tekantis.IconMap (it appears after the workload is enabled or after a first sign-in).
- Open Permissions and choose Grant admin consent for <your organization>.
Other Icon Map applications
The consent above covers the Fabric workload. Icon Map deliberately uses separate Entra applications per product surface, each with the minimum permissions for its job, so you only consent to what you deploy:
- Icon Map Desktop — a dedicated application used by the desktop app's sign-in (OneLake storage access, plus Fabric workspace read and item read/write for browsing and deploying maps). Consent it the same way if you roll out the desktop app; purely local use needs no sign-in at all.
- Icon Map QGIS Connector — a dedicated application used by the QGIS plugin (OneLake storage access, plus Fabric/Power BI read and item create/update for the browse and create-map modes). The plugin includes an admin-consent helper; without admin consent, a reduced mode lets users publish by pasting workspace and item IDs using only the user-consentable OneLake permission.
- Tekantis.IconMap-Backend — the published-map reader service principal. It has no sign-in permissions to consent; instead your admin grants it Contributor on each publishing workspace (see Set up publishing).
The application (client) IDs are provided by your onboarding contact. The full application-by-application permission table is in the security whitepaper.
After granting
- Allow 10–30 minutes for consent to propagate.
- New users should now open Icon Map and use its features without a consent prompt.
- If a specific feature (for example, KQL or semantic-model sources) still prompts, confirm that permission was included in the consent — see Browser & network for other popup causes.
Next steps
- Enable tenant settings — the settings that allow this data access.
- Browser & network — other causes of prompts.