So I have an AAD app that requests a number of permissions. I have delegated permissions and application permissions.
I want all my customers to use the same app, but admins should be able to decide which permissions they would prefer to allow.
So for instance I have Calendar.Read and Calendar.ReadWrite application-permission requests on my app. Some admins will only want to consent to Calendar.Read.
Is this even possible? As per this documentation,
I tried having the customer admin consent to only Calendar.Read using:
// Line breaks are for legibility only.
GET https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345
&redirect_uri=http://localhost/myapp/permissions
&scope=https://graph.microsoft.com/calendars.read
I can see in the customer's enterprise applications that Calendar.Read is permitted under the Admin consent tab. Unfortunately it's registered as type Delegated. I need the permission to be of type Application. How do I do this?
As expected, when I try to get a client credentials token, the token has no permissions, so I cannot use the token to make any calls. What am I missing here?
There are settings which admins can use to enable the admin consent workflow and choose reviewers:
Admin Consent
Please refer to this DOC.
For configuring user consent, please refer to this DOC.
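The question above hinges on the difference between a delegated grant and an application grant, and the asker's symptom ("the token has no permissions") is visible directly in the token. The following is an added diagnostic, not code from the question or either answer: it decodes a token's payload locally and reports whether it carries delegated permissions (the space-separated scp claim) or application permissions (the roles array, which only admin consent can grant). The tokens it inspects are constructed samples built by make_sample_token, not real tokens, and the client id is a placeholder.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(payload: dict) -> str:
    """Build a constructed, UNSIGNED token for this demo only (not a real token)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.not-a-real-signature"


def decode_payload(token: str) -> dict:
    """Return the payload claims without verifying the signature.

    Local inspection only: a resource server must validate signature, issuer,
    audience and expiry before trusting any claim in the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    return json.loads(_b64url_decode(parts[1]))


def classify_permissions(token: str) -> dict:
    """Report which kind of permission a token actually carries.

    Delegated permissions appear as a space-separated 'scp' claim; application
    permissions (app roles that only an admin can grant) appear as a 'roles'
    array. A client-credentials token has no 'scp' claim at all.
    """
    claims = decode_payload(token)
    scp = claims.get("scp")
    return {
        "delegated": scp.split() if isinstance(scp, str) else [],
        "application": list(claims.get("roles", [])),
        "app_only": scp is None,
    }


def missing_app_roles(token: str, required: set) -> set:
    """Required application permissions that the token does not carry."""
    return set(required) - set(classify_permissions(token)["application"])


# Constructed sample tokens (payloads are made up; the client id is a placeholder).
# Graph spells the calendar permission "Calendars.Read".
DELEGATED_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "scp": "Calendars.Read User.Read",      # delegated: acts as the signed-in user
    "upn": "user@contoso.example",
})
EMPTY_APP_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "appid": "<constructed-client-id>",     # client credentials, nothing granted
})
GRANTED_APP_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "appid": "<constructed-client-id>",
    "roles": ["Calendars.Read"],            # application permission granted by an admin
})

if __name__ == "__main__":
    for name, tok in [("delegated", DELEGATED_TOKEN), ("empty app-only", EMPTY_APP_TOKEN),
                      ("granted app-only", GRANTED_APP_TOKEN)]:
        print(name, classify_permissions(tok), "missing:", missing_app_roles(tok, {"Calendars.Read"}))
```

Running this against a real client-credentials token that shows app_only True but an empty application list reproduces the asker's situation: the delegated grant made through the adminconsent endpoint does not give the app any roles, so Graph has nothing to authorize.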
I have a question regarding a multi-tenant App Registration in Azure AD. The first time a user logs in through the app it will ask him to grant his consent to access some of his data if necessary or ask an administrator to grant a tenant level consent. This is just fine.
But what if a change is made to the App Registration (Logout URL modified, for example)? Is it possible that the users that have used the app registration already will need to grant their consent again, or that a tenant administrator might need to give his consent again?
Changing your redirect URLs or logout URL will not cause the consent to be prompted for again.
Changing the configured permissions also won't cause users who have already granted consent to have to grant consent again (but the app will only have the permissions it had been originally granted).
Users will only be prompted for consent in the following situations:
If your application dynamically requests a permission which has not been granted (e.g. scope=https://graph.microsoft.com/Mail.Read, if Mail.Read has not been granted).
If your application requests access to ".default" for a resource, and no permissions have been granted for that resource. For example, if your application requests scope=https://graph.microsoft.com/.default and no delegated permissions for Microsoft Graph have been granted, the user will be prompted for consent (for all permissions configured in the app registration). If any permission for the requested resource has been granted, the user will not be prompted for consent.
If your application forces user consent using prompt=consent. Don't do this—there is almost no situation where this is necessary. (Read a lot more on this at https://stackoverflow.com/a/60151790/325697.)
Yes. If you modify properties such as redirect URL, permissions, logout URL and so on, you have to make admins from other tenants do the admin consent again to make it effective.
Using admin consent url is the quickest way:
https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}
From my frontend application, when I request an access token I pass two scopes that need to be returned with the token.
I did not grant the application these consents in the Azure Portal. Instead the user has to explicitly give consent from the popup window.
Once the user has granted consent, I get the access token with the required scopes.
But how do I revoke consent from the Azure Portal? And how can I see which user has granted consent?
You can go to Enterprise Applications -> Find your app -> Permissions tab -> User consent tab.
There you can see which permissions users have consented to, for example:
You can then click Review permissions -> This app has more permissions than I want.
This will give you a PowerShell script that you can run to remove all user consent for that app. It can of course be customized to only remove certain permissions.
Currently there are no UI features to remove consented permissions; PowerShell/Graph API is the only way.
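The answer above says the removal has to go through PowerShell or the Graph API. As an added illustration (not the portal's generated script and not code from the answer), the helper below works on the data behind that "User consent" tab: the oauth2PermissionGrant objects that GET /oauth2PermissionGrants?$filter=clientId eq '{app service principal id}' returns. Each grant records consentType ("Principal" for a single user's consent, "AllPrincipals" for tenant-wide admin consent), the consenting principalId, the resourceId of the API, and a space-separated scope string. The sample grants and all ids are constructed placeholders; the functions answer "who consented to what" and turn a revocation decision into the Graph calls to make, leaving admin grants untouched.

```python
GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample of what the oauth2PermissionGrants listing for one app
# could contain. All ids are placeholders, not real directory objects.
SAMPLE_GRANTS = [
    {"id": "grant-admin-1", "clientId": "app-sp-id", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph-sp-id", "scope": "User.Read"},
    {"id": "grant-user-alice", "clientId": "app-sp-id", "consentType": "Principal",
     "principalId": "user-alice", "resourceId": "graph-sp-id", "scope": "User.Read Mail.Read"},
    {"id": "grant-user-bob", "clientId": "app-sp-id", "consentType": "Principal",
     "principalId": "user-bob", "resourceId": "graph-sp-id", "scope": "Mail.Read"},
]


def user_consents(grants):
    """Map each consenting user (principalId) to the permissions they granted.

    Tenant-wide admin grants (consentType 'AllPrincipals') carry no principal
    and are skipped, so the result answers "which users consented to what".
    """
    out = {}
    for g in grants:
        if g["consentType"] == "Principal":
            out.setdefault(g["principalId"], set()).update(g["scope"].split())
    return out


def plan_revocation(grants, remove=None):
    """Build the Graph operations that revoke user consent for an app.

    remove=None revokes every user-consent grant (DELETE the grant object).
    remove={...} strips only those permissions: PATCH the grant's scope with
    whatever remains, or DELETE the grant when nothing would remain.
    Admin (tenant-wide) grants are never touched by this function.
    Returns (method, url, json_body) tuples in the order they should be sent.
    """
    ops = []
    for g in grants:
        if g["consentType"] != "Principal":
            continue
        url = f"{GRAPH}/oauth2PermissionGrants/{g['id']}"
        if remove is None:
            ops.append(("DELETE", url, None))
            continue
        current = g["scope"].split()
        remaining = [s for s in current if s not in remove]
        if remaining == current:
            continue  # this grant holds none of the permissions being stripped
        if remaining:
            ops.append(("PATCH", url, {"scope": " ".join(remaining)}))
        else:
            ops.append(("DELETE", url, None))
    return ops


if __name__ == "__main__":
    for user, perms in user_consents(SAMPLE_GRANTS).items():
        print(user, sorted(perms))
    for op in plan_revocation(SAMPLE_GRANTS, remove={"Mail.Read"}):
        print(*op)
```

Sending the planned requests needs an app-only or delegated token with DelegatedPermissionGrant.ReadWrite.All; keeping the plan separate from the sending step lets an admin review exactly which grants change before anything is revoked.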
As you can see in my newly registered app registration, it's an app that only requires users to log in.
Nothing beyond the minimal requirements to work. I didn't configure it to request any special sort of permission.
When I try to log in this message appears:
"Application needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it"
Why? The permissions the app is requesting are just basic ones. I don't understand why admin consent is required.
Many thanks
There are two possible reasons why users can't consent to User.Read:
User consent is disabled or restricted. Each customer can choose to disable or limit user consent to applications. In a tenant where user consent is disabled, for example, users can't consent to any permission.
Azure AD > Enterprise apps > User settings > Users can consent to apps...
The app requires assignment. When an application is configured to require assignment for users to be able to sign in, users are not allowed to consent to that application.
Azure AD > Enterprise apps > (select app) > Properties > User assignment required?
The most likely reasons for an admin consent issue:
App-only permissions always require a tenant administrator’s consent. If your application requests an app-only permission and a user tries to sign in to the application, an error message is displayed saying the user isn’t able to consent.
Certain delegated permissions also require a tenant administrator’s consent. For example, the ability to write back to Azure AD as the signed in user requires a tenant administrator’s consent.
Possible solutions:
The prompt=admin_consent parameter (which requests permissions from an admin) can be used as a parameter in the OAuth2/OpenID Connect authorization request to grant admin consent.
Enable the admin consent workflow, which gives end users a way to request access to applications that require admin consent.
Refer to the permissions documentation for the Microsoft Graph API, which indicates which permissions require admin consent.
Please refer to the admin consent endpoint for more details.
In my application in Azure Active Directory I have added one of the Graph API permissions that requires admin consent, let's say Group.Read.All. I've clicked Grant Admin Consent for .... If I hit the /authorize endpoint as a user with the query parameter prompt=consent, I get the view that I need admin approval. If I hit the endpoint without any prompt parameter, everything works fine: I'm able to get a token with the proper scope. In the documentation I've read that the prompt parameter determines only the visibility of the consent. Why does it work like that?
Regarding prompt=consent, OpenID Connect says:
The Authorization Server SHOULD prompt the End-User for consent before returning information to the Client. If it cannot obtain consent, it MUST return an error, typically consent_required.
In the Microsoft identity platform, this means that the end user will be required to provide consent, even if consent has been granted previously by the user or (in the case of work or school accounts) by an administrator on behalf of the user.
If the user is not authorized to consent to the requested permissions (e.g. because user consent is disabled or restricted), using prompt=consent will always result in a hard block for the user.
In most cases, using prompt=consent is not the best approach. There are typically three scenarios in which prompt=consent is considered:
You've changed the required permissions. The required permissions have changed (e.g. permissions have been added or removed), and the user needs to consent to the new set of permissions.
You want to inform the user. The app developer wishes to ensure the user is informed of which permissions the app will be authorized to exercise (even if an administrator has already consented on behalf of the user in question).
You require consent from the user themselves, not an admin. The app developer wishes to ensure the end-user themselves provides consent, independent of what an administrator may have authorized previously.
If you've changed which permissions are required
When the requested permissions are defined dynamically
On the v2.0 endpoint, the scope parameter can be used to dynamically request a list of delegated permissions. For example, to request the read and export delegated permissions of the API identified by https://api.example.com:
scope=openid https://api.example.com/read https://api.example.com/export
Azure AD will ensure that all the requested permissions have been granted, and attempt to prompt for consent for any permissions which have not yet been granted (and only for those). If the requested permissions have all been granted, the issued token will include all granted permissions (even if they were not specifically requested).
Generally speaking, when making use of the incremental consent capability of the v2.0 endpoint, prompt=consent should not be used. Azure AD will take care of prompting for incremental consent if needed.
When the requested permissions are defined statically
An app can also identify only the resource (i.e. the API) for which it is requesting an access token, the specific permissions being defined statically for the app. Using the v2.0 endpoint, this is done in the scope parameter, making use of the special .default permission value:
scope=openid https://api.example.com/.default
In the v1.0 endpoint, this was achieved using the resource parameter:
resource=https://api.example.com
The list of required permissions is configured in a static list on the app registration. In the Azure portal, this list is under Configured permissions in Azure AD > App registrations > API permissions. In the underlying Application entity in Microsoft Graph (and in the app manifest), this is stored in the requiredResourceAccess property.
On receiving a request of this type (on either the v1 or v2 endpoint), Azure AD will check which permissions have been granted for the requested resource:
If no delegated permissions have been granted for the requested resource OR if prompt=consent is used, Azure AD will attempt to prompt for all the required permissions from the statically-defined list. This will include permissions for other APIs, if any are configured.
If any delegated permission has been granted for the requested resource, Azure AD will issue the token with all granted permissions. The scopes parameter of the response will include the list of permissions included in the access token.
Applications relying on statically-defined required permissions (i.e. /.default on v2 or resource on v1) should not use prompt=consent for every sign-in request. Instead, the application should:
Perform a sign in without prompt=consent.
Check the scope parameter of the response:
If the desired permissions are listed, no further action is necessary.
If not (e.g. if a new permission was added to the list of required permissions after the user initially consented to the app), only then should the user be sent back again, this time with prompt=consent.
This strategy ensures that users can sign in to an app when an administrator has consented on their behalf (e.g. because they aren't authorized to consent on their own), and only forces the consent prompt (or an escalation to an admin to consent on their behalf) when a new permission has been configured.
If you want to inform the user
Using prompt=consent is not a good approach if the goal is to only inform the user of which permissions the application has been authorized to exercise (either by the user previously, or by an administrator on the user's behalf).
Instead, an application can use the scope parameter of the token response to construct the desired interrupt experience (e.g. after the user has been redirected back to the app and the token has been retrieved, but before continuing), informing the user of which permissions it has been granted.
If you require consent by the user, not an admin
There may exist very specific cases when an application requires user consent for the requested permissions, and wishes to not accept consent granted on behalf of the user by an administrator.
In this case, using prompt=consent in all sign-ins could be used, but there are important caveats to consider:
In many organizations, user consent is disabled or restricted. If users are not authorized to consent to the permissions configured for your app, they will not be able to use your application.
The user will be prompted for consent every single sign-in, even if the user themselves already previously granted consent.
Since this is a query parameter, a knowledgeable user could very easily intercept the request before it is made, and remove prompt=consent (and if consent was already previously granted, they will not be prompted for consent).
In this case, it may be better for the app to implement a separate consent-granting experience after the user has signed in (similar to the "inform" scenario described earlier), separating the app's additional consent requirements from the consent experience provided by the Microsoft identity platform.
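The strategy in the answer above (sign in without prompt=consent, compare the scope field of the token response against what the app needs, and re-send with prompt=consent only when something is missing) is easy to get wrong by prompting unconditionally. The helper below is an added example, not code from the answer: it builds the v2.0 authorize request, covering both the dynamic scope list and the static /.default form the answer describes, and turns a token response into a decision. The client id, redirect URI and token responses are constructed values; https://api.example.com is the answer's own placeholder API, and the required permission names are compared as they appear in the response's scope field.

```python
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state, prompt=None):
    """Compose a v2.0 authorization request.

    'scopes' may be a dynamic list (incremental consent) or the static form
    ["openid", "https://api.example.com/.default"]. The prompt parameter is only
    added when a caller has established that it is really needed.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    if prompt:
        params["prompt"] = prompt
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?" + urlencode(params)


def granted_scopes(token_response):
    """Permissions actually present in the issued token, read from the
    space-separated 'scope' field of the token response."""
    return set(token_response.get("scope", "").split())


def next_step(token_response, required):
    """Decide what to do after a sign-in made WITHOUT prompt=consent.

    ('ok', set())        every required permission was granted, either by the
                         user or by an admin on their behalf; nothing to do.
    ('reprompt', missing) a required permission is absent (e.g. one added to
                         the app registration after the user first consented);
                         this is the one case where a second request with
                         prompt=consent is warranted.
    """
    missing = set(required) - granted_scopes(token_response)
    return ("ok", set()) if not missing else ("reprompt", missing)


def follow_up_url(token_response, required, tenant, client_id, redirect_uri, scopes, state):
    """Return None when the app can proceed, or the authorize URL to redirect
    the user to (now with prompt=consent) when required permissions are missing."""
    decision, _missing = next_step(token_response, required)
    if decision == "ok":
        return None
    return build_authorize_url(tenant, client_id, redirect_uri, scopes, state, prompt="consent")


# Constructed token responses (not captured from a real tenant). The first one
# reflects an admin having consented before 'export' was added to the app's
# required permissions; the second reflects a fully granted set.
RESPONSE_BEFORE_NEW_PERMISSION = {"token_type": "Bearer", "expires_in": 3599,
                                  "scope": "openid profile read", "access_token": "<redacted>"}
RESPONSE_FULLY_GRANTED = {"token_type": "Bearer", "expires_in": 3599,
                          "scope": "openid profile read export", "access_token": "<redacted>"}
STATIC_SCOPES = ["openid", "https://api.example.com/.default"]

if __name__ == "__main__":
    url = follow_up_url(RESPONSE_BEFORE_NEW_PERMISSION, {"read", "export"},
                        "contoso.onmicrosoft.com", "<constructed-client-id>",
                        "https://localhost/callback", STATIC_SCOPES, "state-1")
    print("redirect to:", url)
    print("fully granted ->", follow_up_url(RESPONSE_FULLY_GRANTED, {"read", "export"},
                                           "contoso.onmicrosoft.com", "<constructed-client-id>",
                                           "https://localhost/callback", STATIC_SCOPES, "state-2"))
```

Because the decision is driven by what the token response actually contains rather than by a parameter in the request, a user who strips prompt=consent from the URL (the tampering caveat in the answer) gains nothing: the app still refuses to proceed until the scope field lists every permission it needs.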
prompt=consent triggers the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app.
Individuals accessing an app that requires at least one permission that is outside their scope of authority.
Admins will see the same prompt showing the permissions, plus an additional control on the traditional consent prompt that allows them to consent on behalf of the entire tenant.
Users will be blocked from granting consent to the application, and they will be told to ask their admin for access to the app.
For more details, you could refer to this article.