Azure Remove User Consent to API - azure

From my frontend application, when I request an access token I pass two scopes that need to be returned with the token.
I did not grant the application this consent in the Azure Portal. Instead the user has to explicitly give consent from the popup window.
Once the user has granted consent, I get the access token with the required scopes.
But how do I revoke consent from the Azure Portal? And how can I see which user has granted consent?

You can go to Enterprise Applications -> Find your app -> Permissions tab -> User consent tab.
There you can see which permissions users have consented to, for example:
You can then click Review permissions -> This app has more permissions than I want.
This will give you a PowerShell script that you can run to remove all user consent for that app. It can of course be customized to only remove certain permissions.
Currently there are no UI features to remove consented permissions; PowerShell/Graph API is the only way.
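The "customized to only remove certain permissions" variant, as an added example with the Microsoft Graph PowerShell SDK (this is not the script the portal generates and not code from the answer above). It assumes the Microsoft.Graph module is installed; "My Frontend App" and "Calendars.ReadWrite" are placeholder values.

```powershell
# Added example: list per-user consent grants for one enterprise app and strip a
# single scope from each, deleting the grant only when nothing is left.
# Placeholders: $appName (display name of the enterprise app), $scopeToRevoke.
Connect-MgGraph -Scopes "DelegatedPermissionGrant.ReadWrite.All", "Application.Read.All", "User.Read.All"

$appName       = "My Frontend App"       # placeholder display name
$scopeToRevoke = "Calendars.ReadWrite"   # placeholder scope to remove

# The enterprise application is a service principal; its Id is the clientId on grants.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
if (-not $sp) { throw "Service principal '$appName' not found" }

# consentType 'Principal' = an individual user's consent; 'AllPrincipals' = admin consent.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
    Where-Object { $_.ConsentType -eq "Principal" }

foreach ($g in $grants) {
    # PrincipalId is the consenting user's object id; resolve it to a UPN for the report
    $user = Get-MgUser -UserId $g.PrincipalId
    Write-Host "$($user.UserPrincipalName): $($g.Scope)"

    # Scope is a space-separated string (often with a leading space); drop empties
    $current   = @(($g.Scope -split " ") | Where-Object { $_ })
    $remaining = @($current | Where-Object { $_ -ne $scopeToRevoke })

    if ($remaining.Count -eq $current.Count) {
        continue   # this user never consented to the scope being revoked
    }
    if ($remaining.Count -eq 0) {
        # nothing left: delete the whole grant, as the portal-generated script does
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
        Write-Host "  removed grant $($g.Id)"
    } else {
        # otherwise narrow the grant to the scopes that remain
        Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id -Scope ($remaining -join " ")
        Write-Host "  narrowed grant to: $($remaining -join ' ')"
    }
}
```

Run it once with the Remove/Update lines commented out to get the report of who consented to what before changing anything.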

Related

Xamarin Azure AD Authentication Need Admin Permission

Does anyone know how to fix this? In my case there is no problem with login; however, there are users who can't log in and need admin permissions. We are in the same tenant.
This is the screenshot of the login that needs admin approval.
You can access the Xamarin app without admin consent because you have admin consent enabled for you, or you may be the administrator for that application/tenant. Thus, for the other users in your tenant to be allowed access to the Xamarin application, please follow the steps below:
Go to your Azure AD --> Enterprise Applications --> User settings --> Admin consent requests --> Users can request admin consent to apps they are unable to consent to --> Yes
Then under the section ‘Who can review admin consent requests’, select the users and groups who can review the admin consent for the application (you can select the users themselves if you want them to access without actual/designated admin consent) and set the number of days for which the consent would remain valid and then it expires. Thus, this will ensure that users in your tenant will not receive the admin consent prompt while accessing the application.
Also, ensure that the option ‘Allow user consent for apps’ in User consent settings in the Consent and permissions section in Enterprise Applications is selected for the admin consent prompt to be permanently removed for all applications in your tenant. Please find the screenshots below for your reference:

Azure AD - App Registration - Tenant Consent

I have a question regarding a multi-tenant App Registration in Azure AD. The first time a user logs in through the app it will ask him to grant his consent to access some of his data if necessary or ask an administrator to grant a tenant level consent. This is just fine.
But what if a change is made to the App Registration (Logout URL modified, for example)? Is it possible that users who have already used the app registration will need to grant their consent again, or that a tenant administrator might need to give his consent again?
Changing your redirect URLs or logout URL will not cause the consent to be prompted for again.
Changing the configured permissions also won't cause users who have already granted consent to have to grant consent again (but the app will only have the permissions it had been originally granted).
Users will only be prompted for consent in the following situations:
If your application dynamically requests a permission which has not been granted (e.g. scope=https://graph.microsoft.com/Mail.Read, if Mail.Read has not been granted).
If your application requests access to ".default" for a resource, and no permissions have been granted for that resource. For example, if your application requests scope=https://graph.microsoft.com/.default and no delegated permissions for Microsoft Graph have been granted, the user will be prompted for consent (for all permissions configured in the app registration). If any permission for the requested resource has been granted, the user will not be prompted for consent.
If your application forces user consent using prompt=consent. Don't do this—there is almost no situation where this is necessary. (Read a lot more on this at https://stackoverflow.com/a/60151790/325697.)
Yes. If you modify properties such as the redirect URL, permissions, logout URL and so on, you have to make admins from other tenants do the admin consent again to make it effective.
Using the admin consent URL is the quickest way:
https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}

Why does my request to consent admin permissions ask all permissions?

I want to consent to only specific admin permissions in the Graph API.
But it requests all tenant permissions.
The current logic is:
1) Get a delegated token by authorization.
https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize?client_id={CLIENT_ID}&response_type=token&redirect_uri={LOGIN_REDIRECT_URI}&response_mode=form_post&scope=offline_access https://graph.microsoft.com/.default
2) Prompt for admin consent.
https://login.microsoftonline.com/{TENANT_ID}/adminconsent?client_id={CLIENT_ID}&redirect_uri=http://localhost/team-members/getAppToken&scope=https://graph.microsoft.com/calendars.readwrite
3) Get an application token.
https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token?scope=https://graph.microsoft.com/calendars.readwrite
In this logic, admin consent always asks for all permissions in 2), but I want to ask only for the permission Calendars.ReadWrite.
How do I ask for consent for a specific permission?
This is related to your permission type. If your permission is a delegated permission, you can dynamically agree to a specific delegated permission on the administrator consent page: scope=https://graph.microsoft.com/calendars.readwrite.
If your permissions are application permissions, you can only request the static /.default scope, which will require the administrator to consent to all permissions in the tenant: scope=https://graph.microsoft.com/.default.
See the documentation, which has detailed instructions:
At this point, Azure AD requires a tenant administrator to sign in to complete the request. The administrator is asked to approve all the permissions that you have requested in the scope parameter. If you've used a static (/.default) value, it will function like the v1.0 admin consent endpoint and request consent for all scopes found in the required permissions (both user and app). In order to request app permissions, you must use the /.default value. If you don't want admins to see a given permission in the admin consent screen all the time when you use /.default, the best practice is to not put the permission in the required permissions section. Instead you can use dynamic consent to add the permissions you want to be in the consent screen at run time, rather than using /.default.
If you log in to the Azure portal and find your application
https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps
Click on the API Permissions tab.
You will see all configured permissions for the Microsoft Graph API.
Ensure that there is only Calendars.ReadWrite by removing all redundant permissions.

Why admin grant is required if my app is only requesting User.Read permission?

As you can see, my newly registered app registration is an app that only requires users to log in, nothing beyond the minimal requirements to work. I didn't configure it to request any special sort of permission.
When I try to log in, this message appears:
"Application needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it"
Why? The permissions the app is requesting are just basic ones. I don't understand why admin consent is required.
Many thanks
There are two possible reasons why users can't consent to User.Read:
User consent is disabled or restricted. Each customer can choose to disable or limit user consent to applications. In a tenant where user consent is disabled, for example, users can't consent to any permission.
Azure AD > Enterprise apps > User settings > Users can consent to apps...
The app requires assignment. When an application is configured to require assignment for users to be able to sign in, users are not allowed to consent to that application.
Azure AD > Enterprise apps > (select app) > Properties > User assignment required?
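The two checks above, plus a per-permission check of whether a non-admin user may consent to each scope the app registration requests, as an added diagnostic with the Microsoft Graph PowerShell SDK (not code from the answer). It assumes the Microsoft.Graph module is installed and the reader-side permissions shown; "<APP-ID-PLACEHOLDER>" stands for the app registration's Application (client) ID.

```powershell
# Added example: diagnose why users are blocked at the consent prompt.
# Placeholder: $appId (Application (client) ID of the app registration).
Connect-MgGraph -Scopes "Application.Read.All", "Policy.Read.All"

$appId = "<APP-ID-PLACEHOLDER>"

# 1. Tenant-wide user consent setting: an empty list of assigned permission grant
#    policies means user consent is disabled, so every app needs admin consent.
$policy          = Get-MgPolicyAuthorizationPolicy
$consentPolicies = $policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
if (-not $consentPolicies) {
    Write-Host "User consent is DISABLED tenant-wide: admin consent needed for every app"
} else {
    Write-Host "User consent policies assigned: $($consentPolicies -join ', ')"
}

# 2. Enterprise app requires assignment? Users cannot self-consent to such apps.
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if ($sp.AppRoleAssignmentRequired) {
    Write-Host "'$($sp.DisplayName)' requires user assignment: users cannot consent"
}

# 3. For each permission in 'API permissions', who may consent?
$app = Get-MgApplication -Filter "appId eq '$appId'"
foreach ($resource in $app.RequiredResourceAccess) {
    # The resource (e.g. Microsoft Graph) publishes its scopes on its own service principal
    $resSp = Get-MgServicePrincipal -Filter "appId eq '$($resource.ResourceAppId)'"
    foreach ($access in $resource.ResourceAccess) {
        if ($access.Type -eq "Role") {
            # Application (app-only) permission: always admin consent
            $role = $resSp.AppRoles | Where-Object { $_.Id -eq $access.Id }
            Write-Host "$($resSp.DisplayName) / $($role.Value): APPLICATION permission -> admin consent required"
        } else {
            # Delegated permission: Type 'User' = users may consent, 'Admin' = admin only
            $scope = $resSp.Oauth2PermissionScopes | Where-Object { $_.Id -eq $access.Id }
            Write-Host "$($resSp.DisplayName) / $($scope.Value): delegated, consentable by '$($scope.Type)'"
        }
    }
}
```

If check 3 shows only User.Read with Type 'User' and the user is still blocked, the cause is check 1 or check 2 rather than the permission itself.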
The most likely reasons for any admin consent issue:
App-only permissions always require a tenant administrator’s consent. If your application requests an app-only permission and a user tries to sign in to the application, an error message is displayed saying the user isn’t able to consent.
Certain delegated permissions also require a tenant administrator’s consent. For example, the ability to write back to Azure AD as the signed-in user requires a tenant administrator’s consent.
Possible solutions:
The prompt=admin_consent parameter (which requests permissions from the admin) can be used as a parameter in the OAuth2/OpenID Connect authorization request to grant the admin consent.
Enable the admin consent workflow, which gives end users a way to request access to applications that require admin consent.
Refer to the permissions documentation for the Microsoft Graph API, which indicates which permissions require admin consent.
Please refer to the admin consent endpoint for more details.

Getting error for users "AADSTS90093: Does not have access to consent." after admin has granted consent

Using Azure Active Directory in a multi-tenant environment.
Admin has given consent to the application for all users to log on.
Users have been restricted from consenting.
After admin has given consent users are still not able to log on and receive the "AADSTS90093: Does not have access to consent." error.
The way in which you did admin consent was probably erroneous or you were not signed into an admin account. Try out one of these two ways:
Inside the Azure Portal, log in to an admin account, go to the App Registration blade, select your app, and hit the Grant Permissions button.
Construct a new auth request and append on &prompt=admin_consent.
This error is caused when your app is requesting an admin-restricted scope. These are scopes that require an admin to consent on behalf of their users.