Forum Discussion

Esha Omprakash Bharadwaj
Jul 25, 2018

Consent flow for application permissions

I have an AAD-secured API and I need to grant a client application access to this API (without any user context). I have added an appRole with "allowedMemberTypes": ["Application"] to the manifest of my API. The client has requested permission to my API, but from what I am reading online only a tenant admin can grant this permission (being owner of the API is not sufficient).

What is the recommended way of implementing Active Directory authentication in such a scenario without needing tenant admin intervention? The API simply needs to grant access to a set of client service principals (no user context involved).

  • Hello Esha,

    Consent works on the basis of the API that an application is accessing.

    If your API is accessing the basic information of any entity, like a user, then user context will work.

    If your API is accessing a protected resource that needs global admin consent, the application will not be able to access it with the consent of the global admin for the directory.

    Now in these cases we end up in a situation where a global admin has to consent to the application for the entire directory using the "prompt=admin_consent" parameter.

    Check the article below:

    https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview

    This will be a one-time consent approval that is done by the GA.

    Regards,

    Rishabh
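Added example for the thread above (this is not code from either poster). It puts the three pieces discussed side by side: the appRole manifest entry with "allowedMemberTypes": ["Application"], the one-time admin-consent URL built on the v1 authorize endpoint with prompt=admin_consent, and the authorization check the API itself has to perform on the token it receives. The last part is the point worth seeing in code: a client that was never consented/assigned can still end up presenting a token that is validly signed for the API but carries no roles claim, so the API must reject tokens that lack the expected app role rather than trusting audience alone. Tenant ID, app IDs, the api:// URI and the role value are made-up placeholders, and the claim sets are constructed, not captured from a real token.

```python
"""App-role (application permission) consent and enforcement, worked offline.

All identifiers below (tenant, app IDs, api:// URI, role value) are
placeholders; the claim dictionaries are constructed samples, not real JWTs.
"""
import uuid
from urllib.parse import urlencode

LOGIN_BASE = "https://login.microsoftonline.com"


def app_role_manifest_entry(value, display_name, description):
    """Return one entry for the "appRoles" array of the API's app manifest.

    allowedMemberTypes ["Application"] makes this an application permission:
    it is granted to a client's service principal, never to a user.
    """
    return {
        "allowedMemberTypes": ["Application"],
        "description": description,
        "displayName": display_name,
        "id": str(uuid.uuid4()),
        "isEnabled": True,
        "value": value,
    }


def admin_consent_url(tenant, client_app_id, redirect_uri):
    """URL a tenant admin opens to grant the client's requested permissions
    for the whole directory (v1 authorize endpoint, prompt=admin_consent)."""
    params = {
        "client_id": client_app_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "prompt": "admin_consent",
    }
    return f"{LOGIN_BASE}/{tenant}/oauth2/authorize?{urlencode(params)}"


def authorize_app_token(claims, api_app_id_uri, tenant_id, required_role):
    """Decide whether an already signature-verified token may call the API.

    `claims` is the decoded JWT payload. Signature, issuer and expiry are
    assumed to have been checked by the JWT library against the tenant's
    signing keys; this function covers the authorization decision only.
    Returns (allowed, reason).
    """
    if claims.get("aud") != api_app_id_uri:
        return False, "token was not issued for this API (aud mismatch)"
    if claims.get("tid") != tenant_id:
        return False, "token is from another tenant"
    if "scp" in claims:
        # A delegated (user-context) token carries scp; this path is app-only.
        return False, "delegated token where an application token is required"
    roles = claims.get("roles", [])
    if required_role not in roles:
        # This is what an unassigned client presents: the token may be valid
        # for the API, but without admin consent it has no roles claim.
        return False, f"missing app role {required_role!r}"
    return True, "ok"


# Constructed sample payloads (placeholders, not captured tokens).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
API_APP_ID_URI = "api://contoso-orders-api"
ROLE = "Orders.Read.All"

CONSENTED_CLIENT_CLAIMS = {
    "aud": API_APP_ID_URI,
    "tid": TENANT_ID,
    "appid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "roles": [ROLE],
}
UNCONSENTED_CLIENT_CLAIMS = {
    "aud": API_APP_ID_URI,
    "tid": TENANT_ID,
    "appid": "ffffffff-0000-1111-2222-333333333333",
}
DELEGATED_CLAIMS = {
    "aud": API_APP_ID_URI,
    "tid": TENANT_ID,
    "scp": "user_impersonation",
}


if __name__ == "__main__":
    print(app_role_manifest_entry(ROLE, "Read orders", "Read all orders"))
    print(admin_consent_url("contoso.onmicrosoft.com",
                            "ffffffff-0000-1111-2222-333333333333",
                            "https://client.example/callback"))
    for name, c in [("consented", CONSENTED_CLIENT_CLAIMS),
                    ("unconsented", UNCONSENTED_CLIENT_CLAIMS),
                    ("delegated", DELEGATED_CLIENT_CLAIMS if False else DELEGATED_CLAIMS)]:
        print(name, authorize_app_token(c, API_APP_ID_URI, TENANT_ID, ROLE))
```

The manifest entry and the consent URL are the two things the thread says an admin has to act on once; the authorization function is what the API owner controls without admin involvement, and it is where a missing roles claim must turn into a 403 rather than a silent pass.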
