Forum Discussion
3rd party applications in Azure AD
- Oct 10, 2019
Yup, there's something similar in the works as I hinted above, I cannot share more details until it's publicly announced.
You shouldn't need to grant consent to the entire tenant though, you can just assign the app to a group of users.
The scenario is a user attempts to link a 3rd party app to their Azure AD account to access Office 365 data, and they receive a prompt telling them that they need admin approval. They open a support case with us, and we have a look at the application that they are trying to use and decide that it is suitable in terms of what it does, where the company is located, etc.
As far as I can see, the only way to get that application working is for an application administrator to sign up for that app themselves, approve it, and then grant consent for the entire tenant. Alternatively they can screen share onto the end user's session and enter admin credentials when the user is prompted for them.
I might be missing something but it seems like there should be a better way to handle this. I only mention the app ID because that's where we can see the login failures in the Azure AD portal, but something along the lines of a "request this application" button displayed to the user that then provided a method for admin approval in the portal would be ideal.
- Gadin590, Feb 02, 2022, Copper Contributor
VasilMichev Can you touch on what was the workaround released in that Ignite?
- Jonny Marlborough, Oct 10, 2019, Copper Contributor
Thank you for your replies here, I will keep an eye on what comes out of Ignite. At least now that I know that this is just how it works (for now), I can stop trying to work around it.
- Jonny Marlborough, Nov 04, 2019, Copper Contributor
For anybody else looking for the same answers - there's an admin consent preview available now
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow
- Anu_11, Oct 14, 2022, Copper Contributor
Admin consent workflow is live now. We can block users' consent to apps and enable admin consent workflow to securely approve the app consent requests.
Also, if we have any existing unnecessary applications, we can review those app permissions and remove them completely to eliminate the unwanted security risks.
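
The review of existing app permissions mentioned in the last reply, as an added example that is not part of the original thread or any poster's code: it separates tenant-wide delegated grants from per-user ones and flags the sensitive scopes on each. It assumes the grants were exported in the shape of Microsoft Graph oauth2PermissionGrant objects; the sample data, SENSITIVE_PREFIXES, LOW_RISK and review_grants are constructed for illustration.

```python
import json

# Constructed sample shaped like a Microsoft Graph /oauth2PermissionGrants
# response; every id and scope assignment below is made up for illustration.
SAMPLE = json.loads("""
{"value": [
  {"id": "g1", "clientId": "sp-mailtool", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "sp-graph",
   "scope": "User.Read Mail.ReadWrite offline_access"},
  {"id": "g2", "clientId": "sp-calendar", "consentType": "Principal",
   "principalId": "user-17", "resourceId": "sp-graph",
   "scope": "User.Read Calendars.Read"},
  {"id": "g3", "clientId": "sp-calendar", "consentType": "Principal",
   "principalId": "user-42", "resourceId": "sp-graph",
   "scope": " Files.ReadWrite.All  User.Read "},
  {"id": "g4", "clientId": "sp-signin", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "sp-graph",
   "scope": "openid profile User.Read"}
]}
""")

# Assumption: the reviewer's own lists, not an official risk classification.
SENSITIVE_PREFIXES = ("Mail.", "Files.", "Sites.", "Directory.")
LOW_RISK = {"openid", "profile", "email", "offline_access", "User.Read"}

def review_grants(grants):
    """Return one finding per delegated grant that needs admin review."""
    findings = []
    for g in grants:
        scopes = set((g.get("scope") or "").split())  # space-separated list
        sensitive = sorted(s for s in scopes - LOW_RISK
                           if s.startswith(SENSITIVE_PREFIXES))
        tenant_wide = g.get("consentType") == "AllPrincipals"
        if not sensitive:
            continue
        findings.append({
            "grant": g["id"],
            "app": g["clientId"],
            "who": "entire tenant" if tenant_wide else g.get("principalId"),
            "scopes": sensitive,
            # Tenant-wide consent to a sensitive scope is reviewed first.
            "priority": "high" if tenant_wide else "medium",
        })
    return sorted(findings, key=lambda f: (f["priority"] != "high", f["grant"]))

if __name__ == "__main__":
    for f in review_grants(SAMPLE["value"]):
        print(f"{f['priority']:6} {f['app']:12} {f['who']:14} {', '.join(f['scopes'])}")
```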