SOLVED
Home

3rd party applications in Azure AD

%3CLINGO-SUB%20id%3D%22lingo-sub-906832%22%20slang%3D%22en-US%22%3E3rd%20party%20applications%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-906832%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20disabled%20the%20feature%20where%20users%20can%20consent%20to%20third-party%20applications%20accessing%20data%20on%20their%20behalf%20-%20we%20have%20seen%20it%20used%20as%20a%20vector%20for%20phishing%20attacks%20where%20malicious%20documents%20are%20created%20in%20SharePoint%20and%20then%20the%20users%20own%20email%20account%20is%20used%20to%20send%20out%20sharing%20requests.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20a%20result%2C%20people%20are%20now%20asked%20for%20admin%20approval%20when%20attempting%20to%20use%20these%20applications%20-%20the%20behaviour%20described%20here%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Foffice365%2Fadmin%2Fmisc%2Fintegrated-apps%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Foffice365%2Fadmin%2Fmisc%2Fintegrated-apps%3Fview%3Do365-worldwide%3C%2FA%3E.%20Where%20these%20apps%20are%20not%20in%20the%20gallery%2C%20the%20only%20way%20to%20grant%20access%20to%20the%20whole%20tenant%20is%20to%20authorise%20the%20app%20as%20an%20admin%20for%20the%20user%20by%20logging%20in%20for%20them%2C%20and%20then%20locating%20the%20app%20in%20the%20Azure%20AD%20portal%20and%20granting%20admin%20consent%20for%20the%20organisation.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20quite%20a%20clunky%20process%2C%20especially%20where%20the%20end%20user%20and%20the%20admin%20are%20not%20located%20in%20the%20same%20office%20or%20timezone.%20I%20can%20see%20the%20attempted%20sign-ins%20in%20the%20portal%20-%20is%20there%20no%20way%20to%20initiate%20an%20app%20approval%20workflow%20from%20here%20once%20the%20application%20ID%20is%20known%3F%20It's%20possible%20I%20am%20approaching%20this%20in%20completely%20the%20wrong%20way%20but%20the%20agent%20who%20picked%20up%20my%20support%20request%20couldn't%20suggest%20a%20better%20approach%20than%20doing%20a%20screen%20share%20with%20an%20affected%20user%20to%20authorise%20the%20application%20either.%20It%20seems%20like%20a%20major%20shortcoming%20in%20the%20service.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-906832%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EEnterprise%20Application%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-907096%22%20slang%3D%22en-US%22%3ERe%3A%203rd%20party%20applications%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-907096%22%20slang%3D%22en-US%22%3E%3CP%3ENot%20sure%20I%20entirely%20understand%20the%20scenario.%20Do%20you%20really%20want%20to%20consent%20to%20an%20application%20based%20only%20on%20it's%20ID%2C%20without%20even%20checking%20what%20the%20app%20does%2C%20who%20the%20publisher%20is%2C%20etc%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20do%20agree%20that%20the%20process%20can%20be%20tiresome%2C%20but%20that's%20usually%20the%20price%20for%20having%20stricter%20control.%20And%20I%20can%20tell%20you%20that%20Microsoft%20is%20already%20looking%20into%20improving%20this%20scenario%2C%20look%20for%20some%20news%20at%20Ignite.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-907108%22%20slang%3D%22en-US%22%3ERe%3A%203rd%20party%20applications%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-907108%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20scenario%20is%20a%20user%20attempts%20to%20link%20a%203rd%20party%20app%20to%20their%20Azure%20AD%20account%20to%20access%20Office%20365%20data%2C%20and%20they%20receive%20a%20prompt%20telling%20them%20that%20they%20need%20admin%20approval.%20They%20open%20a%20support%20case%20with%20us%2C%20and%20we%20have%20a%20look%20at%20the%20application%20that%20they%20are%20trying%20to%20use%20and%20decide%20that%20it%20is%20suitable%20in%20terms%20of%20what%20it%20does%2C%20where%20the%20company%20is%20located%20etc.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20far%20as%20I%20can%20see%2C%20the%20only%20way%20to%20get%20that%20application%20working%20is%20for%20an%20application%20administrator%20to%20sign%20up%20for%20that%20app%20themselves%2C%20approve%20it%2C%20and%20then%20grant%20consent%20for%20the%20entire%20tenant.%20Alternatively%20they%20can%20screen%20share%20onto%20the%20end%20users%20session%20and%20enter%20admin%20credentials%20when%20the%20user%20is%20prompted%20for%20them.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20might%20be%20missing%20something%20but%20it%20seems%20like%20there%20should%20be%20a%20better%20way%20to%20handle%20this.%20I%20only%20mention%20the%20app%20ID%20because%20that's%20where%20we%20can%20see%20the%20login%20failures%20in%20the%20Azure%20AD%20portal%2C%20but%20something%20along%20the%20lines%20of%20a%20%22request%20this%20application%22%20button%20displayed%20to%20the%20user%20that%20then%20provided%20a%20method%20for%20admin%20approval%20in%20the%20portal%20would%20be%20ideal.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-907117%22%20slang%3D%22en-US%22%3ERe%3A%203rd%20party%20applications%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-907117%22%20slang%3D%22en-US%22%3E%3CP%3EYup%2C%20there's%20something%20similar%20in%20the%20works%20as%20I%20hinted%20above%2C%20I%20cannot%20share%20more%20details%20until%20it's%20publicly%20announced.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20shouldn't%20need%20to%20grant%20consent%20to%20the%20entire%20tenant%20though%2C%20you%20can%20just%20assign%20the%20app%20to%20a%20group%20of%20users.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-907123%22%20slang%3D%22en-US%22%3ERe%3A%203rd%20party%20applications%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-907123%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20for%20your%20replies%20here%2C%20I%20will%20keep%20an%20eye%20on%20what%20comes%20out%20of%20Ignite.%20At%20least%20now%20I%20know%20that%20this%20is%20just%20how%20it%20works%20(for%20now)%20I%20can%20stop%20trying%20to%20work%20around%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-980078%22%20slang%3D%22en-US%22%3ERe%3A%203rd%20party%20applications%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-980078%22%20slang%3D%22en-US%22%3E%3CP%3EFor%20anybody%20else%20looking%20for%20the%20same%20answers%20-%20there's%20a%20admin%20consent%20preview%20available%20now%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fmanage-apps%2Fconfigure-admin-consent-workflow%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fmanage-apps%2Fconfigure-admin-consent-workflow%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Jonny Marlborough
Occasional Contributor

We have disabled the feature where users can consent to third-party applications accessing data on their behalf - we have seen it used as a vector for phishing attacks where malicious documents are created in SharePoint and then the users own email account is used to send out sharing requests.

 

As a result, people are now asked for admin approval when attempting to use these applications - the behaviour described here https://docs.microsoft.com/en-gb/office365/admin/misc/integrated-apps?view=o365-worldwide. Where these apps are not in the gallery, the only way to grant access to the whole tenant is to authorise the app as an admin for the user by logging in for them, and then locating the app in the Azure AD portal and granting admin consent for the organisation.

 

This is quite a clunky process, especially where the end user and the admin are not located in the same office or timezone. I can see the attempted sign-ins in the portal - is there no way to initiate an app approval workflow from here once the application ID is known? It's possible I am approaching this in completely the wrong way but the agent who picked up my support request couldn't suggest a better approach than doing a screen share with an affected user to authorise the application either. It seems like a major shortcoming in the service.

5 Replies

Not sure I entirely understand the scenario. Do you really want to consent to an application based only on it's ID, without even checking what the app does, who the publisher is, etc?

 

I do agree that the process can be tiresome, but that's usually the price for having stricter control. And I can tell you that Microsoft is already looking into improving this scenario, look for some news at Ignite.

The scenario is a user attempts to link a 3rd party app to their Azure AD account to access Office 365 data, and they receive a prompt telling them that they need admin approval. They open a support case with us, and we have a look at the application that they are trying to use and decide that it is suitable in terms of what it does, where the company is located etc.

 

As far as I can see, the only way to get that application working is for an application administrator to sign up for that app themselves, approve it, and then grant consent for the entire tenant. Alternatively they can screen share onto the end users session and enter admin credentials when the user is prompted for them.

 

I might be missing something but it seems like there should be a better way to handle this. I only mention the app ID because that's where we can see the login failures in the Azure AD portal, but something along the lines of a "request this application" button displayed to the user that then provided a method for admin approval in the portal would be ideal.

Solution

Yup, there's something similar in the works as I hinted above, I cannot share more details until it's publicly announced.

 

You shouldn't need to grant consent to the entire tenant though, you can just assign the app to a group of users. 

Thank you for your replies here, I will keep an eye on what comes out of Ignite. At least now I know that this is just how it works (for now) I can stop trying to work around it.

For anybody else looking for the same answers - there's a admin consent preview available now

 

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow

 

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
35 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies