
Consent flow for application permissions

Esha Omprakash Bharadwaj
Microsoft

I have an AAD-secured API and I need to grant a client application access to this API (without any user context). I have added an approle with "allowedMemberTypes": ["Application"] to the manifest of my API. The client has requested permission to my API, but from what I am reading online only a tenant admin can grant this permission (being owner on the API is not sufficient).

What is the recommended way of implementing Active Directory authentication in such a scenario without needing tenant admin intervention? The API simply needs to grant access to a set of client service principals (no user context involved).

1 Reply

Hello Esha,


Consent works on the basis of the API that an application is accessing.

If your API is accessing the basic information of any entity, like a user, then the user context will work.

If your API is accessing a protected resource that needs global admin consent, the application will not be able to access it with the consent of the global admin for the directory.


Now in these cases we end up in a situation wherein a global admin has to consent to the application for the entire directory using the "prompt=admin_consent" parameter.

Check the below-mentioned article:

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview


This will be a one-time consent approval that will be done by the GA.


Regards,

Rishabh