Azure AD app role assignment - consent grant


Why does Azure AD not prompt the application owner's consent when one of its exposed roles is assigned to a client application (API permissions)?


Inside an organization, there could be many application teams sharing the same tenant. Each application team may register on Azure AD as services and expose their permissions as roles. When a client app is set up and the role assignments are made to the client app, I see generally that admin consent is prompted (if configured). However, why does Azure not request the service provider app's owner to accept whether the role assignment is valid?


I do understand this could be a headache in a dynamic environment. But in large organizations, the Admin team may not be fully aware and may consent to the role assignment always. 

As the app owner/dev, you can check whether the required permissions/roles are assigned by examining the access token. The decision on granting such within the local directory is always left to the global admin. Think of multi-tenant scenarios: there is no practical way for the app owner to approve such within another organization's tenant.

@Vasil Michev I agree this may not be possible in a multi-tenant setup. But my scenario is specific to a single tenant. Inspecting the incoming request's token is very late, as the app already managed to get the assignments done on its own without the knowledge of the app owner.

Wondering if it would be a good-to-have feature though.
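Two controls the resource app's owner does have in a single tenant, as an added example that is not part of the thread: enforcing the `roles` claim in the API itself (the check the first reply describes) and periodically auditing who holds the app's roles. The app-role definitions, the assignment records and the expected-client list below are constructed; in practice the assignments come from the Microsoft Graph call `GET /servicePrincipals/{resource-sp-id}/appRoleAssignedTo` and the role definitions from the application's own manifest.

```python
import base64
import json

# Constructed sample: app roles as defined in the resource application's manifest.
APP_ROLES = [
    {"id": "11111111-1111-1111-1111-111111111111", "value": "Orders.Read", "isEnabled": True},
    {"id": "22222222-2222-2222-2222-222222222222", "value": "Orders.Write", "isEnabled": True},
]

# Constructed sample shaped like Graph's appRoleAssignedTo records (trimmed to relevant fields).
ASSIGNMENTS = [
    {"appRoleId": "11111111-1111-1111-1111-111111111111", "principalId": "aaaa-client-1",
     "principalDisplayName": "billing-portal", "principalType": "ServicePrincipal"},
    {"appRoleId": "22222222-2222-2222-2222-222222222222", "principalId": "bbbb-client-2",
     "principalDisplayName": "unknown-client", "principalType": "ServicePrincipal"},
]

# The owner's own record of which client principals should hold which roles (constructed).
EXPECTED_CLIENTS = {"aaaa-client-1": {"Orders.Read"}}


def audit_assignments(app_roles, assignments, expected):
    """Return (client display name, role value) for every assignment the owner did not expect.
    Anything returned here was granted by an admin without the owner's knowledge."""
    role_names = {r["id"]: r["value"] for r in app_roles}
    findings = []
    for a in assignments:
        role = role_names.get(a["appRoleId"], a["appRoleId"])  # unknown id: report the raw GUID
        if role not in expected.get(a["principalId"], set()):
            findings.append((a["principalDisplayName"], role))
    return findings


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_grants(token, audience, required_role):
    """True only if the token is addressed to this API (aud) and carries the required app role.
    Signature, issuer and expiry validation are assumed to have been done by the API's
    token-validation middleware before this check runs; this only reads the claims."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return payload.get("aud") == audience and required_role in payload.get("roles", [])


def sample_token(claims):
    """Constructed token with the signature segment left empty, for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + "."
```

Running the audit on a schedule (and alerting on a non-empty result) gives the owner the visibility the question asks for, while `token_grants` makes sure an assignment the owner never expected still does not authorize a call to an endpoint that requires a different role.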