Consent flow for application permissions


I have an AAD secured api and I need to grant a client application access to this api (without any user context). I have added an approle with "allowedMemberTypes": ["Application"] to the manifest of my api. The client has requested permission to my api but from what I am reading online only a tenant admin can grant this permission (being owner on the api is not sufficient).

What is the recommended way of implementing active directory authentication in such a scenario without needing tenant admin intervention? The api simply needs to grant access to a set of client service principals (no user context involved).

1 Reply

Hello Esha,

Consent works on the basis of the api that an application is accessing.

If your api is accessing the basic information of any entity like user then the user context will work.

If your api is accessing a protected resource that needs global admin consent the application will not be able to access with the consent of the global admin for the directory.

Now in these cases we end up in a situation wherein a global admin has to consent the application for the entire directory using the "prompt=admin_consent" parameter.

Check the below-mentioned article:

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tena...

This will be a one-time consent approval that will be done by the GA.

Regards,

Rishabh