Grant user consent for the delegated Graph API permissions without the UI flow


There are two types of Graph API permissions we can grant to an AD application.

1. Application permissions

2. User Delegated permissions

 

For the application permissions:

The AAD portal provides a UI to grant admin consent:

 

(screenshot: grant-tenant-wide-admin-consent.png)

 

For the user delegated permissions:

For delegated permissions, to provide consent the user needs to log in to the application that requires the access and grant the permissions using the UI flow.

(screenshot: user_delegated.png)

 

This is possible for an application that has a web UI, but for a backend without any UI it is not possible.

 

Questions:

1. Can we avoid the UI flow for granting consent for user delegated permissions?

2. Is there a way we can grant consent for the user delegated permissions from the Azure AD portal like we do for the Admin consent?

3. If it is not supported from the AD portal, are there Graph APIs to grant the permissions?

4. If it is supported by the Graph APIs, links to the documentation/examples will help.
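Question 3 asks whether a Graph API exists for this. The directory object that the user-consent UI writes is an oauth2PermissionGrant (consentType "Principal" for one user, "AllPrincipals" for tenant-wide admin consent). The PowerShell below is an added example, not code from the original post or from Microsoft's documentation, showing how an administrator of the tenant records delegated consent for a single user through the Microsoft Graph PowerShell SDK rather than the prompt. The client app ID, the user's UPN and the scope list are placeholders; the caller is assumed to be an admin in the same tenant as the service principal.

```powershell
# Added example (not from the original post): record delegated consent for one user
# by creating the oauth2PermissionGrant that the interactive consent page would create.
# The caller must be an admin in the tenant that owns the client service principal and
# needs DelegatedPermissionGrant.ReadWrite.All (or Directory.ReadWrite.All).
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users

$clientAppId = '00000000-0000-0000-0000-000000000000'   # assumption: your app registration's Application (client) ID
$userUpn     = 'user@contoso.example'                   # assumption: the user on whose behalf consent is recorded
$scopes      = 'User.Read Mail.Read'                    # least privilege: only the delegated scopes the backend needs

Connect-MgGraph -Scopes 'DelegatedPermissionGrant.ReadWrite.All', 'Application.Read.All', 'User.Read.All'

# Resolve the three object IDs a grant references: client SP, resource SP (Microsoft Graph), and the user.
$clientSp = Get-MgServicePrincipal -Filter "appId eq '$clientAppId'"
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"  # Microsoft Graph's well-known appId
$user     = Get-MgUser -UserId $userUpn

if (-not $clientSp) {
    throw "No service principal for appId $clientAppId in this tenant; create the enterprise app first."
}

# Only one grant may exist per client/resource/principal, so update an existing one instead of creating a duplicate.
$existing = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($clientSp.Id)' and resourceId eq '$($graphSp.Id)' and principalId eq '$($user.Id)'"

if ($existing) {
    Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $existing.Id -Scope $scopes
}
else {
    New-MgOauth2PermissionGrant -ClientId $clientSp.Id `
                                -ConsentType 'Principal' `
                                -PrincipalId $user.Id `
                                -ResourceId $graphSp.Id `
                                -Scope $scopes
}

# Verify what this user has now consented to for this client.
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($clientSp.Id)' and principalId eq '$($user.Id)'" |
    Select-Object ConsentType, PrincipalId, Scope
```

Two caveats a practitioner should keep in mind. First, this does not remove the human decision; it moves it from the user to the administrator who runs the script, and the grant creation is recorded in the tenant's audit log under that admin's identity, so keep the scope string to the minimum the backend needs and never switch to consentType 'AllPrincipals' unless tenant-wide consent is actually intended. Second, it only works in a tenant where you hold that admin role; for a multi-tenant app, each customer's own admin has to perform the equivalent step in their tenant.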

 

2 Replies
What you are showing on the first screenshot is only valid for your own tenant. Every "customer facing" application that needs any type of permissions (delegated OR application) needs to request them via the UI-based consent flow. There are no exceptions.

@Pradeep_Patil 

 

Consent should never be fully-automatable in any case.

 

Compliance, as a key component of good governance, should be auditable and approvers should be accountable. Full automation of such a key concept would take us backwards 10+ years in the technology systems space, and from a commercial perspective, we'd be grilled by risk-aware business stakeholders, insurers, etc.

 

I'm wondering what the problem you're trying to solve is? Particularly in the context that someone with the appropriate formal authority from the customer tenant could be configured within Azure to be able to approve this - or any other - application for all of their users.

 

Grant tenant-wide admin consent to an application - Azure AD | Microsoft Docs

 

Cheers,

Lain