How to view/revoke consent for an app that no longer appears in myAppsPortal

%3CLINGO-SUB%20id%3D%22lingo-sub-1359268%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20view%2Frevoke%20consent%20for%20an%20app%20that%20no%20longer%20appears%20in%20myAppsPortal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1359268%22%20slang%3D%22en-US%22%3EThere%20is%20no%20way%20for%20an%20end-user%20to%20manage%20applications%20he%20doesn't%20have%20access%20so.%3CBR%20%2F%3EThe%20admin%20needs%20to%20delete%20the%20app%2Fpermissions%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1361117%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20view%2Frevoke%20consent%20for%20an%20app%20that%20no%20longer%20appears%20in%20myAppsPortal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1361117%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F186539%22%20target%3D%22_blank%22%3E%40Thijs%20Lecomte%3C%2FA%3E%26nbsp%3BThe%20user%20still%20has%20access%20to%20the%20application%20because%20the%20%22User%20assignment%20required%3F%22%20property%20is%20still%20set%20to%20%22No%22.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20app%20no%20longer%20appears%20in%20the%20Apps%20portal%20but%20I%20can%20confirm%20that%20I%20am%20still%20able%20to%20retrieve%20tokens%20using%20the%20appropriate%20Oauth2%20endpoints%20as%20described%20here%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevelop%2Fv2-oauth2-auth-code-flow%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevelop%2Fv2-oauth2-auth-code-flow%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20also%20tested%20out%20the%20case%20that%20you%20brought%20up%2C%20where%20the%20user%20has%20granted%20consent%2C%20and%20then%20an%20admin%20un-assigns%20the%20user%20and%20sets%20%22User%20assignment%20required%22%20to%20%22yes%22.%20The%20user%20can%20no%20longer%20access%20the%20application%20but%20the%20consent%20still%20exists%20in%20the%20%22Permissions%22%20tab%2C%20with%20no%20way%20for%20the%20user%20to%20revoke%20it.%3CBR%20%2F%3E%3CBR%20%2F%3EIn%20both%20cases%2C%20it%20doesn't%20seem%20like%20there%20is%20any%20way%20for%20the%20user%20to%20revoke%20consent%20for%20the%20application%20or%20to%20even%20know%20what%20permissions%20the%20application%20has%20(because%20they%20probably%20forgot%20what%20permissions%20they%20consented%20to%20in%20the%20first%20place).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPerhaps%20this%20is%20an%20edge%20case%20but%20unless%20I'm%20missing%20something%26nbsp%3Bthis%20still%20seems%20like%20a%20privacy%2Fsecurity.issue.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1363379%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20view%2Frevoke%20consent%20for%20an%20app%20that%20no%20longer%20appears%20in%20myAppsPortal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1363379%22%20slang%3D%22en-US%22%3EIt's%20true%20there%20is%20no%20real%20way%20for%20a%20user%20to%20check%20applications%3CBR%20%2F%3EThe%20admin%20has%20to%20check%20these%20permissions%20for%20a%20user%3CBR%20%2F%3E%3CBR%20%2F%3EI%20agree%20with%20you%20that%20a%20user%20should%20be%20able%20to%20check%20what%20permissions%20an%20application%20has%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1358873%22%20slang%3D%22en-US%22%3EHow%20to%20view%2Frevoke%20consent%20for%20an%20app%20that%20no%20longer%20appears%20in%20myAppsPortal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1358873%22%20slang%3D%22en-US%22%3E%3CP%3EAs%20a%20tenant%20admin%2C%20I%20created%20an%20app%20in%20the%20%22App%20registrations%22%20section.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThen%20as%20an%20different%20unprivileged%20user%2C%20I%20consented%20and%20signed%20in%20to%20the%20app.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20the%20unprivileged%20user%20I%20view%20the%20permissions%20I've%20consented%20to%20and%20revoke%20them%20by%20going%20to%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fmyapplications.microsoft.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmyapplications.microsoft.com%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20the%20admin%20user%2C%20I%20can%20see%20which%20permissions%20the%20user%20has%20consented%20in%20%3CEM%3EEnterprise%20Apps%20%26gt%3B%20myApp%20%26gt%3B%20permissions%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThen%20as%20the%20admin%20user%2C%20I%20removed%20the%20unprivileged%20user%20from%20the%20%22Users%20and%20groups%22%20section%20of%20the%20enterprise%20app.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20expected%2C%20the%20app%20is%20no%20longer%20visible%20for%20the%20unprivileged%20user%20when%20visiting%20the%20My%20apps%20portal.%20However%2C%20as%20the%20admin%20user%2C%20I%20can%20see%20the%20user's%20consent%20in%20the%20%22%3CEM%3Epermissions%3C%2FEM%3E%22%20section.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20the%20unprivileged%20user%2C%20how%20can%20I%20manage%2Fview%20the%20apps%20for%20which%20I've%20consented%20if%20they%20don't%20appear%20in%20the%20My%20apps%20portal%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1358873%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
New Contributor

As a tenant admin, I created an app in the "App registrations" section.

 

Then as an different unprivileged user, I consented and signed in to the app.

 

As the unprivileged user I view the permissions I've consented to and revoke them by going to 

https://myapplications.microsoft.com/

 

As the admin user, I can see which permissions the user has consented in Enterprise Apps > myApp > permissions

 

Then as the admin user, I removed the unprivileged user from the "Users and groups" section of the enterprise app.

 

As expected, the app is no longer visible for the unprivileged user when visiting the My apps portal. However, as the admin user, I can see the user's consent in the "permissions" section.

 

As the unprivileged user, how can I manage/view the apps for which I've consented if they don't appear in the My apps portal?

3 Replies
There is no way for an end-user to manage applications he doesn't have access so.
The admin needs to delete the app/permissions

@Thijs Lecomte The user still has access to the application because the "User assignment required?" property is still set to "No".

 

The app no longer appears in the Apps portal but I can confirm that I am still able to retrieve tokens using the appropriate Oauth2 endpoints as described here https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

 

I have also tested out the case that you brought up, where the user has granted consent, and then an admin un-assigns the user and sets "User assignment required" to "yes". The user can no longer access the application but the consent still exists in the "Permissions" tab, with no way for the user to revoke it.

In both cases, it doesn't seem like there is any way for the user to revoke consent for the application or to even know what permissions the application has (because they probably forgot what permissions they consented to in the first place).

 

Perhaps this is an edge case but unless I'm missing something this still seems like a privacy/security.issue.

It's true there is no real way for a user to check applications
The admin has to check these permissions for a user

I agree with you that a user should be able to check what permissions an application has