May 04 2020 - last edited on Jul 24 2020
As a tenant admin, I created an app in the "App registrations" section.
Then as a different unprivileged user, I consented and signed in to the app.
As the unprivileged user I view the permissions I've consented to and revoke them by going to
As the admin user, I can see which permissions the user has consented to in Enterprise Apps > myApp > permissions
Then as the admin user, I removed the unprivileged user from the "Users and groups" section of the enterprise app.
As expected, the app is no longer visible for the unprivileged user when visiting the My apps portal. However, as the admin user, I can see the user's consent in the "permissions" section.
As the unprivileged user, how can I manage/view the apps for which I've consented if they don't appear in the My apps portal?
May 04 2020 11:37 PM
May 05 2020 11:27 AM
@Thijs Lecomte The user still has access to the application because the "User assignment required?" property is still set to "No".
The app no longer appears in the Apps portal but I can confirm that I am still able to retrieve tokens using the appropriate OAuth2 endpoints as described here https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
I have also tested out the case that you brought up, where the user has granted consent, and then an admin un-assigns the user and sets "User assignment required" to "yes". The user can no longer access the application but the consent still exists in the "Permissions" tab, with no way for the user to revoke it.
In both cases, it doesn't seem like there is any way for the user to revoke consent for the application or to even know what permissions the application has (because they probably forgot what permissions they consented to in the first place).
Perhaps this is an edge case but unless I'm missing something this still seems like a privacy/security issue.
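An admin-side way to spot the situation both posts describe, a user's delegated consent that outlives their removal from the app's "Users and groups", as an added example that is not from the thread or from Microsoft: it compares the app's oauth2PermissionGrant records against its current appRoleAssignment records, using constructed sample data in the shape those Microsoft Graph resources have (the ids are hypothetical).

```python
"""Find delegated consents (oauth2PermissionGrants) whose user is no longer
assigned to the enterprise app. In an oauth2PermissionGrant, clientId is the
service principal of the app the user consented to; in an appRoleAssignment,
resourceId is that same service principal. Sample records are constructed."""
from typing import Dict, List

# Constructed sample: what GET /oauth2PermissionGrants might return for one
# enterprise app. Hypothetical object ids.
GRANTS: List[Dict] = [
    {"id": "grant-1", "clientId": "sp-myApp", "consentType": "Principal",
     "principalId": "user-unprivileged", "scope": "User.Read Mail.Read"},
    {"id": "grant-2", "clientId": "sp-myApp", "consentType": "Principal",
     "principalId": "user-assigned", "scope": "User.Read"},
    # Tenant-wide admin consent has no principalId; it is not a user's grant.
    {"id": "grant-3", "clientId": "sp-myApp", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read"},
]
# Constructed sample: the app's appRoleAssignedTo entries after the admin
# removed "user-unprivileged" from Users and groups.
ASSIGNMENTS: List[Dict] = [
    {"principalId": "user-assigned", "resourceId": "sp-myApp"},
]


def orphaned_consents(grants: List[Dict], assignments: List[Dict]) -> List[Dict]:
    """Return per-user grants whose principal has no assignment to the app.
    With "User assignment required" set to No, such a user can still obtain
    tokens under the consented scopes, which is the thread's concern."""
    assigned = {(a["resourceId"], a["principalId"]) for a in assignments}
    orphans = []
    for g in grants:
        if g["consentType"] != "Principal":
            continue  # admin (AllPrincipals) consent is reviewed separately
        if (g["clientId"], g["principalId"]) not in assigned:
            orphans.append(g)
    return orphans


def report(orphans: List[Dict]) -> List[str]:
    """One human-readable line per lingering grant, for an admin review."""
    return [
        f"{g['principalId']} still consented to {g['clientId']}: "
        f"{g['scope']} (grant {g['id']})"
        for g in orphans
    ]


if __name__ == "__main__":
    for line in report(orphaned_consents(GRANTS, ASSIGNMENTS)):
        print(line)
```

Each reported grant id can be removed by an admin with DELETE /oauth2PermissionGrants/{id} on Microsoft Graph, which revokes the consent the user cannot reach from the My apps portal.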
May 06 2020 05:42 AM