Feb 03 2022 09:12 PM - edited Feb 03 2022 09:34 PM
Why does Azure AD not prompt the application owner's consent when one of its exposed roles is assigned to a client application (API permissions)?
Inside an organization, there could be many application teams sharing the same tenant. Each application team may register on Azure AD as services and expose their permissions as roles. When a client app is set up and the role assignments are made to the client app, I see generally admin consent is prompted (if configured). However, why does Azure not request the service provider app's owner to accept if the role assignment is valid?
I do understand this could be a headache in a dynamic environment. But in large organizations, the Admin team may not be fully aware and may consent to the role assignment always.
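Since the resource app's owner is not asked to approve the assignment, the practical control today is for the owner to audit who holds their exposed roles. The following Microsoft Graph PowerShell script is an added example, not code from the thread or from Microsoft: it resolves the resource app's service principal, reads its `appRoleAssignedTo` collection (assignments of this app's roles to other principals) and joins the role GUIDs back to the role names defined in the app manifest. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account holds `Application.Read.All`; `$ResourceAppId` is a placeholder for the resource app's Application (client) ID.

```powershell
# Added audit example (not from the thread): list every principal that has been
# granted one of a resource app's exposed app roles, so the app owner can see
# assignments that were admin-consented without their involvement.
# Assumes the Microsoft.Graph PowerShell SDK and Application.Read.All.
# $ResourceAppId is a placeholder for the app's Application (client) ID.
param(
    [Parameter(Mandatory = $true)]
    [string]$ResourceAppId
)

Connect-MgGraph -Scopes "Application.Read.All"

# Resolve the service principal that exposes the roles.
$sp = Get-MgServicePrincipal -Filter "appId eq '$ResourceAppId'"
if (-not $sp) { throw "No service principal found for appId $ResourceAppId" }

# Map role GUID -> role definition so the report shows role values, not IDs.
$roleById = @{}
foreach ($role in $sp.AppRoles) { $roleById[$role.Id] = $role }

# appRoleAssignedTo lists assignments OF this app's roles TO other principals
# (users, groups, or client service principals).
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All

# An all-zero AppRoleId means the principal was assigned with no specific role
# (the default access role), which is worth flagging separately.
$defaultRoleId = "00000000-0000-0000-0000-000000000000"

$report = foreach ($a in $assignments) {
    $role = $roleById[$a.AppRoleId]
    $roleName = if ($a.AppRoleId -eq $defaultRoleId) { "<default access>" }
                elseif ($role) { $role.Value }
                else { "<unknown role id $($a.AppRoleId)>" }
    [pscustomobject]@{
        Role          = $roleName
        RoleEnabled   = if ($role) { $role.IsEnabled } else { $null }
        PrincipalType = $a.PrincipalType
        Principal     = $a.PrincipalDisplayName
        PrincipalId   = $a.PrincipalId
        Granted       = $a.CreatedDateTime
    }
}

$report | Sort-Object Role, Granted | Format-Table -AutoSize
```

Run it periodically (or from a pipeline) and diff the output against a known-good baseline; a new row with `PrincipalType` of `ServicePrincipal` is exactly the case the question describes, a client app that obtained one of your roles through admin consent alone.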
Feb 03 2022 11:31 PM
Feb 04 2022 01:31 AM
@VasilMichev I agree this may not be possible in a multi-tenant setup. But my scenario is specific to a single tenant. Inspecting the incoming request's token is very late, as the app already managed to get the assignments done on its own without the knowledge of the app owner.
Wondering if it would be a good-to-have feature though.