How to view/revoke consent for an app that no longer appears in myAppsPortal

Copper Contributor

As a tenant admin, I created an app in the "App registrations" section.

 

Then as an different unprivileged user, I consented and signed in to the app.

 

As the unprivileged user I view the permissions I've consented to and revoke them by going to 

https://myapplications.microsoft.com/

 

As the admin user, I can see which permissions the user has consented in Enterprise Apps > myApp > permissions

 

Then as the admin user, I removed the unprivileged user from the "Users and groups" section of the enterprise app.

 

As expected, the app is no longer visible for the unprivileged user when visiting the My apps portal. However, as the admin user, I can see the user's consent in the "permissions" section.

 

As the unprivileged user, how can I manage/view the apps for which I've consented if they don't appear in the My apps portal?

5 Replies
There is no way for an end-user to manage applications he doesn't have access so.
The admin needs to delete the app/permissions

@Thijs Lecomte The user still has access to the application because the "User assignment required?" property is still set to "No".

 

The app no longer appears in the Apps portal but I can confirm that I am still able to retrieve tokens using the appropriate Oauth2 endpoints as described here https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

 

I have also tested out the case that you brought up, where the user has granted consent, and then an admin un-assigns the user and sets "User assignment required" to "yes". The user can no longer access the application but the consent still exists in the "Permissions" tab, with no way for the user to revoke it.

In both cases, it doesn't seem like there is any way for the user to revoke consent for the application or to even know what permissions the application has (because they probably forgot what permissions they consented to in the first place).

 

Perhaps this is an edge case but unless I'm missing something this still seems like a privacy/security.issue.

It's true there is no real way for a user to check applications
The admin has to check these permissions for a user

I agree with you that a user should be able to check what permissions an application has
Agree: there's an issue here. I had given consent as non-privileged user to an application, it appeared under my https://myapplications.microsoft.com. I've revoked permissions, and deleted it in there. So far so good.
The still as non-privileged user, I gave consent to the application again - but it does not show up in myapplications.microsoft.com any more. I can see the applications in Azure portal linked to my non-privileged user, but I cannot change consent or remove the applications there.

After giving the permissions the second time, i.e. after deleting them in myapplications.microsoft.com, they should show up here again!
Anything new here? The same situation occurred win my organisation. Will it be solved by MS?