Consent flow for application permissions

Esha Omprakash Bharadwaj · ‎Jul 25 2018

I have a AAD secured api and I need to grant a client application access to this api (without any user context). I have added a approle with "allowedMemberTypes": ["Application" ] to the manifest of my api. The client has requested permission to my api but from what I am reading online only a tenant admin can grant this permission(being owner on the api is not sufficient).

What is the recommended way of implementing active directory authentication in such a scenario without needing tenant admin intervention? The api simply needs to grant access to a set of client service principals (no user context involved).

Rishabh Srivastava · ‎Jul 26 2018

Hello Esha,

Consent works on the basis of api, that an application is accessing.

If your api is accessing the basic information of any entity like user then the user context will work.

If your api is accessing a protected resource that needs global admin consent the application will not be able to access with the consent of the global admin for the directory.

Now in these cases we end up a situation wherein a global admin has to consent the application for the entire directory using "prompt=admin_consent" parameter.

check the below mentioned article

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tena...

This will be one-time consent approval that will be done by GA.

Regards,

Rishabh

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Consent flow for application permissions