[English] Tips to Manage Azure AD User's Consent to Applications Using Azure AD Graph API

  • Article

Imagine a scenario where you've disabled the user's permissions to consent access to applications:
a) The option "Users can consent to apps accessing company data on their behalf" was set to "No" using the Azure AD Portal
OR
b) The option "UsersPermissionToUserConsentToAppEnabled" was set to "False" using PowerShell Module for Azure AD

 

Under one of the above conditions, if a particular user wants to give consent to a set of permissions, for a specific Application, he needs to request to the Azure AD Administrator to provide the consent on his behalf. However, to achieve that, the Administrator can only provide what is called "admin consent", in other words, consent to all users of the Azure AD. Of course, this can create a problem if the Administrator just wants to give consent for a specific set of users, and not all.

 

To overcome this limitation, one of the possible solutions could be by giving the "admin consent" (consent to all users of the Azure AD), but then set to "Yes" the "User assignment required" under Enterprise Application Properties, and finally assign/add only the wanted users to the Application. With this method, the Administrator is still providing "admin consent" to the App, however, it's possible to control what are the users that can access it.

 

A second solution, is by using Azure AD Graph API to provide consent to each specific user. The Azure AD Administrator needs to:
1. Access the App, but instead of providing/requesting "admin consent", he only needs to provide "user consent" for his own user. Unlike a non-admin user, where this functionality is blocked as explained above, this consent will be allowed and it will create the Service Principal/Enterprise Application for the App, with the "user" consent for the Administrator account.

2. Access to the Azure AD Graph API, if you do not have your own tool, you can use:
https://graphexplorer.azurewebsites.net/

3. List existent consents:
GET https://graph.windows.net/myorganization/oauth2PermissionGrants/

4. Search under "clientId" to identify the objectID of Service Principal created in 1)

5. Copy the details of the identified consent above, and change it according to the needs. E.g.:
{
"clientId": "6518c856-4cb3-4c22-bb5c-935739ed5477",
"consentType": "Principal",
"expiryTime": "2018-04-12T21:51:49.5446711",
"principalId": "e83078bf-ab20-4ca3-bf78-ec0662b0856f",
"resourceId": "e4b81415-37ca-4acb-a178-0b33dc42ffdc",
"scope": " User.Read openid",
"startTime": "0001-01-01T00:00:00"
}
Notes:
"clientId": ObjectID of the Service Principal
"consentType": Principal means "user consent"
"principalId": The objectID of the user the consent applies to
"scope": Permissions given on the consent on behalf of the user

6. Create consent for the user:
POST https://graph.windows.net/myorganization/oauth2PermissionGrants/
Data for POST:
{
"clientId": "6518c856-4cb3-4c22-bb5c-935739ed5477",
"consentType": "Principal",
"expiryTime": "2018-04-12T21:51:49.5446711",
"principalId": "e83078bf-ab20-4ca3-bf78-ec0662b0856f",
"resourceId": "e4b81415-37ca-4acb-a178-0b33dc42ffdc",
"scope": " User.Read openid",
"startTime": "0001-01-01T00:00:00"
}

7. After the above, the consent is given for the user/principal, and if you list again the existent consents, you'll identify a new one:
{
"clientId": "6518c856-4cb3-4c22-bb5c-935739ed5477",
"consentType": "Principal",
"expiryTime": "2018-04-12T21:51:49.5446711",
"objectId": "LLc7jy3wpEacSf2S_weYbR",
"principalId": "e83078bf-ab20-4ca3-bf78-ec0662b0856f",
"resourceId": "e4b81415-37ca-4acb-a178-0b33dc42ffdc",
"scope": " User.Read openid",
"startTime": "0001-01-01T00:00:00"
}

8. If you need to remove/revoke consent, use the "objectId" (auto-generated during creation), and execute the following:
DELETE https://graph.windows.net/myorganization/oauth2PermissionGrants/LLc7jy3wpEacSf2S_weYbR

 

More Details:
Understanding user and admin consent - /en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview#understanding-user-and-admin-consent

oAuth2PermissionGrant resource type - https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/oauth2permissiongrant