Azure AD prompt user/admin to re-consent after changing application permissions - azure-active-directory

I am building a SaaS app that will be authenticating users using Azure AD.
Let's say I am asking for just 1 delegated permission from user during consent prompt and user accepts it.
Later on my app evolves and need to get more delegated permissions. In that case how do I re-prompt the user with the consent page? I would like do this only once when the permissions are changing.
Do I need to track in my app what permissions each user has consented to and then determine to add the prompt=admin_consent query parameter while redirecting to the auth page?

The prompt=admin_consent is used when an administrator needs to provide consent for their organization. If you just require the users’s consent, you use prompt=consent.
Another way is that you can redirect to the login page to add the prompt parameter to re-consent when the app get the exception because the lack of permission to call the new API.
You could also consider use the V2.0 endpoint which support the incremental and dynamic consent.
Here is the document about Azure AD V2.0 endpoint for your reference.

Related

Microsoft Graph API provide user consent without UI flow

I have a Azure Active Directory application and I have provided some of the user delegated permissions for accessing Graph APIs. For example 'user.read' and 'user.read.all' etc.
To provide User Consent for the Graph APIs which have Delegated permission. I need to login using my credentials to the test application (I developed) and then there will be a Popup displayed on the Web UI with title "Permissions requested" to grand the consent. I need to select Accept button to grand the consent.
My questions:
Is there a way we can preauthorize the user consent without following Web UI flow?
Just like the admin consent in Active Directory, is there a way to grant user consent?
Yes, it is possible through MS Graph API.
When you grant user consent, an OAuth2PermissionGrant object is created.
Admin consent also creates one but in that one the principal is set to be "all users".
You can also create these programmatically.
You can see the docs for the API endpoint here.
It is created under the service principal of your app and you specify consentType as "Principal" and principalId as the user's objectId.
I think you may try to hit this url and signed in with the admin account, then you may consent on behalf of your organization. This url is used to get auth code for using auth code flow(generate access token)
https://login.microsoftonline.com/hanxia.onmicrosoft.com/oauth2/v2.0/authorize?
client_id=your_azure_ad_app_clientid
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost:8080%2F
&response_mode=query
&scope=user.read
&state=12345

Azure OAuth2 flow when approval is requested

Our app implements Azure OAuth2 (v2) user-consent flow and uses Graph API scopes that do not require admin consent oauth2 user. Recently we've noticed that some users of our app run into this Auth screen: "The app requires admin's approval".
Is that because the tenant Org disabled user-consent for apps?
Where does it leave us with the user-consent based OAuth2 flow? Is it still possible to get a user access token after an admin's approval or the only way is to use the OAuth2 daemon flow oauth2 daemon? In a callback after such a dialog how can we know that the admin approval has been given?
One related question. In cases where user-consent is not disabled but it's an admin user that authorizes there is an option 'Consent on behalf of your Organization". How can we know in the callback from this dialog that the admin checked that box? And does it mean we need to use the OAuth2 daemon flow then too?
Thank you
It was our lack of understanding. After more testing we realized that we used prompt=consent and that is why the consent window always showed. Thank you.
Is that because the tenant Org disabled user-consent for apps?
Yes, this settings is under Enterprise applications->User settings.
Is it still possible to get a user access token after an admin's
approval
Yes, you can still get a user access token after an admin's approval.
In a callback after such a dialog how can we know that the admin
approval has been given?
Once your admin reviews the request you will be notified via email.
In cases where user-consent is not disabled but it's an admin user
that authorizes there is an option 'Consent on behalf of your
Organization". How can we know in the callback from this dialog that
the admin checked that box?
Once the admin checked the box, the users under that tenant will not see the consent dialog. Also, you can check the status of the application in Azure portal->App registrations->your app->API permissions.
There are two possible reasons users consent or adminconsent
For user consent two possible cases
1)In a tenant where user consent is disabled, for example, users can't consent to any permission. Azure AD-- > Enterprise apps ---> User settings ---> Users can consent to apps.
2) User assignment :Azure AD--- > Enterprise apps-- > (select app) --> Properties --> User assignment required
For Admin Consent two possible cases
1) App-only permissions always require a tenant administrator’s consent. If your application requests an app-only permission and a user tries to sign in to the application, an error message is displayed saying the user isn’t able to consent.
2) Certain delegated permissions also require a tenant administrator’s consent. For example, the ability to write back to Azure AD as the signed in user requires a tenant administrator’s consent.
Solution :
The prompt=admin_consent parameter(which request permissions from admin) can be used as a parameter in the OAuth2/OpenID Connect authorization request to grant the admin consent .
Enable the admin consent workflow , which gives end users a way to request access to applications that require admin consent.
Refer the permissions documentation for the Microsoft Graph API indicate which permissions require admin consent.

Adding new static scopes to existing Azure AD app registration

My AD tenant has user consent disabled, i.e., all permissions added to AD app registration need an admin consent.
For an application using static permissions/scopes (v1.0 OAuth/OpenId endpoint), is it possible to add new permissions such that until the admin consent is granted, users can continue using features which require only the existing consented scopes?
Microsoft docs say: "The app needs to know all of the resources it would ever access ahead of time. It was difficult to create apps that could access an arbitrary number of resources." Does it mean that for my scenario, all users need to wait for admin consent before they can access the app?
I receive the below error when a user tries logging in to the app using the Open ID Connect flow. For reference, my login URL is similar to https://login.microsoftonline.com/{tenant}/oauth2/authorize?response_type=id_token&client_id=b8ad6a99-cd23-40a6-a1b4-1184af990aa2&redirect_uri=https%3A%2F%2Flocalhost%2F&state=13ccfb84-cfd1-4cb0-bfe3-bb2c227e19f7&client-request-id=4d76947a-0000-48af-aeff-7bc2d5e40000&x-client-SKU=Js&x-client-Ver=1.0.17&nonce=ef1caa16-d3fe-4523-a9c9-000000000000
is it possible to add new permissions such that until the admin consent is granted, users can continue using features which require only the existing consented scopes?
Yes, you can.
When the admin consent the API permission of an AD App(App registration), the permissions essentially will be given to the service principal(Enterprise application) in your AAD tenant. Actually if you use the AD App in your tenant, the permissions are essentially from the service principal.
You could refer to the screenshot below, there are four permissions, the two permission has been granted.
Navigate to the Overview, click the option Manage application in local directory.
Then in the Permissions, you will find the two permissions which have been consent.
When you add the new scopes, the app will keep working, but it will only be able to access the old scopes until the admin consents to the new scopes.
Thanks!
Alex Simons

Azure AD V1 endpoint registered native app: Graph API consent given but user can't get through

When registering a native application on the Azure AD 1.0 endpoint, and assigning Graph API permissions, it seems like consented permissions are 'cached' somewhere and can't be managed properly.
Example scenario:
Application registered and permission scopes (incl. ones requiring admin consent) assigned.
Administrator consents to the permission scopes
Simple user can use the app with consented permissions.
Permission scopes change (adding a new one for example)
Same admin doesn't get the consent form anymore
Simple user is stuck with "consent required, have an admin account?"
Another global admin must use the app for the first time to trigger the consent page.
Note that #7 doesn't always work; even if the other admin provides consent, simple users can't get through sometimes.
This is a multi-tenant application, yet when start using it in another tenant, I can not see its consented permissions in the AAD portal under enterprise applications.
Shouldn't permissions that have been consented to be listed in other tenants so that the admin can at least see what has been consented to?
Also, when I register an app on the V1.0 endpoint in my own tenant, I have an option to 'grant permissions' centrally, from the Azure AD portal for my tenant.
This option isn't available if I'm looking at an application that was registered in another tenant.
Am I overlooking something? Any help much appreciated.
When you change permissions, it does not automatically re-consent (for user or admin). You can find a detailed overview of this at Understanding user and admin consent.
You'll first need kick off the Admin Consent workflow. For a multi-tenant app this is done by adding prompt=admin_consent to your OAUTH URL and having an Admin authenticate.
Once that is done you can also force existing users to re-consent as well by adding prompt=consent to your Auth URL.

Azure AD admin consent required when it shouldn't

I have 2 tenants:
One for my organization, where I manage users (A)
One that I manage the applications and permissions (B)
My webapp is on tenant A and I configured authentication on the portal using Azure AD on tenant B.
On tenant B I registered the application with only one permission which does not require admin consent: Windows Azure Active Directory > Sign in and read user profile.
When the user logs in he gets the following error:
AADSTS90093: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.
I believe that this error should not be raised, since the only permission required by the application doesn't required admin.
EDIT
This is the URL that I am redirected to when I try to access the application when I'm not logged in
https://login.microsoftonline.com/d6ac45af-3289-4f79-a826-27824e1c467d/oauth2/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Ftechnipfmc-tools-app-test.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id=d340f0ed-5eb3-43e8-9a50-c449649f3ee1&scope=openid+profile+email&response_mode=form_post&nonce=1895ec0ffef64447bbb712bdae61c7fb_20170521070654&state=redir%3D%252F
EDIT 2
I found out a solution here:
As an administrator, you can also consent to an application's delegated permissions on behalf of all the users in your tenant. This will prevent the consent dialog from appearing for every user in the tenant. You can do this from the Azure portal from your application page. From the Settings blade for your application, click Required Permissions and click on the Grant Permissions button.
I don't know why had to do that since I'm only using permissions that don't require admin consent.
There are several potential problems with your setup:
Your authorization request is set to a specific tenant, the one with tenantId d6ac45af-3289-4f79-a826-27824e1c467d. Only users from that tenant will be able to log in. If this tenantId corresponds to the one for your organization, where you manage users (A), then disregard this point. Otherwise you should either replace this with the tenantId of that tenant or with common which will allow users from any tenant to sign in.
Your application is not multi-tenant. For testing purposes, I replaced the tenantId with common and wasn't able to use this with my test tenant due to the following error: AADSTS70001: Application with identifier 'd340f0ed-5eb3-43e8-9a50-c449649f3ee1' was not found in the directory <MY_TEST_TENANT>. This indicates that the application isn't configured as a multi-tenant application. This is something you must explicitly turn on.
Your organization's tenant (A) might have disabled the ability for regular users to consent to applications. If this capability is disabled, admin consent is always required for the application to be set up in the tenant. To test to see if this is the case, address points #1 (use /common/) and #2 above and try with any other tenant. If you are able to consent with that other tenant but not your organization's tenant, then you'll know that admin consent is required for your organization.
You should check out the How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern article as it explains all of the points above in more detail.
I think that error appears when you are passing "&prompt=admin_consent" in the Login URL.
Even though you are not requesting Admin permissions, if you pass that query string, it will try to show you a consent dialogue so that you can consent on behalf of the whole tenant, which is an operation that only an admin can do.

Resources