Scoped application permissions at adminconsent endpoint

Vinny Ly
2021-06-29T16:30:51.887+00:00

We can customize which application-level permissions are requested via the Azure portal, and also, via the "scope" param on the adminconsent endpoint, which user permissions are requested, e.g.

https://login.microsoftonline.com/<tenant_id>/v2.0/adminconsent?
client_id=<application/client_id>&redirect_uri=https://<redirect_url>&scope=https://graph.microsoft.com/Calendars.ReadWrite

Is there a way to custom/scope the "application" level permissions? Possibly a param I can pass to the adminconsent endpoint?

From my testing I was only able to customize the permissions presented via the adminconsent endpoint for "delegated" permissions.

For instance, I would like the application to be able to access the User Directory, Calendar, and Teams resources if the admin desires, and add all three resources (Directory.Read.All, Calendars.ReadWrite, TeamsApp.ReadWrite.All) as application-level permissions for the app in the Azure portal. However, I would like to present only the individual scope to ask for and grant permissions as needed, and I thought I could redirect the admins to adminconsent with the scope param as needed for each resource they wish to enable:

https://login.microsoftonline.com/<tenant_id>/v2.0/adminconsent?
client_id=<application/client_id>&redirect_uri=https://<redirect_url>&scope=https://graph.microsoft.com/Directory.Read.All

https://login.microsoftonline.com/<tenant_id>/v2.0/adminconsent?
client_id=<application/client_id>&redirect_uri=https://<redirect_url>&scope=https://graph.microsoft.com/Calendars.ReadWrite

https://login.microsoftonline.com/<tenant_id>/v2.0/adminconsent?
client_id=<application/client_id>&redirect_uri=https://<redirect_url>&scope=https://graph.microsoft.com/TeamsApp.ReadWrite.All

These do present only the scoped resources at the endpoint for the admin to accept. However, when they do, the above endpoints with the scope param grant only "delegated"-level permissions and not "application"-level permissions.

I can alternatively split the application into three different sets of permissions, one for each specific resource type, but we would much prefer, if we can, to keep the configuration to only one application and request the application-level permissions for the resources as needed.

Thanks for any help or clarification,

Vinny

Accepted answer
    CarlZhao-MSFT
    2021-07-05T08:57:51.817+00:00

    No, application permissions are advanced permissions. They are not like delegated permissions, which can be dynamically consented to for certain permissions. You must use /.default to consent to all application permissions.

       https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?client_id={client_id}&scope=https://graph.microsoft.com/.default&redirect_uri={redirect_uri}&state=12345

    see: official doc.

    At this point, Azure AD requires a tenant administrator to sign in to complete the request. The administrator is asked to approve all the permissions that you have requested in the scope parameter. If you've used a static (/.default) value, it will function like the v1.0 admin consent endpoint and request consent for all scopes found in the required permissions (both user and app). In order to request app permissions, you must use the /.default value. If you don't want admins to see a given permission in the admin consent screen all the time when you use /.default, the best practice is to not put the permission in the required permissions section. Instead you can use dynamic consent to add the permissions you want to be in the consent screen at run time, rather than using /.default.

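The exchange above in working code, as an added example that is not part of the question or the accepted answer: it builds the two kinds of v2.0 adminconsent URLs (a single Graph scope, which the question found yields only delegated permissions, versus /.default, which the answer says is required for application permissions), validates the redirect the admin is sent back on (including the `state` round-trip), and classifies an access token by its claims, since Entra issues app-only tokens with a `roles` claim and delegated tokens with an `scp` claim. The tenant, client ID, redirect URI, and the unsigned JWTs are constructed placeholders, not values from the thread.

```python
"""Admin consent for Microsoft Graph: build the v2.0 adminconsent URL, validate
the redirect back, and tell application (roles) from delegated (scp) tokens.
Added example; not code from the thread or from Microsoft."""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com"

# Constructed placeholders, not a real tenant, app registration or redirect.
TENANT = "contoso.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT = "https://app.example/consent"


def admin_consent_url(tenant, client_id, redirect_uri, scopes, state):
    """v2.0 adminconsent URL. Naming individual Graph scopes asks only for
    delegated permissions; 'https://graph.microsoft.com/.default' asks for
    every permission (delegated and application) listed on the registration."""
    query = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # unguessable per-session value; bind the round trip
    }
    return f"{AUTHORITY}/{tenant}/v2.0/adminconsent?" + urlencode(query)


def parse_consent_callback(callback_url, expected_state):
    """Interpret the redirect after the admin acts. Success carries
    admin_consent=True, tenant, scope and state; failure carries error and
    error_description. A state mismatch is rejected outright (CSRF guard)."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if q.get("state") != expected_state:
        raise ValueError("state mismatch: discard this callback")
    if "error" in q:
        return {"granted": False, "error": q["error"],
                "description": q.get("error_description", "")}
    return {"granted": q.get("admin_consent") == "True",
            "tenant": q.get("tenant"),
            "scopes": q.get("scope", "").split()}


def permission_type(jwt):
    """Classify an access token by its claims. Only the payload is decoded;
    the signature is NOT verified, so this is for diagnostics, never for
    authorization. App-only tokens carry 'roles'; delegated tokens carry 'scp'."""
    payload_b64 = jwt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    if "scp" in claims:
        return "delegated", claims["scp"].split()
    if "roles" in claims:
        return "application", list(claims["roles"])
    return "none", []


def _fake_jwt(claims):
    """Constructed, unsigned token for the demo (real tokens are signed by Entra)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    # What the question tried: one resource at a time, which yields delegated only.
    print(admin_consent_url(TENANT, CLIENT_ID, REDIRECT, [GRAPH + "/Directory.Read.All"], "s1"))
    # What the answer prescribes for application permissions.
    print(admin_consent_url(TENANT, CLIENT_ID, REDIRECT, [GRAPH + "/.default"], "s2"))
    # Constructed callback and tokens showing the difference in what was granted.
    print(parse_consent_callback(
        REDIRECT + "?admin_consent=True&tenant=" + TENANT
        + "&scope=" + GRAPH + "/Directory.Read.All&state=s1", "s1"))
    print(permission_type(_fake_jwt({"scp": "Directory.Read.All Calendars.ReadWrite"})))
    print(permission_type(_fake_jwt({"roles": ["Directory.Read.All"]})))
```

Run it as a script to see the two URLs side by side; the only difference is the `scope` value. The practical check after a /.default consent is to request a client-credentials token and confirm it carries the expected `roles` entries rather than `scp`: if `scp` is present, the admin granted delegated permissions, which is exactly the outcome the question describes.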
