No, application permissions are advanced permissions. It is not like delegated permissions that can dynamically consent to certain permissions. You must use `/.default` to consent to all application permissions.

`https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?client_id={client_id}&scope=https://graph.microsoft.com/.default&redirect_uri={redirect_uri}&state=12345`

See: official doc.
At this point, Azure AD requires a tenant administrator to sign in to complete the request. The administrator is asked to approve all the permissions that you have requested in the `scope` parameter. If you've used a static (`/.default`) value, it will function like the v1.0 admin consent endpoint and request consent for all scopes found in the required permissions (both user and app). In order to request app permissions, you must use the `/.default` value. If you don't want admins to see a given permission in the admin consent screen all the time when you use `/.default`, the best practice is to not put the permission in the required permissions section. Instead you can use dynamic consent to add the permissions you want to be in the consent screen at run time, rather than using `/.default`.
----------
If an answer is helpful, please "Accept answer" or "Up-Vote" which might help other community members reading this thread.
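
An added example, not part of the answer above and not Microsoft's code: building the `/.default` admin consent URL from the answer with a random per-request `state` instead of a fixed one, and checking the redirect that comes back before treating consent as granted. The function names and the tenant GUID are constructed for illustration; the callback parameters `admin_consent`, `tenant`, `error` and `error_description` are assumed to be those the v2.0 admin consent endpoint returns, and `expected_tenant` is assumed to be the tenant ID (GUID).

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORITY = "https://login.microsoftonline.com"
GRAPH_DEFAULT = "https://graph.microsoft.com/.default"  # static scope required for app permissions


def build_admin_consent_url(tenant, client_id, redirect_uri):
    """Return (url, state); keep state in the server-side session until the callback."""
    state = secrets.token_urlsafe(32)  # unpredictable, one per consent request
    query = urlencode({
        "client_id": client_id,
        "scope": GRAPH_DEFAULT,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{AUTHORITY}/{tenant}/v2.0/adminconsent?{query}", state


def check_consent_callback(callback_url, expected_state, expected_tenant):
    """Return (ok, reason) for the redirect received at redirect_uri."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    # Reject callbacks that do not carry the state issued for this session.
    if not hmac.compare_digest(params.get("state", "").encode(), expected_state.encode()):
        return False, "state mismatch"
    if "error" in params:
        return False, f"{params['error']}: {params.get('error_description', '')}"
    if params.get("admin_consent", "").lower() != "true":
        return False, "admin_consent not granted"
    # Consent for a different tenant must not be recorded against this one.
    if params.get("tenant", "").lower() != expected_tenant.lower():
        return False, "unexpected tenant"
    return True, "consent granted"


if __name__ == "__main__":
    tenant_id = "11111111-2222-3333-4444-555555555555"  # constructed sample value
    url, state = build_admin_consent_url(tenant_id, "my-client-id", "https://app.example/consent")
    print(url)
    # Constructed callback, shaped like a successful admin consent response.
    ok_cb = f"https://app.example/consent?admin_consent=True&tenant={tenant_id}&state={state}"
    print(check_consent_callback(ok_cb, state, tenant_id))
```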