question

0 Votes
ox1ygen asked DorairajRavikumar-8394 answered

Is there any valid way to revoke admin consent / remove service principal for a Multi tenant app in a client tenant

Hello,

It is a SaaS story.

First, I would like to collect some information in client tenants. One way to perform this task is to create a multi tenant application and work with client tenants with it. So, I have a multi tenant application in my tenant (an Application object and a Service Principal object). Then I have asked for an admin consent for each client tenant. Currently, I have a Service Principal object with all the required permissions consented in client tenants. I can successfully obtain any information I need in these tenants.

Later, I want my application to stop working for some of these tenants. I would like to break "the connection" with my application in a one-sided way. Are there any options available? Or is there any other, much more proper approach to do all of that?


Thanks in advance!

azure-active-directory

2 Votes
michev answered

Consent is granted/revoked by the tenant "consuming" the application, you as the owner of the app don't have a say in it. If you want to block your app for specific tenants, do it in code. For example, you can examine the access token and get the tenant information from there, then disable any processing for "blocked" tenants.
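
The in-code block described in this answer, as an added Python example (not part of the original answer and not Microsoft's code). It assumes the token's signature, audience and expiry were already validated by a JWT library upstream; the function names, the exception and the tenant IDs are hypothetical, constructed values.

```python
import base64
import json
import uuid

# Constructed value: tenants the app owner has decided to stop serving.
BLOCKED_TENANTS = {"11111111-1111-1111-1111-111111111111"}

# Issuer formats Azure AD uses for v2.0 and v1.0 tokens.
ISSUER_FORMATS = (
    "https://login.microsoftonline.com/{tid}/v2.0",
    "https://sts.windows.net/{tid}/",
)


class TenantBlocked(Exception):
    """Raised when the token comes from a tenant on the block list."""


def claims_from_verified_token(token):
    """Decode the payload of a JWT whose signature was ALREADY verified.

    This does not verify anything itself; never call it on an unverified token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def require_allowed_tenant(claims, blocked=BLOCKED_TENANTS):
    """Return the normalised tenant ID, or raise if the tenant must not be served."""
    try:
        tid = str(uuid.UUID(claims.get("tid")))  # canonical lower-case GUID
    except (TypeError, ValueError, AttributeError):
        raise ValueError("missing or malformed tid claim")
    # The issuer embeds the tenant ID; reject tokens where the two disagree.
    if claims.get("iss") not in [f.format(tid=tid) for f in ISSUER_FORMATS]:
        raise ValueError("iss does not match tid")
    if tid in blocked:
        raise TenantBlocked(tid)
    return tid
```

Call `require_allowed_tenant` before any per-tenant processing and log each `TenantBlocked` hit, so traffic from blocked tenants stays visible.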


0 Votes
sikumars-msft answered ox1ygen commented

Hello @ox1ygen,

Thanks for reaching out, and apologies for the delayed response.

I would like to share this thread where a similar question was asked and answered already.

Hope this helps.

Regards,
Siva


Hello @sikumars-msft,

Thanks for the answer!

Unfortunately, the thread you have mentioned does not answer my question. I understand how a multitenant application is connected to other tenants via its global application ID.
The only thing I don't get is "If there is a mechanism to give consent, why is there no proper mechanism to take it back?" I do believe it's pretty natural to have something like that.

Could you please tell me if Azure AD provides something like that to control your consent to other tenants?

0 Votes
DorairajRavikumar-8394 answered

Hello @ox1ygen ,

We have a similar scenario for our app. Did you find a way to remove/revoke the child tenant?

Thanks,
Ravi
