question

1 Vote
VinnyLy-6399 asked, saldana-msft edited

Scoped application permissions at adminconsent endpoint

We can customize which application-level permissions we request via the Azure portal, and also via the "scope" param on the adminconsent endpoint for user permissions, e.g.

https://login.microsoftonline.com/<tenant_id>/v2.0/adminconsent?
client_id=<application/client_id>&redirect_uri=https://<redirect_url>&scope=https://graph.microsoft.com/Calendars.ReadWrite

Is there a way to customize/scope the "application" level permissions? Possibly a param I can pass to the adminconsent endpoint?

From my testing I was only able to customize the permissions presented via the adminconsent endpoint for "delegated" permissions.

For instance, I would like the application to be able to access the User Directory, Calendar, and Team resources if the admin desires, and add all three resources (Directory.Read.All, Calendars.ReadWrite, TeamsApp.ReadWrite.All) as application level permissions for the app in the Azure portal. However, I would like to only present individual scopes to ask for and grant permissions as needed, and I thought I could redirect the admins to the adminconsent endpoint with the scope param as needed for each resource they wish to enable:

https://login.microsoftonline.com/<tenant_id>/v2.0/adminconsent?
client_id=<application/client_id>&redirect_uri=https://<redirect_url>&scope=https://graph.microsoft.com/Directory.Read.All

https://login.microsoftonline.com/<tenant_id>/v2.0/adminconsent?
client_id=<application/client_id>&redirect_uri=https://<redirect_url>&scope=https://graph.microsoft.com/Calendars.ReadWrite

https://login.microsoftonline.com/<tenant_id>/v2.0/adminconsent?
client_id=<application/client_id>&redirect_uri=https://<redirect_url>&scope=https://graph.microsoft.com/TeamsApp.ReadWrite.All

These do present only the scoped resources at the endpoint for the admin to accept. However, when they do, the endpoints above with the scope param only grant "delegated" level permissions and not "application" level permissions.

I can alternatively split up the application into three different sets of permissions, one for each specific resource type, but we would much prefer, if we can, to keep the configuration to only one application and request the application level permissions for the resources as needed.

Thanks for any help or clarification,

Vinny

Tags: azure-active-directory, microsoft-graph-identity, microsoft-graph-applications

Adding right tags/teams to assist

1 Vote

1 Answer

3 Votes
CarlZhao-MSFT answered, VinnyLy-6399 commented

No, application permissions are advanced permissions. They are not like delegated permissions, which can dynamically consent to certain permissions. You must use /.default to consent to all application permissions.

https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?client_id={client_id}&scope=https://graph.microsoft.com/.default&redirect_uri={redirect_uri}&state=12345

See the official doc:

At this point, Azure AD requires a tenant administrator to sign in to complete the request. The administrator is asked to approve all the permissions that you have requested in the scope parameter. If you've used a static (`/.default`) value, it will function like the v1.0 admin consent endpoint and request consent for all scopes found in the required permissions (both user and app). In order to request app permissions, you must use the /.default value. If you don't want admins to see a given permission in the admin consent screen all the time when you use /.default, the best practice is to not put the permission in the required permissions section. Instead you can use dynamic consent to add the permissions you want to be in the consent screen at run time, rather than using /.default.


If an answer is helpful, please "Accept answer" or "Up-Vote" which might help other community members reading this thread.

Thank you for confirming that it can't be done. I am going to go for my alternative solution of splitting up the application.

For others who similarly need this solution, consider splitting out your scoped application permissions and programming your service/application to allow for different client/application ids and credentials. I have refactored our code to do so and it's working well.

0 Votes
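The /.default admin consent flow from the answer, driven per split-out app registration as the comment describes, as an added example that is not code from this thread. The app client ids, the redirect URI and the resource-to-app mapping are placeholders; the callback parameters (tenant, state, scope, admin_consent) are those the v2.0 adminconsent endpoint documents.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed example: one app registration per resource, each carrying only
# the application permissions for that resource. Client ids are placeholders.
APPS = {
    "directory": "<directory-app-client-id>",  # Directory.Read.All
    "calendar": "<calendar-app-client-id>",    # Calendars.ReadWrite
    "teams": "<teams-app-client-id>",          # TeamsApp.ReadWrite.All
}
REDIRECT_URI = "https://example.invalid/consent/callback"  # placeholder
GRAPH_DEFAULT = "https://graph.microsoft.com/.default"


def new_state():
    """Unguessable state value, stored server-side against the admin's session."""
    return secrets.token_urlsafe(24)


def consent_url(resource, tenant_id, state):
    """Build the v2.0 adminconsent URL for the app that owns one resource.
    Application permissions can only be consented through /.default, so the
    admin sees every app permission registered on that one app and nothing else."""
    params = {
        "client_id": APPS[resource],
        "redirect_uri": REDIRECT_URI,
        "scope": GRAPH_DEFAULT,
        "state": state,
    }
    return (f"https://login.microsoftonline.com/{tenant_id}/v2.0/adminconsent?"
            + urlencode(params))


def parse_callback(url, expected_state, expected_tenant):
    """Validate the redirect back from the adminconsent endpoint.
    The query string is attacker-controllable (anyone can hit the callback),
    so bind it to the issued state and confirm the tenant before recording consent;
    a client-credentials token request for that tenant is the final proof."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if q.get("state") != expected_state:
        return {"ok": False, "reason": "state mismatch"}
    if "error" in q:
        return {"ok": False, "reason": q.get("error_description", q["error"])}
    if q.get("admin_consent") != "True":
        return {"ok": False, "reason": "consent not granted"}
    if q.get("tenant") != expected_tenant:
        return {"ok": False, "reason": "unexpected tenant"}
    return {"ok": True, "tenant": q["tenant"], "scope": q.get("scope", "")}
```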