question

BenHatton-8426 asked BenHatton-8426 edited

AzureAD Custom Consent Policy (Permission Grant Policy / Authorization Policy) broken?

Does anyone here have a working custom consent policy applied to the default user role? Is it broken?

I tested this about 6 months ago and it was working perfectly and showed that users could be given the ability to self-consent to a specific set of delegated permissions, including 'admin' permissions like Files.ReadWrite. Now, when making a custom policy with an includes permission grant condition set, users are blocked from self-consenting to any permissions, whether in the policy or not, and whether they are marked as admin or not (e.g. for the sample below, the user cannot consent to User.Read or openid). See below for sample code (I have redacted it, so hopefully I didn't break it in the process). APAC Azure support is useless and I can't get this escalated past level 1.

<powershell>
# Service principals: Microsoft Graph (the resource) and the client app being whitelisted
$spGraph = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
New-AzureADServicePrincipal -AppId '{xxx}'  # might get an error here if already in the tenant
$spApp = Get-AzureADServicePrincipal -Filter "AppId eq '{xxx}'"

# Create the custom permission grant policy and assign it to the default user role
New-AzureADMSPermissionGrantPolicy -Description 'All whitelisted applications approved for delegated consent by end users' -DisplayName 'Default User Consent Whitelist' -Id 'whitelist-default'
Set-AzureADMSAuthorizationPolicy -Id 'authorizationPolicy' -PermissionGrantPolicyIdsAssignedToDefaultUserRole @('managePermissionGrantsForSelf.whitelist-default')

# Resolve the delegated permission (scope) ids on the Graph service principal
$resource = $spGraph
$permissions = $resource.Oauth2Permissions
$perms = @()
$perms += ($permissions | Where-Object { $_.Value -eq 'Files.ReadWrite' }).Id
$perms += ($permissions | Where-Object { $_.Value -eq 'User.Read' }).Id
$perms += ($permissions | Where-Object { $_.Value -eq 'openid' }).Id

# Client application(s) allowed by the condition set
$apps = @()
$apps += $spApp.AppId

# Add the 'includes' condition set: these delegated scopes on Graph, for these client apps
New-AzureADMSPermissionGrantConditionSet -PolicyId 'whitelist-default' -ConditionSetType 'includes' -PermissionType 'delegated' -ClientApplicationIds $apps -ResourceApplication $resource.AppId -Permissions $perms
</powershell>

Testing the effect by using a URL like this: https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/authorize?client_id={xxx}&response_type=code&scope=https%3A%2F%2Fgraph.microsoft.com%2FUser.Read
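An added read-back check, not the poster's code, that audits the objects the script above creates: it confirms the policy is assigned to the default user role with the required prefix, that an 'includes' condition set exists and references the Graph resource, the client app and the expected scope ids, and flags any 'excludes' set (which takes precedence over 'includes'). It assumes the policy id 'whitelist-default' from the post and uses a placeholder for the client AppId.

```powershell
# Added audit script (not the poster's code). Assumptions: policy id from the post,
# client AppId is a placeholder, AzureADPreview module already connected.
$policyId       = 'whitelist-default'
$clientAppId    = '{xxx}'   # placeholder: the client application's AppId
$graphAppId     = '00000003-0000-0000-c000-000000000000'
$expectedScopes = @('Files.ReadWrite', 'User.Read', 'openid')
$findings = @()

# 1. Is the policy assigned to the default user role with the managePermissionGrantsForSelf prefix?
$authz    = Get-AzureADMSAuthorizationPolicy
$assigned = @($authz.PermissionGrantPolicyIdsAssignedToDefaultUserRole)
if ($assigned -notcontains "managePermissionGrantsForSelf.$policyId") {
    $findings += "Default user role does not reference managePermissionGrantsForSelf.$policyId (currently: $($assigned -join ', '))"
}

# 2. Does the policy exist and carry an 'includes' condition set?
$policy = Get-AzureADMSPermissionGrantPolicy -Id $policyId -ErrorAction SilentlyContinue
if (-not $policy) { $findings += "Permission grant policy '$policyId' not found" }
$includes = @(Get-AzureADMSPermissionGrantConditionSet -PolicyId $policyId -ConditionSetType 'includes' -ErrorAction SilentlyContinue)
if ($includes.Count -eq 0) { $findings += "Policy '$policyId' has no 'includes' condition set" }

# 3. Resolve the expected delegated scope ids from the Graph service principal and compare
$spGraph     = Get-AzureADServicePrincipal -Filter "AppId eq '$graphAppId'"
$expectedIds = @($spGraph.Oauth2Permissions | Where-Object { $expectedScopes -contains $_.Value } | ForEach-Object { $_.Id })

foreach ($cs in $includes) {
    if ($cs.PermissionType -ne 'delegated')        { $findings += "Condition set $($cs.Id): PermissionType is '$($cs.PermissionType)', expected 'delegated'" }
    if ($cs.ResourceApplication -ne $graphAppId)   { $findings += "Condition set $($cs.Id): ResourceApplication is '$($cs.ResourceApplication)', expected the Graph AppId" }
    if ($cs.ClientApplicationIds -notcontains $clientAppId) { $findings += "Condition set $($cs.Id): client $clientAppId is not in ClientApplicationIds" }
    $missing = @($expectedIds | Where-Object { $cs.Permissions -notcontains $_ })
    if ($missing.Count -gt 0) { $findings += "Condition set $($cs.Id): missing permission ids $($missing -join ', ')" }
}

# 4. An 'excludes' condition set wins over 'includes'; surface any for review
$excludes = @(Get-AzureADMSPermissionGrantConditionSet -PolicyId $policyId -ConditionSetType 'excludes' -ErrorAction SilentlyContinue)
if ($excludes.Count -gt 0) { $findings += "Policy '$policyId' has $($excludes.Count) 'excludes' condition set(s); verify they do not cover the whitelisted scopes" }

if ($findings.Count -eq 0) { 'Consent policy configuration looks consistent.' } else { $findings }
```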

Tags: azure-active-directory, azure-ad-app-consent


0 Answers