SteveLewis-8910 asked

How to handle changing permissions on an App Registration in Azure Active Directory

I have a question about changing the permissions of an existing multi-tenant App Registration in Azure Active Directory. We have the App Registration defined in a tenant that we control. Customers use the OAuth authorization code grant flow to authenticate and grant access for the application. After they do so, a Service Principal is created in their tenant.

We want to change the defined permissions on our App Registration (removing a permission). When we make that change on the App Registration object, the Azure Portal UI displays this message: You are editing permission(s) to your application, users will have to consent even if they’ve already done so previously.

However, when the customer repeats the authorization flow again, they are not presented with any opportunity to grant the redefined permissions and the Service Principal is not updated with the new permission set. Tokens that have already been issued to the customer's Service Principal are still valid and can continue to be used to request new tokens.

My question has two parts:
How can the customer grant access for the new, modified permissions and have those permissions reflected on the existing Service Principal? We know that if the Service Principal is deleted from the customer's tenant then the authorization process will recreate it with the new permission set. But we want to avoid forcing the customer to delete the SP.

Next, after the permissions have been modified on the App Registration, are there any conditions in which existing tokens already issued to customers will no longer be valid? Will it continue to be possible for those customers to renew/refresh their tokens, even without updating the permissions on their Service Principal?

Thanks


Tags: azure-ad-app-registration, azure-ad-app-development, azure-ad-app-management
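As an added example that is not part of the question or of any answer on this page: a Python script that reproduces, on constructed sample data, the mismatch the question describes (delegated scopes still recorded on the customer tenant's Service Principal that the edited App Registration no longer requires), builds an authorization request with `prompt=consent` so the consent page is shown again, and builds the Microsoft Graph `PATCH /oauth2PermissionGrants/{id}` request that rewrites the existing grant without deleting the Service Principal. All GUIDs, the tenant name and the redirect URI are placeholders; nothing is sent over the network.

```python
from urllib.parse import urlencode

# Well-known appId of the Microsoft Graph resource application (identical in every tenant).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Constructed sample: the Microsoft Graph service principal as it exists in the customer
# tenant. The scope ids are placeholders, NOT the real Graph permission ids.
RESOURCE_SP = {
    "id": "aaaaaaaa-0000-0000-0000-000000000001",
    "appId": GRAPH_APP_ID,
    "oauth2PermissionScopes": [
        {"id": "11111111-1111-1111-1111-111111111111", "value": "User.Read"},
        {"id": "22222222-2222-2222-2222-222222222222", "value": "Mail.Read"},
        {"id": "33333333-3333-3333-3333-333333333333", "value": "Files.Read"},
    ],
}

# Constructed sample: our multi-tenant app registration (home tenant) after editing
# requiredResourceAccess: Mail.Read removed, Files.Read added.
APP_REGISTRATION = {
    "appId": "bbbbbbbb-0000-0000-0000-000000000002",
    "requiredResourceAccess": [
        {
            "resourceAppId": GRAPH_APP_ID,
            "resourceAccess": [
                {"id": "11111111-1111-1111-1111-111111111111", "type": "Scope"},
                {"id": "33333333-3333-3333-3333-333333333333", "type": "Scope"},
            ],
        }
    ],
}

# Constructed sample: the service principal created in the customer tenant at first consent
# and the tenant-wide delegated grant recorded at that time. It still lists Mail.Read:
# editing the app registration in the home tenant does not rewrite grants elsewhere.
CUSTOMER_SP = {"id": "cccccccc-0000-0000-0000-000000000003", "appId": APP_REGISTRATION["appId"]}
GRANTS = [
    {
        "id": "grant-0001",
        "clientId": CUSTOMER_SP["id"],
        "resourceId": RESOURCE_SP["id"],
        "consentType": "AllPrincipals",
        "scope": "User.Read Mail.Read",
    }
]


def required_delegated_scopes(app_registration, resource_sp):
    """Scope values (e.g. 'User.Read') the app registration currently requests on this resource."""
    value_by_id = {s["id"]: s["value"] for s in resource_sp["oauth2PermissionScopes"]}
    wanted = set()
    for rra in app_registration["requiredResourceAccess"]:
        if rra["resourceAppId"] != resource_sp["appId"]:
            continue
        for access in rra["resourceAccess"]:
            if access["type"] == "Scope":  # delegated permission; "Role" would be an application permission
                wanted.add(value_by_id[access["id"]])
    return wanted


def granted_delegated_scopes(grants, client_sp_id, resource_sp_id):
    """Scope values already consented for this client SP on this resource (oauth2PermissionGrants)."""
    granted = set()
    for g in grants:
        if g["clientId"] == client_sp_id and g["resourceId"] == resource_sp_id:
            granted.update(g["scope"].split())
    return granted


def consent_drift(app_registration, customer_sp, grants, resource_sp):
    """Compare what the manifest requires with what the customer tenant has actually granted."""
    required = required_delegated_scopes(app_registration, resource_sp)
    granted = granted_delegated_scopes(grants, customer_sp["id"], resource_sp["id"])
    return {"stale": granted - required, "missing": required - granted, "required": required}


def authorize_url_forcing_consent(tenant, client_id, redirect_uri, scopes, state):
    """Authorization-code request carrying prompt=consent, which shows the consent page even
    when a grant already exists. Short scope names are assumed to resolve to Microsoft Graph."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(scopes)),
        "prompt": "consent",
        "state": state,
    }
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?" + urlencode(params)


def trim_grant_request(grant, required):
    """Graph request that rewrites the existing grant to the required scopes only, so the
    customer's service principal loses the stale permission without being deleted."""
    kept = sorted(set(grant["scope"].split()) & required)
    return {
        "method": "PATCH",
        "url": f"https://graph.microsoft.com/v1.0/oauth2PermissionGrants/{grant['id']}",
        "body": {"scope": " ".join(kept)},
    }


if __name__ == "__main__":
    drift = consent_drift(APP_REGISTRATION, CUSTOMER_SP, GRANTS, RESOURCE_SP)
    print("stale (granted, no longer required):", sorted(drift["stale"]))
    print("missing (required, not yet granted):", sorted(drift["missing"]))
    print(authorize_url_forcing_consent("customer.onmicrosoft.com", APP_REGISTRATION["appId"],
                                        "https://localhost/callback", drift["required"], "xyz"))
    print(trim_grant_request(GRANTS[0], drift["required"]))
```

The PATCH request has to be sent with a token for the customer tenant that holds a role allowed to edit grants, and `prompt=consent` only lets a user consent to permissions that do not require admin consent; for a tenant-wide grant the customer admin would use the `/{tenant}/v2.0/adminconsent` endpoint instead. Neither step invalidates refresh tokens already issued; a stale scope simply stops appearing in the `scp` claim of new tokens once the grant no longer carries it.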

Hi, are there any updates with this case? If not, please select the appropriate response as "Answered." Otherwise please let us know how we can assist you.


No, he doesn't mention PTA even once. This is about App Registrations in Azure AD. I would like to know too.

MoamenHany answered

This might help
https://o365blog.com/post/pta-deepdive/

Please do not forget to "Accept the answer" and Upvote on the post that helps you, this can be beneficial to other community members.
http://www.moamenhany.com


No, he doesn't mention PTA even once. This is about App Registrations in Azure AD.

KadenKelsey-1880 answered

Great question. Wish there was an answer.
