I have a question about changing the permissions of an existing multi-tenant App Registration in Azure Active Directory. We have the App Registration defined in a tenant that we control. Customers use the OAuth authorization code grant flow to authenticate and grant access for the application. After they do so, a Service Principal is created in their tenant.
We want to change the defined permissions on our App Registration (removing a permission). When we make that change on the App Registration object, the Azure Portal UI displays this message: "You are editing permission(s) to your application, users will have to consent even if they've already done so previously."
However, when the customer repeats the authorization flow, they are not presented with any opportunity to grant the redefined permissions, and the Service Principal is not updated with the new permission set. Tokens that have already been issued to the customer's Service Principal are still valid and can continue to be used to request new tokens.
My question has two parts:
How can the customer grant access for the new, modified permissions and have those permissions reflected on the existing Service Principal? We know that if the Service Principal is deleted from the customer's tenant then the authorization process will recreate it with the new permission set. But we want to avoid forcing the customer to delete the SP.
Next, after the permissions have been modified on the App Registration, are there any conditions in which existing tokens already issued to customers will no longer be valid? Will it continue to be possible for those customers to renew/refresh their tokens, even without updating the permissions on their Service Principal?
Thanks
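The drift described in the question (permissions removed from the App Registration while the customer tenant's grant still lists them) can be checked directly rather than inferred from whether a consent prompt appears. The following is an added example, not code from the question or from Microsoft: it compares an application's `requiredResourceAccess` against the `scope` string of an `oauth2PermissionGrant` in the customer tenant. The objects are constructed samples shaped like the Microsoft Graph `application` and `oauth2PermissionGrant` resources, and all GUIDs except the well-known Microsoft Graph appId are placeholders.

```python
# Added example: detect consent drift between an App Registration and the
# delegated grant already present on the customer's Service Principal.
# Sample objects are constructed; permission GUIDs are placeholders.

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known Microsoft Graph appId

# Constructed map of the resource's published delegated scopes (id -> value),
# as found on the resource service principal's oauth2PermissionScopes.
RESOURCE_SCOPES = {
    "11111111-0000-0000-0000-000000000001": "User.Read",
    "11111111-0000-0000-0000-000000000002": "Mail.Read",
    "11111111-0000-0000-0000-000000000003": "Files.Read",
}

# App Registration after the edit: Mail.Read removed, Files.Read added.
APPLICATION = {
    "requiredResourceAccess": [
        {"resourceAppId": GRAPH_APP_ID,
         "resourceAccess": [
             {"id": "11111111-0000-0000-0000-000000000001", "type": "Scope"},
             {"id": "11111111-0000-0000-0000-000000000003", "type": "Scope"},
         ]}
    ]
}

# Grant left in the customer tenant by the original (tenant-wide) consent.
GRANT = {"consentType": "AllPrincipals", "scope": "User.Read Mail.Read"}


def required_scopes(app, scope_names):
    """Delegated scope names the App Registration currently defines for Graph."""
    wanted = set()
    for rra in app["requiredResourceAccess"]:
        if rra["resourceAppId"] != GRAPH_APP_ID:
            continue
        for access in rra["resourceAccess"]:
            if access["type"] == "Scope":  # "Role" entries are app permissions, skipped here
                wanted.add(scope_names[access["id"]])
    return wanted


def consent_drift(app, grant, scope_names):
    """Return (stale, missing): stale = granted but no longer defined by the app,
    missing = defined by the app but never consented to in this tenant."""
    wanted = required_scopes(app, scope_names)
    granted = set(grant["scope"].split())  # scope is a space-separated string
    return sorted(granted - wanted), sorted(wanted - granted)


if __name__ == "__main__":
    stale, missing = consent_drift(APPLICATION, GRANT, RESOURCE_SCOPES)
    print("granted in tenant but removed from app:", stale)
    print("defined by app but not yet consented:", missing)
```

Stale entries are the ones to revoke for least privilege; missing entries are the ones a fresh consent would have to add.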