What does "grant admin consent" button do in azure Azure Active Directory application?

About

Asked 12/10, 2019 at 8:10 Answered 13/10, 2019 at 14:36

Solved azure-active-directory azure-ad-graph-api

We have configured an azure active directory application so that the users to our website can log in via their Microsoft accounts. The problem is that if we do not grant admin access then the Sign in to the application fails with the error code AADSTS650056:

Misconfigured application. This could be due to one of the following: The client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration.

We are skeptical to click on "Grant admin consent" fearing that it may expose any vulnerability. Is this the right way to proceed? If not what are the alternatives so that this kind of consent is bypassed?

Adjunct answered 12/10, 2019 at 8:10 Comment(2)

If I am right, your application is requesting the permissions to Azure AD Graph https://graph.windows.net, but you have added only permissions for Microsoft Graph https://graph.microsoft.com. Try to add Azure AD Graph permissions or change the permissions request to Microsoft Graph in your application and you should not get this error. – Diffract 12/10, 2019 at 20:53

Yeah, try adding the same permission from "Windows Azure Active Directory" (azure ad graph API), it should be under "legacy APIs". It's a bit odd that it would still be required though :/ – Obsolete 13/10, 2019 at 8:43

Each application registers permissions it requires. Some permissions can be granted by users, some other only by the administrator.

Let's suppose you have only permissions that can be consented by users. The first time they use the application, they'll be prompted (each user) to consent those permissions to the application. If in the same scenario you click on grant admin consent, it is the equivalent of accepting it for all users on the tenant.

Now let's suppose the application registers permissions that require admin consent, you have no choice but to click that button if you want the application to work and be able to request tokens.

These permissions that require admin consent are permissions that either allow access to more or sensitive data in the organization.

Cleaver answered 13/10, 2019 at 14:36 Comment(1)

Great answer, just as an fyi to anyone looking for permissions - it will require Global Admin or Privileged Role Admin (for most use cases). Documentation here – Brita 15/4 at 14:19

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags