Prompt=consent when requiring admin approval results in the oauth flow never working

Daniel Dunér 1

Hi, I have built an application where I require some permissions that needs admin consent. This ends up with the oauth flow asking for consent each time not noticing that the request was approved? Do you have a solution to this?

If I don't have prompt=consent, the user will not be shown which permission they consent to by logging in, which I want them to see.

1 answer

Vasil Michev 95,836 Reputation points MVP

2022-11-24T14:55:43.97+00:00

This is by design - if you specify said parameter, the consent process will always be triggered. In fact, this is one of the scenarios explicitly flagged in the "troubleshooting consent" article: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-sign-in-unexpected-user-consent-prompt
If a given user hasn't already consented to your app or no admin consent was granted, they will be prompted to do so, whether you include this parameter or not. There is no need to use it with every request.
Please sign in to rate this answer.
Daniel Dunér 1 Reputation point

2022-11-24T15:04:06.477+00:00

I might misunderstand this, but when I request approval, I understand that the intitial request counts as denied and untill my admin approves, no consent has been given to the app? But the next time I try to do this after the approval form the admin, I expect to be shown atleast the consents that requires the users own approval? and also If another user in the same organization tries to connect to the app, I assume that they need to approve something? or have the admin approved everything for the app, meaning now all users in that organization has access and thus is not shown a consent prompt?

Vasil Michev 95,836 Reputation points MVP

2022-11-24T15:30:23.553+00:00

It depends on what permissions the app requires and the tenant configuration. Many of the delegate-level permissions do not require admin consent, thus each user can consent individually, without an admin ever having to approve anything, or even see the request. Tenants can however configure which permissions can be granted by end users, so the experience might vary across different organizations. But forcing prompt=consent can result in users being blocked from using the app, as described in the article above.

On the other side of the spectrum, you can request the permissions to be granted to the entire organization via admin consent (prompt=admin_consent). Once this is done, each individual user can start using the application directly, no consent or anything needed.

Daniel Dunér 1 Reputation point

2022-11-25T07:22:44.11+00:00

okay, and having prompt_admin consent won't, create the same problem?

Vasil Michev 95,836 Reputation points MVP

2022-11-25T09:43:53.7+00:00

You're missing the point - there is no need to force this parameter on each request. If you want to make sure your app will run with all the required permissions, decode the token(s) and examine the roles/scopes therein. Only then, request consent, if needed.
And because you're mixing delegate/application permissions, you will need two separate tokens - one for each permission type.
Sign in to comment