Approve app consent requests only for requesting user?

Roland Vaughn 51 Reputation points
2020-05-20T15:28:10.977+00:00

I am testing having users request access to enterprise applications. I am worried about a user mistakenly giving a malicious app access to their data. However, it appears that the only approval option is to grant admin consent on behalf of the entire organization, even if the original request was only for user consent. That doesn't seem more secure. Shouldn't there be an option to only grant user consent on behalf of the requesting user?

Some clarification: In the Azure Portal under Enterprise applications > User Settings, there is an option, "Users can consent to apps accessing company data on their behalf". By default, this is set to "yes" and allows a user to provide user consent for only themselves if that is what the app requires. When I set this option to "No", the user has to request access to the app.

These requests are approved under Enterprise Applications > Admin consent requests. However, I can only provide admin consent for the entire directory even though the application only requires user consent and only one user wants it.

I think I should be able to grant consent for just the requesting user or be able to select the users the app has rights to.


Accepted answer
  1. AmanpreetSingh-MSFT 56,306 Reputation points
    2020-05-20T17:47:15.133+00:00

    @Roland Vaughn, if the user has submitted a consent request for admin approval and the administrator chooses to "approve and consent", this consent is provided under the admin context. That is why it is considered admin consent, not user consent, and applies to the entire tenant. As of now it is not possible for the administrator, as an approver, to provide consent for a specific user. You can post your feedback regarding this at https://feedback.azure.com.

    -----------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.


4 additional answers

Sort by: Most helpful
  1. Jai Verma 461 Reputation points
    2020-05-20T16:11:09.083+00:00

    There are two types of permissions and consent: user consent and admin consent. If an application needs basic permissions like sign-in and reading the basic profile, user consent is enough and the user can add the application for himself. In such a case you will find only the user who granted consent assigned to the service principal. Some applications require permissions where admin consent is needed. In that case only an admin can consent, either for himself or for the entire organization.

    Check the Microsoft Graph Explorer application, any user can consent and add it and you will find only those users are assigned.


  2. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-05-20T16:28:05.617+00:00

    @Roland Vaughn, if you have provided delegated permissions which do not require admin consent, but when the user tries to log in it still asks the user to log in with an admin account, this is expected to happen for some apps if they meet the criteria. This is documented as one of the "unexpected consent errors" here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-sign-in-unexpected-user-consent-error#requesting-not-authorized-permissions-error

    • AADSTS90093: <clientAppDisplayName> is requesting one or more permissions that you are not authorized to grant. Contact an administrator, who can consent to this application on your behalf.
    • AADSTS90094: <clientAppDisplayName> needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

    We termed those permissions illicit permissions, and if the control in the backend identifies any of those permissions that look illicit, it would ask the user to get admin consent for the delegated permissions too.

    That said, if this is a valid, non-malicious app we do want to make sure the developer is not blocked on this going forward. In order to get them unblocked immediately, the consent request can be sent to an admin for review and potential approval.

    In this case, an audit event will also be logged with a Category of "ApplicationManagement", Activity Type of "Consent to application" and Status Reason of "Risky application detected".

    We have a bug right now where the Status Reason shows up as a long value, but it's very obvious that it correlates to this specific behavior:

    the current status reason will be "Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException"

    This is a default behavior now for OAuth Apps seeking User Consent based on the update pushed for all the tenants as a part of the security measure.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as the answer if the above response helped in answering your query.

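The answer above describes a specific audit-log signature (Category "ApplicationManagement", Activity "Consent to application", Status Reason "Risky application detected" or the raw exception string). The following added example, written by the editor and not taken from the thread, shows how an operator could pull those events out of an exported audit log. The sample events are constructed; their field names (`category`, `activityDisplayName`, `resultReason`, `initiatedBy`, `targetResources`) follow the shape of Microsoft Graph `directoryAudits` records, and that mapping from the portal's "Status Reason" column to `resultReason` is an assumption.

```python
"""Find user-consent attempts that Entra ID blocked as a risky app.

Added example (not from the Q&A thread). SAMPLE_AUDIT is constructed data in the
shape of Graph directoryAudits records; the field names are an assumption.
"""
import json
from typing import Dict, List

# Both spellings the answer mentions: the intended friendly text and the raw
# exception name that the (then-current) bug surfaced instead.
RISKY_REASONS = {
    "Risky application detected",
    "Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException",
}

# Constructed sample: one blocked risky-app consent, one admin consent that
# succeeded, and one unrelated event that must be ignored.
SAMPLE_AUDIT = json.dumps([
    {
        "activityDateTime": "2020-05-20T15:01:11Z",
        "category": "ApplicationManagement",
        "activityDisplayName": "Consent to application",
        "result": "failure",
        "resultReason": "Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException",
        "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
        "targetResources": [{"type": "ServicePrincipal", "displayName": "Mail Sync Helper"}],
    },
    {
        "activityDateTime": "2020-05-20T15:04:37Z",
        "category": "ApplicationManagement",
        "activityDisplayName": "Consent to application",
        "result": "success",
        "resultReason": "",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{"type": "ServicePrincipal", "displayName": "Graph Explorer"}],
    },
    {
        "activityDateTime": "2020-05-20T15:05:02Z",
        "category": "UserManagement",
        "activityDisplayName": "Update user",
        "result": "success",
        "resultReason": "",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{"type": "User", "displayName": "Bob"}],
    },
])


def is_risky_consent_block(event: Dict) -> bool:
    """True when the event is a 'Consent to application' that was refused for risk."""
    return (
        event.get("category") == "ApplicationManagement"
        and event.get("activityDisplayName") == "Consent to application"
        and event.get("resultReason", "") in RISKY_REASONS
    )


def blocked_consents(raw_json: str) -> List[Dict[str, str]]:
    """Return {app, user, time} for every risky-app consent block in an export."""
    hits = []
    for event in json.loads(raw_json):
        if not is_risky_consent_block(event):
            continue
        user = event.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")
        app = next(
            (t.get("displayName", "?") for t in event.get("targetResources", [])
             if t.get("type") == "ServicePrincipal"),
            "?",
        )
        hits.append({"app": app, "user": user, "time": event.get("activityDateTime", "")})
    return hits


if __name__ == "__main__":
    for hit in blocked_consents(SAMPLE_AUDIT):
        print(f"{hit['time']}  {hit['user']} was blocked from consenting to '{hit['app']}'")
```

Each hit is a user who tried to consent to an app the service considered risky, which is exactly the population an admin should review before approving anything tenant-wide.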

  3. Roland Vaughn 51 Reputation points
    2020-05-20T17:09:24.28+00:00

    Some clarification: In the Azure Portal under Enterprise applications > User Settings, there is an option, "Users can consent to apps accessing company data on their behalf". By default, this is set to "yes" and allows a user to provide user consent for only themselves if that is what the app requires. When I set this option to "No", the user has to request access to the app.

    These requests are approved under Enterprise Applications > Admin consent requests. However, I can only provide admin consent for the entire directory even though the application only requires user consent and only one user wants it.

    I think I should be able to grant consent for just the requesting user or be able to select the users the app has rights to.


  4. Eddie Rowe 11 Reputation points
    2021-04-04T20:24:14.447+00:00

    @Roland Vaughn Did you get this figured out? I am seeing the same thing that you see and I can only approve an app at the organization level. The Azure AD portal doesn't let me block or deny the request...the only option enabled is to "Review permissions and consent". Another web page gives me the impression we should be able to allow an app just for ONE user, but when you follow the hyperlink the page was written for developers or by someone who has no idea how the web page we are using works. I don't want to build anything...just looking for a way to protect the organization and IF push comes to shove, allow a specific app for a specific user.

    "Instead of granting consent for the entire organization, an administrator can also use the Microsoft Graph API to grant consent to delegated permissions on behalf of a single user. For more information, see Get access on behalf of a user.".

    https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/manage-consent-requests

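The quoted documentation says an administrator can grant delegated permissions for a single user through the Microsoft Graph API rather than for the whole organization. The added example below, written by the editor and not part of the thread or of Microsoft's documentation, shows what that request looks like: an `oauth2PermissionGrant` with `consentType` "Principal" and a `principalId` (one user) versus "AllPrincipals" (the tenant-wide admin consent the portal button produces), plus the check a practitioner would want before sending it, because Graph keys these grants on client, resource and principal, so an existing per-user grant should have its `scope` patched rather than a duplicate created. All GUIDs and the existing-grant list are constructed; send the resulting request with whatever Graph client you use (`Invoke-MgGraphRequest`, `az rest`, plain HTTPS).

```python
"""Plan a per-user delegated consent grant via Microsoft Graph.

Added example (not code from the thread). Uses the documented
oauth2PermissionGrants resource:
  POST  /v1.0/oauth2PermissionGrants      {clientId, consentType, principalId, resourceId, scope}
  PATCH /v1.0/oauth2PermissionGrants/{id}  {scope}
IDs and EXISTING_GRANTS below are constructed sample data.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple, Union

GRAPH_GRANTS = "https://graph.microsoft.com/v1.0/oauth2PermissionGrants"

# Constructed object IDs (service principals and users), not real tenants.
CLIENT_SP = "11111111-1111-1111-1111-111111111111"   # the app being consented to
GRAPH_SP = "22222222-2222-2222-2222-222222222222"    # resource: Microsoft Graph SP
ALICE = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
BOB = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"

# Constructed snapshot of GET /oauth2PermissionGrants?$filter=clientId eq '...'
EXISTING_GRANTS: List[Dict] = [
    {"id": "grant-1", "clientId": CLIENT_SP, "resourceId": GRAPH_SP,
     "consentType": "Principal", "principalId": ALICE, "scope": "User.Read"},
]


def build_grant(client_sp_id: str, resource_sp_id: str, scopes: Iterable[str],
                principal_id: Optional[str] = None) -> Dict:
    """POST body. With principal_id the grant is for ONE user ('Principal');
    without it the grant is tenant-wide ('AllPrincipals'), i.e. admin consent."""
    scope = " ".join(sorted(set(scopes)))
    if not scope:
        raise ValueError("at least one delegated scope is required")
    body = {"clientId": client_sp_id, "resourceId": resource_sp_id, "scope": scope}
    if principal_id:
        body.update({"consentType": "Principal", "principalId": principal_id})
    else:
        body.update({"consentType": "AllPrincipals", "principalId": None})
    return body


def consented_users(grants: List[Dict], client_sp_id: str) -> Union[Set[str], str]:
    """Which users already hold delegated consent for this client: a set of user
    object IDs, or the string 'AllPrincipals' if a tenant-wide grant exists."""
    users: Set[str] = set()
    for g in grants:
        if g["clientId"] != client_sp_id:
            continue
        if g["consentType"] == "AllPrincipals":
            return "AllPrincipals"
        users.add(g["principalId"])
    return users


def plan_grant(grants: List[Dict], client_sp_id: str, resource_sp_id: str,
               user_id: str, scopes: Iterable[str]) -> Tuple[str, str, Optional[Dict]]:
    """Return (method, url, body) for granting `scopes` to exactly one user.
    Reuses an existing (client, resource, user) grant by merging its scope."""
    wanted = set(scopes)
    for g in grants:
        if (g["clientId"], g["resourceId"], g.get("principalId")) == (client_sp_id, resource_sp_id, user_id):
            merged = " ".join(sorted(set(g["scope"].split()) | wanted))
            if merged == g["scope"]:
                return ("NOOP", f"{GRAPH_GRANTS}/{g['id']}", None)
            return ("PATCH", f"{GRAPH_GRANTS}/{g['id']}", {"scope": merged})
    return ("POST", GRAPH_GRANTS, build_grant(client_sp_id, resource_sp_id, wanted, user_id))


if __name__ == "__main__":
    print(consented_users(EXISTING_GRANTS, CLIENT_SP))
    print(plan_grant(EXISTING_GRANTS, CLIENT_SP, GRAPH_SP, ALICE, ["User.Read", "Mail.Read"]))
    print(plan_grant(EXISTING_GRANTS, CLIENT_SP, GRAPH_SP, BOB, ["User.Read"]))
```

Note that the portal's "Review permissions and consent" button corresponds to the `AllPrincipals` body; the `Principal` body is the narrow grant the thread is asking for. Whoever sends the request needs a role allowed to create grants (for example Privileged Role Administrator or a custom role with the permission-grant actions), and the app's service principal must already exist in the tenant.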