Can we provide Azure app admin consent on a per-user basis?

Question

From what I tell, apps that run in background require admin consent but the limitations of the API Consent model effectively breaks O365 security. Programs are being written that allow users to bypass the in-app permissions configured in Outlook, SharePoint, OneDrive, etc.

For example, one of our divisions has a program for dispatching service personnel and it must be able to add items to their Outlook calendars. Traditionally, we setup a user for the program to use and gave that user rights to the 20 or so accounts it needed to manage. With the new API consent model, we have to give admin consent for the Azure app to have access to the entire company’s calendars; over 400 people. This in turn gives the administrators of the program access to calendars of everyone in company, from the CEO to the HR manager.

Here is another example. We have a program that pulls content from SharePoint sites and OneDrive for business. Again, traditionally we setup a user for that program to use and granted rights for the assets that program needed. Again, the developers wrote a Azure APP that requires admin consent. So now the users of that program can open documents from anyone’s OneDrive.

This seems like a major issue to me and Microsoft is requiring developers to use it for modern authentication in the future.

Answer 1

if you still want to use approach based on user (aka service) account you have to force developers of the apps to use delegated permissions. If these apps are not under your control and they require app permissions (auth based on client id and secret) there is not that many options available:

• choose another app
• restrict access to the app like said here Grant tenant-wide admin consent to an application

When an application has been granted tenant-wide admin consent, all users will be able to sign in to the app unless it has been configured to require user assignment. To restrict which users can sign in to an application, require user assignment and then assign users or groups to the application

Answer 2

@Roland Vaughn
Thank you for the detailed post! When it comes to AzureAD applications and admin consent, have you looked into delegated permissions over application permissions?

Delegated Permissions:
This specifies scope-based access, and is typically used when you want to call the API as the logged in user. The API is using delegated authorization from the signed-in user/resource owner. For example, if the user is a User Administrator, and they're calling the API to manage MFA permissions/config, the API won't be able to complete the operation due to insufficient permissions from the signed in user.

Application Permissions:
Application permissions are used when the application calls the API as itself. For example, to get the weather forecast for a certain zip code (it does not matter which user is logged on). The client can even call the API when there's no user present (some background service calling the API to update some status).

For more information.

Additional Links:
Azure AD App Application Permissions vs Delegated Permissions

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

Answer 3

@JamesTran-MSFT
The problem is that these are third-party applications. I can't control if they request delegated or application permissions. I would like to control what they have access to like I used to be able to.

Answer 4

I was afraid that was the answer. Pretty unacceptable IMO.