Share via

Admin consent via token grant flow for Graph application permissions

KrzysztofWroblewski-0311 20 Reputation points
2024-04-12T08:35:55.6166667+00:00

The documentation for granting admin consent (in our case, to grant application permissions) instructs us to redirect the user to the admin consent endpoint (/adminconsent).

It seems that it's also possible to prompt for admin consent as part of an OAuth 2 token grant flow, e.g. the auth code flow, skipping the admin consent endpoint altogether. The token grant flow is useful because it could allow us to take care of admin consent and obtain ID/access tokens in a single step, resulting in simpler UX.

Could you confirm that using the /authorize endpoint to complete admin consent for granting application permissions is a valid approach?

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Graph
0 comments

Answer accepted by question author

CarlZhao-MSFT 46,456 Reputation points
2024-04-15T09:36:22.46+00:00

Hi @KrzysztofWroblewski-0311

Yes, based on my testing, I can confirm that this is the expected behavior.

When you log in as an administrator to the /authorize endpoint and set the scope to https://graph.microsoft.com/.default, your administrator will be able to grant admin consent on behalf of the organization for all permissions, including application permissions. As such, there is no difference between this and the /adminconsent endpoint.

It is important to note that the /adminconsent endpoint is for organization-level consent, while the /authorize endpoint allows the logged-in user to grant user consent.

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

Was this answer helpful?

1 person found this answer helpful.
0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. CarlZhao-MSFT 46,456 Reputation points
    2024-04-12T08:59:43.4366667+00:00

    Hi @KrzysztofWroblewski-0311

    No, the /authorize endpoint can only grant user or admin consent for the logged-in user, which is specific to delegated permissions and not application permissions.

    Application permissions are organization-wide and can only be granted admin consent by the /adminconsent endpoint or the Azure portal.

    If the reply helps, don't forget to accept it as an answer. Thanks!

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.