Does a call to "https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?client_id=

GM 136

Consider the have the following scenario:

SaaS service uses a multi-tenant Azure AD app to access resources located in the M365 tenant of the service customers
When onboarding a new account, the service explicitly request admin consent for our app (using variant of `https://login.microsoftonline.com/{customer_tenant_id}/v2.0/adminconsent?client_id=

CarlZhao-MSFT 40,311 Reputation points

2022-10-05T02:55:05.437+00:00

Hi @GM
You mean your tenant admin can't check what permissions have been consent for that multi-tenant application?

Accepted answer

Vasil Michev 100.2K Reputation points MVP

2022-10-05T06:54:43.17+00:00

Yes, querying the /adminconsent endpoint will always result in triggering the consent dialog. If you want to check the current consent state, obtain an access token and check the scopes/roles therein. Only then, if needed, trigger a request against the /adminconsent endpoint.
Refer to this article for more info: https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#validate-user-permission
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

1 additional answer

GM 136 Reputation points

2022-10-05T19:47:54.807+00:00

Thank you @Vasil Michev . Your suggestion will work great!
Please sign in to rate this answer.

0 comments No comments
Sign in to comment