Does a call to "https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?client_id=

GM 136 Reputation points
2022-10-04T20:44:20.79+00:00

Consider the following scenario:

  • SaaS service uses a multi-tenant Azure AD app to access resources located in the M365 tenant of the service customers
  • When onboarding a new account, the service explicitly requests admin consent for our app (using a variant of `https://login.microsoftonline.com/{customer_tenant_id}/v2.0/adminconsent?client_id=

Accepted answer
  1. Vasil Michev 97,231 Reputation points MVP
    2022-10-05T06:54:43.17+00:00

    Yes, querying the /adminconsent endpoint will always result in triggering the consent dialog. If you want to check the current consent state, obtain an access token and check the scopes/roles therein. Only then, if needed, trigger a request against the /adminconsent endpoint.
    Refer to this article for more info: https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#validate-user-permission

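The check described in the accepted answer, as an added example that is not part of the original thread or Microsoft's code: it reads the `roles` (application permissions) and `scp` (delegated scopes) claims of an already-acquired access token and reports which required permissions are absent, so `/adminconsent` is only called when something is missing. The function names, the placeholder tenant ID, the sample permission names and the unsigned sample token are assumptions constructed for the demo; the signature is not verified because the result only decides whether to show the consent prompt.

```python
import base64
import json

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it; never use this for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(body))

def missing_permissions(token, tenant_id, app_roles=(), scopes=()):
    """Return the required permissions that the token does not carry.

    token is None when token acquisition failed (for example, the app has no
    service principal in the customer tenant yet): everything is missing.
    """
    if token is None:
        return sorted(set(app_roles) | set(scopes))
    claims = jwt_claims(token)
    if claims.get("tid") != tenant_id:
        raise ValueError("token was issued for a different tenant")
    granted_roles = set(claims.get("roles", []))        # array of app permissions
    granted_scopes = set(claims.get("scp", "").split())  # space-separated string
    # Compare the two kinds separately: the same name can exist as both
    # an application permission and a delegated scope.
    return sorted((set(app_roles) - granted_roles) | (set(scopes) - granted_scopes))

def needs_admin_consent(token, tenant_id, app_roles=(), scopes=()):
    """True when the /adminconsent prompt should be triggered."""
    return bool(missing_permissions(token, tenant_id, app_roles, scopes))

def make_sample_token(claims):
    """Build an unsigned, constructed token for the demo (not a real Azure AD token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])

TENANT = "00000000-0000-0000-0000-000000000001"  # placeholder tenant ID
SAMPLE = make_sample_token({"tid": TENANT, "roles": ["User.Read.All"]})

if __name__ == "__main__":
    wanted = ["User.Read.All", "Mail.Read"]  # sample permission names
    print(missing_permissions(SAMPLE, TENANT, app_roles=wanted))
    print(needs_admin_consent(SAMPLE, TENANT, app_roles=["User.Read.All"]))
```

Permissions granted after the token was issued only appear in a newly acquired token, so request a fresh one before running the check.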

1 additional answer

  1. GM 136 Reputation points
    2022-10-05T19:47:54.807+00:00

    Thank you @Vasil Michev. Your suggestion will work great!
