reverting admin consent

Idan Gazit 21 Reputation points
2020-10-01T12:32:03.87+00:00

I have an enterprise application which another tenant consented to, granting my application specific permissions. Is there anything that I, as the enterprise application, can do in order to remove these permissions so that my application will no longer have them?

Microsoft Entra ID

3 answers

  1. soumi-MSFT 11,771 Reputation points Microsoft Employee
    2020-10-01T13:22:19.777+00:00

    Hi @Idan Gazit , thank you for reaching out. Before getting to the answer to the above query, let me share some details about the application structure in AAD. When you register an application in AAD, it creates two objects: one called the Application Object and the other called the Service Principal Object. Now, the permissions for any application get added in the application object, and once the user or admin provides consent to those permissions, that consent gets recorded in the service principal object of that application. [refer to the screenshot below]

    29683-serviceprincipalconsent.png

    When you create a multi-tenant application and share it with other tenants, and when they access your application and start using it, a service principal object gets created in their own tenant, which holds the record of the consents being provided by users of their organization.

    Now coming to your query, where you wanted to understand if you can revoke the admin consent/ user consents from your own tenant for a multi-tenant application, the answer to that is no, you cannot do that as the consents get registered in the tenant where the user belongs and the consents on the Service Principal Object (as shown in the screenshot above) cannot be deleted or revoked.

    For deleting/revoking an admin consent/user consent, you would need to do that through the application object in the App Registration blade, where you have added the actual permissions. [refer to the screenshot below]

    29692-revokepermission.png

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.


  2. soumi-MSFT 11,771 Reputation points Microsoft Employee
    2020-10-06T06:33:13.637+00:00

    Hello @Idan Gazit , I would like to apologize for the delay in my response here. First of all, in this case, there is only one app, i.e. App1, which you have developed and registered in your AAD tenant. Now, since your App1 is a multitenant app, other tenants can use this app by registering App1 in their tenants too. When you registered your App1 in your own tenant, two objects got created: an Application Object (with a unique application ID) and a Service Principal Object (with a unique object ID). When some other user from some other tenant tries to add this application App1 in their tenant, only the Service Principal object of this App1 gets registered in their tenant.

    Now, how is this application instance of App1 that is registered in that other remote tenant related to the app that you registered in your tenant?
    The answer to that is: by the Application ID. Let me explain. As mentioned above, when the app is registered in your own tenant, it gets a unique Application ID and a unique Service Principal Object ID. When this multi-tenant app gets registered in some other tenant, the application ID remains the same but a new Service Principal Object ID gets generated. So both app instances are connected through the Application ID.

    Now the interesting part is, if today you add a Graph API permission, let's say email.read, onto App1 registered in your own tenant, then when users of the other tenant access App1, they would be asked to consent to this new permission Email.read. But neither the admin nor the users can revoke the permissions that you are setting up on App1 in your tenant, since the app registered in their tenant is an instance of your App1. Whatever changes you perform on App1 registered in your tenant would get reflected in all its instances across tenants. Only you, as an admin of this app sitting in your own tenant, can add, remove, or revoke permissions.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. If you feel the explanation still doesn't answer your query well, I would request you to drop an email to azcommunity[at]microsoft[dot]com mentioning this thread, so that it helps me recognize the email and reach back to you sooner offline.

    Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.


  3. Idan Gazit 21 Reputation points
    2020-10-04T08:36:09.53+00:00

    Thanks, soumi-MSFT, very much!

    Just want to see if I am getting it:

    App1 is my multitenant application
    App2 is the customer tenant

    The admin of App2 wants to grant permission to access his app (e.g. Mail.Read) to my App1. He is consenting to the permissions that my App1 is requesting, and then a servicePrincipal object is created in the customer App2 tenant.

    If I as App1 have the permissions, I can delete my app from the list of servicePrincipals of App2 (https://learn.microsoft.com/en-us/graph/api/serviceprincipal-delete?view=graph-rest-1.0&tabs=http), and then there will be no more "connections" between the apps (the permissions that I have on App2 will be revoked).

    But is there no way that I can delete this connection between the apps (revoke these permissions) by doing a proactive HTTP request (Graph API)? I mean, just like App2 has servicePrincipal objects, isn't my App1 holding an object that represents the tenants that are "connected" to it?

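An added example, not code from this thread or from Microsoft, showing the approach the post above describes from the customer tenant's side: locate App1's service principal by the shared appId (its object id differs per tenant, as the accepted answer explains) and delete it via the serviceprincipal-delete call. It goes one step beyond the post by first reading the delegated consents recorded on that service principal (Graph's `oauth2PermissionGrants`) so the revoked scopes are captured for the audit trail. The `call(method, path)` callable, the `FakeGraph` stand-in, its object ids and the appId are all constructed assumptions so the logic runs offline; in real use `call` would wrap an authenticated Graph client.

```python
from typing import Callable, Dict, List

# Constructed sample appId for App1; the real value is the Application ID
# shown in the provider's App Registration, identical in every consuming tenant.
APP1_APP_ID = "11111111-2222-3333-4444-555555555555"

def revoke_consumed_app(app_id: str, call: Callable[[str, str], dict]) -> Dict[str, object]:
    """Find App1's service principal in this (customer) tenant by appId,
    record the delegated scopes consented on it, then delete the service
    principal, which drops the consent records held on it.
    Application (app-role) grants live in a separate collection and are
    not enumerated here."""
    sps = call("GET", f"/servicePrincipals?$filter=appId eq '{app_id}'")["value"]
    if len(sps) != 1:
        raise LookupError(f"expected one service principal for {app_id}, found {len(sps)}")
    sp_id = sps[0]["id"]  # tenant-specific object id, not the provider's one
    grants = call("GET", f"/servicePrincipals/{sp_id}/oauth2PermissionGrants")["value"]
    scopes = sorted({s for g in grants for s in g.get("scope", "").split()})
    call("DELETE", f"/servicePrincipals/{sp_id}")
    return {"servicePrincipalId": sp_id, "revokedScopes": scopes}

class FakeGraph:
    """Constructed in-memory stand-in for the customer tenant's directory;
    it answers only the three Graph requests the function above issues."""
    def __init__(self) -> None:
        self.sps = {"b2c3": {"id": "b2c3", "appId": APP1_APP_ID, "displayName": "App1"}}
        self.grants = [{"id": "g1", "clientId": "b2c3", "scope": "Mail.Read User.Read"}]
        self.log: List[str] = []

    def __call__(self, method: str, path: str) -> dict:
        self.log.append(f"{method} {path}")
        if method == "GET" and path.startswith("/servicePrincipals?$filter=appId eq "):
            wanted = path.split("'")[1]
            return {"value": [s for s in self.sps.values() if s["appId"] == wanted]}
        if method == "GET" and path.endswith("/oauth2PermissionGrants"):
            sp_id = path.split("/")[2]
            return {"value": [g for g in self.grants if g["clientId"] == sp_id]}
        if method == "DELETE" and path.startswith("/servicePrincipals/"):
            sp_id = path.rsplit("/", 1)[1]
            del self.sps[sp_id]  # grants on the deleted principal go with it
            self.grants = [g for g in self.grants if g["clientId"] != sp_id]
            return {}
        raise ValueError(f"unexpected request: {method} {path}")

if __name__ == "__main__":
    tenant = FakeGraph()
    print(revoke_consumed_app(APP1_APP_ID, tenant))
    print(tenant.log)
```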