Are there any drawbacks in bypassing consent?

batmanbegins 0 Reputation points
2023-03-25T14:40:33.2866667+00:00

I'm playing around with Graph API and delegated permissions. In all articles I've read so far, there is a need for consent handling, where the user needs to act in order to allow the app to act as him.

But... the whole consent experience is bypassable, right? If the user is redirected to a browser, I can't see technical reasons this couldn't all be dealt with directly by the application (although I can imagine legal/regulatory reasons). But, surprisingly, no articles mention this, and maybe for a good reason.

Am I missing something? Are there any drawbacks in going this route if my users really don't want to manually consent to anything?


2 answers

  1. Andy David - MVP 147.6K Reputation points MVP
    2023-03-25T15:18:03.0366667+00:00

    Personally, I would lock down automatic consents as much as possible:

    https://www.linkedin.com/pulse/why-you-should-really-care-mitigating-illicit-consent-tatu-sepp%C3%A4l%C3%A4/?trk=pulse-article_more-articles_related-content-card

    You can implement a consent workflow to allow trusted apps and trusted perms:

    https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow

    I get what you are asking, but I think a balance is needed here. Teaching users to be aware of the apps they are using and to understand what they are allowing is a good thing and, along with the consent workflow, also protects your org.


  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
