Questions on OIDC Permissions request prompt

Fabio Carvalho 20 Reputation points
2023-06-08T14:50:33.0466667+00:00

Hello,

I am not sure if I will phrase this question correctly but I would like to know what happens "in the background" when you accept the prompt to grant a 3rd party permissions to AzureAD for SSO using OIDC.

Specifically, I want to set up SSO for my company's Adobe licenses, and Adobe seems to prefer an OIDC config. This link has more info: (https://helpx.adobe.com/enterprise/using/sso-setup-azure.html). This process does seem a lot easier, BUT I get concerned when I see the prompt asking to Accept the request to grant permissions. I am uncertain what that is doing "under the covers". What am I granting specifically? Is there anything I should be concerned about, or rather, should I investigate what permissions I granted after I accept? Also, as a best practice, what user account should I use when setting up OIDC connections like this when you get prompted to grant permissions? I presume it needs to be a GA? Perhaps I should set up a user account to be used solely for setting up these types of connections?

Microsoft Entra ID

1 answer

  1. Akshay-MSFT 17,951 Reputation points Microsoft Employee Moderator
    2023-06-09T09:54:29.8266667+00:00

    @Fabio Carvalho

    Thank you for posting your query on Microsoft Q&A. From the above description, I understand you want advice on: What happens when user consent is requested while accessing any application?

    Please do correct me if this is not the case by responding in the comments section.

    Before an application can access your organization's data, a user must grant the application permissions to do so. Different permissions allow different levels of access. By default, all users are allowed to consent to applications for permissions that don't require administrator consent. For example, by default, a user can consent to allow an app to access their mailbox but can't consent to allow an app unfettered access to read and write to all files in your organization.

    PFB example for reference:

    • The below screenshot shows an application which has the IMAP.AccessAsUser.All permission granted, but it does not require admin consent from a Global Admin:

    User's image

    • And my test tenant's User consent settings are set to Allow user consent for apps (All users can consent for any app to access the organization's data).

    User's image

    • Such an application, when accessed by the user, requests "User Consent" to access the "mailbox" of the same user.

    User's image

    • However, if you don't want this to happen, we can block it by updating User consent settings to Do not allow user consent (An administrator will be required for all apps).

    User's image

    • This would require the user to send an approval request to the admin every time any app requires consent to access organization data on behalf of the user.

    User's image

    • Then the admin may review and decide whether access should be granted or denied for the application.

    User's image

    Please do let me know if you have any queries in the comments section,

    Thanks,

    Akshay Kaushik

    Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.

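An added example, not part of this thread or of Microsoft's or Adobe's documentation, that answers the "should I investigate what permissions I granted after I accept" part of the question: it lists the delegated permissions (oauth2PermissionGrant objects) and application permissions (app role assignments) held by the consented app's service principal, using the Microsoft Graph PowerShell SDK. The app display name is a placeholder, and the SDK being installed and the caller holding the listed read scopes are assumptions.

```powershell
# Added example: audit what an enterprise app actually holds after the consent prompt was accepted.
# Assumes the Microsoft.Graph PowerShell SDK is installed; the scopes below are read-only.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

$appDisplayName = "Adobe Identity Management (OIDC)"   # placeholder: use the app name shown in the consent prompt
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (-not $sp) { throw "No service principal named '$appDisplayName' exists in this tenant." }

$report = @()

# Delegated permissions: this is what the consent prompt in the question creates.
# ConsentType 'AllPrincipals' = an admin consented for the whole tenant; 'Principal' = one user consented for themself.
$grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All
foreach ($grant in $grants) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $grant.ResourceId
    foreach ($scopeValue in ($grant.Scope -split ' ' | Where-Object { $_ })) {
        # The resource API publishes each scope with Type 'User' (user-consentable) or 'Admin' (admin consent required).
        $def = $resource.Oauth2PermissionScopes | Where-Object { $_.Value -eq $scopeValue }
        $report += [pscustomobject]@{
            Kind          = 'Delegated'
            Resource      = $resource.DisplayName
            Permission    = $scopeValue
            ConsentType   = $grant.ConsentType
            ConsentedBy   = if ($grant.PrincipalId) { $grant.PrincipalId } else { 'tenant-wide' }
            RequiresAdmin = if ($def) { $def.Type -eq 'Admin' } else { 'unknown' }
            Description   = if ($def) { $def.AdminConsentDisplayName } else { '' }
        }
    }
}

# Application permissions run as the app itself with no signed-in user; a plain OIDC SSO app should have none.
$roleAssignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
foreach ($assignment in $roleAssignments) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
    $roleId = $assignment.AppRoleId
    $role = $resource.AppRoles | Where-Object { $_.Id -eq $roleId }
    $report += [pscustomobject]@{
        Kind          = 'Application'
        Resource      = $resource.DisplayName
        Permission    = if ($role) { $role.Value } else { $roleId }
        ConsentType   = 'AllPrincipals'
        ConsentedBy   = 'tenant-wide'
        RequiresAdmin = $true
        Description   = if ($role) { $role.DisplayName } else { '' }
    }
}

$report | Sort-Object Kind, Resource, Permission | Format-Table -AutoSize
```

Rows with ConsentType 'AllPrincipals' or RequiresAdmin 'True' are the ones an administrator granted on behalf of the whole tenant and deserve the closest review; a single user's own consent shows up as 'Principal' with that user's object id.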
