How to configure app registration to display scope of "dependent" app registration in consent screen?

Question

How to configure app registration to display scope of "dependent" app registration in consent screen?

Matthias Grosperrin 0

Hi,

I am building a set of WebApp & API, one depending on the others, and I am trying to configure the app registrations to propose the simpliest consent scenario to my users.

Ideally, I would like to have only one consent screen, showing the scopes for the WebApp itself and the scopes for all "dependent" API.

For now, I am able to configure the app registrations with the preAuthorizedApplications and knownClientApplications but it "only" allow me to request an access token for the API. This token doesn't allow the API to request token to call MS Graph API (for example).

Is there a way to do it?

JamesTran-MSFT 37,226 Reputation points Microsoft Employee Moderator

2023-08-14T20:22:42.71+00:00

@Matthias Grosperrin

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Shweta Mathur 30,431 Reputation points Microsoft Employee Moderator

2023-08-17T08:23:17.1166667+00:00

Hi @Matthias Grosperrin ,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

1 answer

Your answer

JamesTran-MSFT 37,226 Reputation points Microsoft Employee Moderator

2023-08-14T20:22:42.71+00:00

@Matthias Grosperrin

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Shweta Mathur 30,431 Reputation points Microsoft Employee Moderator

2023-08-17T08:23:17.1166667+00:00

Hi @Matthias Grosperrin ,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Answer 1

Shweta Mathur 30,431 Microsoft Employee Moderator

Hi @Matthias Grosperrin ,

Thanks for reaching out.

You can achieve this by using the On-Behalf-Of flow. The On-Behalf-Of flow is used to obtain a token to call a downstream API, on behalf of a user. In your case, the WebApp will obtain an access token for itself and an access token for the API, on behalf of the user. The API can then use the access token it obtained to call the Microsoft Graph API.

To implement the On-Behalf-Of flow, you need to configure the app registrations for both the WebApp and the API. The WebApp will need to request an access token for itself and an access token for the API, using the user's access token. The API will need to validate the access token it received from the WebApp and use it to call the Microsoft Graph API.

Reference - https://www.youtube.com/watch?v=M5yXU6oWchU

https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow

Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if answer helped you.

Matthias Grosperrin 0 Reputation points

2023-08-17T09:05:48.5633333+00:00

Hi @Shweta Mathur,

Thanks for your reply!

It partially answer my question.

In the docs, there is no sample on how to configure the App Registration to use the .default scope. All I see is that I have to declare the App Registration of my WebApp in the knownClientApplications property of the App Registration of my API.

I also try to add it in the preAuthorizedApplications, but I can't select the .default scope. Do I have to create it manually? And if I do, will it have the same meaning?

Thanks again for your help.

Matthias
Shweta Mathur 30,431 Reputation points Microsoft Employee Moderator

2023-08-21T08:11:46.6633333+00:00

The .default scope is used to refer generically to a resource service (API) in a request, without identifying specific permissions. If consent is necessary, using .default signals that consent should be prompted for all required permissions listed in the application registration.

To use the .default scope, you don't need to create it manually. You can simply use the identifier URI for the resource and .default, separated by a forward slash (/). eg https://graph.microsoft.com/.default

.default scope is used for apps that run as background services or daemons. It's appropriate when it's undesirable to have a specific user signed in, or when the data required can't be scoped to a single user.

Regarding the configuration of the App Registration to use the .default scope, you need to declare the App Registration of your WebApp in the knownClientApplications property of the App Registration of your API. This is because the .default scope is used to refer generically to a resource service (API) in a request, without identifying specific permissions**.**

Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if answer helped you.
Matthias Grosperrin 0 Reputation points

2023-08-22T07:52:12.37+00:00

Hi,

Thanks for your answer.

I am not sure to understand what to do next however :).

I am especially surprised by this statement:

.default scope is used for apps that run as background services or daemons. It's appropriate when it's undesirable to have a specific user signed in, or when the data required can't be scoped to a single user.

My use case is not tied to a background service.

I have an API (LicensingAPI) that is called by my ProductAPI to know if the current user has purchased a license. If the LicensingAPI doesn't know about the user, it will create a new account with a free account. The account need to have the tenant name (to give it to the ProductAPI to let it call SharePoint APIs), so it have to call Microsoft Graph with the scope User.Read.

My ProductAPI is called by either a ProductWebApp that I develop, or by component run in SharePoint (there is some mecanisms in SharePoint to allow me to get a AAD token to call my ProductAPI).

Currently, I have define a scope in LicensingAPI (user_impersonation), set ProductAPI as a knownClientApplications of LicensingAPI, and add ProductAPI in preAuthorizedApplications with the permissionId/Scope user_impersonation.

When I approve the ProductAPI, I am able to get an access token to call LicensingAPI, but in LicensingAPI, I can't get a token to call MS Graph.

Again, what I would like to be able to have only one consent screen for the ProductAPI/ProductWebApp (both tier use the same App Registration) to will consent for all App Registration (ProductAPI & its own required scope, LicensingAPI & its own required scope).
Matthias Grosperrin 0 Reputation points

2023-09-12T11:56:03.6166667+00:00

Hi @Shweta Mathur ,

Did you had the time to look at my problem?

I saw someone doing something similar (or at least with an acceptable UX):

Here I have a "multistep" screen to consent to 2 applications with only one redirect.

Here is the link of the first redirection if it can help:

https://login.microsoftonline.com/organizations/v2.0/adminconsent?client_id=ae16e128-c76e-4a38-8e06-0927912b59d9&scope=api://myhub.avepointonlineservices.com/478c769e-bab3-4049-9cfc-302d08a232bf/Workspace.Manage&redirect_uri=https://myhub-admin.avepointonlineservices.com/logon&state=https%3A%2F%2Fmyhub-admin.avepointonlineservices.com%2F%23%2F

Thanks again for your help.

Matthias

Share via

How to configure app registration to display scope of "dependent" app registration in consent screen?

1 answer

Your answer