Admin consent via token grant flow for Graph application permissions

KrzysztofWroblewski-0311 20 Reputation points
2024-04-12T08:35:55.6166667+00:00

The documentation for granting admin consent (in our case, to grant application permissions) instructs us to redirect the user to the admin consent endpoint (/adminconsent).

It seems that it's also possible to prompt for admin consent as part of an OAuth 2 token grant flow, e.g. the auth code flow, skipping the admin consent endpoint altogether. The token grant flow is useful because it could allow us to take care of admin consent and obtain ID/access tokens in a single step, resulting in simpler UX.

Could you confirm that using the /authorize endpoint to complete admin consent for granting application permissions is a valid approach?

Tags: Microsoft Graph (a Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services); Microsoft Entra ID (a Microsoft Entra identity service that provides identity management and access control capabilities; replaces Azure Active Directory)

Accepted answer
  1. CarlZhao-MSFT 42,031 Reputation points
    2024-04-15T09:36:22.46+00:00

    Hi @KrzysztofWroblewski-0311

    Yes, based on my testing, I can confirm that this is the expected behavior.

    When you log in as an administrator to the /authorize endpoint and set the scope to https://graph.microsoft.com/.default, your administrator will be able to grant admin consent on behalf of the organization for all permissions, including application permissions. As such, there is no difference between this and the /adminconsent endpoint.

    It is important to note that the /adminconsent endpoint is for organization-level consent, while the /authorize endpoint allows the logged-in user to grant user consent.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

    1 person found this answer helpful.

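As an added example (not part of the question or of either answer), the following Python builds the two redirect URLs the accepted answer compares, the dedicated /v2.0/adminconsent endpoint and the /oauth2/v2.0/authorize endpoint with scope=https://graph.microsoft.com/.default, and validates the callback each one produces. The tenant, client ID, redirect URI and state values are constructed placeholders; the PKCE helper is plain RFC 7636 S256 added for a correct auth code request, and prompt=consent is my assumption for forcing the consent UI (the answer only requires signing in as an admin with the .default scope).

```python
"""Two ways to collect tenant-wide admin consent for an app that needs
Microsoft Graph application permissions, as discussed in the thread above:
  1. the dedicated /v2.0/adminconsent endpoint, and
  2. the /oauth2/v2.0/authorize endpoint (auth code flow) with
     scope=https://graph.microsoft.com/.default, signed in as an admin.
Both builders share one `state` value that the callback parser checks.
All tenant/client/redirect values below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"
GRAPH_DEFAULT = "https://graph.microsoft.com/.default"


def make_pkce_pair(verifier=None):
    """RFC 7636 S256 code verifier/challenge (verifier generated if not given)."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_adminconsent_url(tenant, client_id, redirect_uri, state, scope=GRAPH_DEFAULT):
    """Option 1: organization-level consent only; no tokens come back."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "state": state, "scope": scope}
    return f"{AUTHORITY}/{tenant}/v2.0/adminconsent?{urlencode(params)}"


def build_authorize_url(tenant, client_id, redirect_uri, state, code_challenge,
                        scope=GRAPH_DEFAULT, prompt="consent"):
    """Option 2: auth code request. With the .default scope an admin who signs in
    is shown every permission the app registration declares (delegated and
    application) plus the 'consent on behalf of your organization' checkbox.
    prompt=consent is an assumption here: it forces the consent UI even if the
    user consented before; the answer above only requires the .default scope."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,
        "state": state,
        "prompt": prompt,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def query_params(url):
    """Single-valued view of a URL's query string (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def parse_callback(redirect_url, expected_state):
    """Validate the redirect back to the app from either endpoint.

    Returns {"kind": "adminconsent", "tenant": ..., "scope": ...} for the
    /adminconsent endpoint (admin_consent=True) or {"kind": "authorize",
    "code": ...} for /authorize. Raises on state mismatch or an error response.
    """
    q = query_params(redirect_url)
    # Check state first: it binds the callback to the session that started the
    # flow and is the CSRF protection for both endpoints.
    if not hmac.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in q:
        raise PermissionError(f"{q['error']}: {q.get('error_description', '')}")
    if q.get("admin_consent") == "True":
        return {"kind": "adminconsent", "tenant": q.get("tenant"), "scope": q.get("scope")}
    if "code" in q:
        # The code proves sign-in, not that the org-wide grant happened; confirm
        # application permissions via the service principal's app role
        # assignments (Graph or the Entra portal) before relying on them.
        return {"kind": "authorize", "code": q["code"]}
    raise ValueError("callback carries neither a code, admin_consent nor an error")


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    client = "00000000-0000-0000-0000-000000000001"  # placeholder app (client) ID
    cb = "https://app.example.test/callback"          # placeholder redirect URI
    print(build_adminconsent_url("contoso.onmicrosoft.com", client, cb, state))
    print(build_authorize_url("contoso.onmicrosoft.com", client, cb, state, challenge))
```

The practical difference the parser makes visible: the /adminconsent callback carries admin_consent=True and the tenant, so the app can record the grant immediately, whereas the /authorize callback only carries an authorization code. If you rely on the single-step flow, check the app's service principal for the expected application permissions before treating the tenant as onboarded, and reject any callback whose state does not match the session in both flows.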
1 additional answer

  1. CarlZhao-MSFT 42,031 Reputation points
    2024-04-12T08:59:43.4366667+00:00

    Hi @KrzysztofWroblewski-0311

    No, the /authorize endpoint can only grant user or admin consent for the logged-in user, which is specific to delegated permissions and not application permissions.

    Application permissions are organization-wide and can only be granted admin consent by the /adminconsent endpoint or the Azure portal.


    If the reply helps, don't forget to accept it as an answer. Thanks!

