Admin consent via token grant flow for Graph application permissions

KrzysztofWroblewski-0311 20 Reputation points
2024-04-12T08:35:55.6166667+00:00

The documentation for granting admin consent (in our case, to grant application permissions) instructs us to redirect the user to the admin consent endpoint (/adminconsent).

It seems that it's also possible to prompt for admin consent as part of an OAuth 2 token grant flow, e.g. the auth code flow, skipping the admin consent endpoint altogether. The token grant flow is useful because it could allow us to take care of admin consent and obtain ID/access tokens in a single step, resulting in simpler UX.

Could you confirm that using the /authorize endpoint to complete admin consent for granting application permissions is a valid approach?

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Graph

Accepted answer
  1. CarlZhao-MSFT 46,376 Reputation points
    2024-04-15T09:36:22.46+00:00

    Hi @KrzysztofWroblewski-0311

    Yes, based on my testing, I can confirm that this is the expected behavior.

    When you log in as an administrator to the /authorize endpoint and set the scope to https://graph.microsoft.com/.default, your administrator will be able to grant admin consent on behalf of the organization for all permissions, including application permissions. As such, there is no difference between this and the /adminconsent endpoint.

    It is important to note that the /adminconsent endpoint is for organization-level consent, while the /authorize endpoint allows the logged-in user to grant user consent.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

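The two routes compared in the accepted answer, as an added example that is not code from the thread or from Microsoft: it builds the /oauth2/v2.0/authorize request (scope=https://graph.microsoft.com/.default plus prompt=consent, which is the documented v2 way to force the consent dialog, where an administrator gets the "Consent on behalf of your organization" checkbox) beside the /v2.0/adminconsent request, validates either callback, and then checks a Graph appRoleAssignments response for the application permission actually being granted. The tenant, client ID, redirect URI and service principal object ID are placeholders, and the Graph response is constructed; the one real identifier is the appRoleId of the Graph User.Read.All application permission. The last check matters because receiving an authorization code after /authorize only proves the administrator signed in and consented for themselves; it does not prove the organization-wide box was ticked, so verify the app role assignment before relying on application permissions.

```python
"""Added example (not code from the original thread): build the two consent
flows discussed above, validate their callbacks, and confirm that an
application permission was really granted. All IDs and URLs below except the
User.Read.All app role ID are placeholders (assumptions)."""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

TENANT = "contoso.onmicrosoft.com"                   # placeholder tenant (assumption)
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder app (client) ID (assumption)
REDIRECT_URI = "https://app.example.com/callback"    # placeholder redirect URI (assumption)
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}"
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"

# Object ID of the Microsoft Graph service principal in the tenant: placeholder (assumption).
GRAPH_SP_ID = "11111111-1111-1111-1111-111111111111"
# appRoleId of the Graph *application* permission User.Read.All (a real, well-known value).
USER_READ_ALL_APP = "df021288-bdef-4463-88db-98f22de89214"


def new_state() -> str:
    """Unguessable per-request state; binds the callback to this session (CSRF defence)."""
    return secrets.token_urlsafe(32)


def pkce_pair() -> tuple[str, str]:
    """PKCE verifier/challenge (S256) so an intercepted code cannot be redeemed elsewhere."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def authorize_url_with_consent(state: str, code_challenge: str) -> str:
    """Auth-code request on /oauth2/v2.0/authorize that doubles as the consent prompt.

    scope=.default asks for everything configured on the app registration (delegated and
    application permissions); prompt=consent forces the consent dialog. A Global Admin
    sees the organisation-wide checkbox there; a non-admin only sees user consent.
    """
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": f"openid profile offline_access {GRAPH_DEFAULT_SCOPE}",
        "state": state,
        "prompt": "consent",
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def admin_consent_url(state: str) -> str:
    """The dedicated endpoint from the docs; it returns admin_consent=True, never a code."""
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": GRAPH_DEFAULT_SCOPE, "state": state}
    return f"{AUTHORITY}/v2.0/adminconsent?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> dict:
    """Validate a redirect from either endpoint; raise on state mismatch or an error response."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if not secrets.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "error" in q:
        raise ValueError(f"{q['error']}: {q.get('error_description', '')}")
    if "code" in q:                      # /authorize: redeem at /oauth2/v2.0/token next
        return {"kind": "code", "code": q["code"]}
    if q.get("admin_consent", "").lower() == "true":   # /adminconsent success
        return {"kind": "admin_consent", "tenant": q.get("tenant", "")}
    raise ValueError("callback carried neither a code nor admin_consent=True")


def granted_app_roles(assignments_json: str, resource_sp_id: str) -> set[str]:
    """appRoleIds our service principal holds on one resource, from the body of
    GET /servicePrincipals/{ourSpId}/appRoleAssignments."""
    body = json.loads(assignments_json)
    return {a["appRoleId"] for a in body.get("value", []) if a.get("resourceId") == resource_sp_id}


def has_application_permission(assignments_json: str, role_id: str, resource_sp_id: str) -> bool:
    """True only if tenant-wide admin consent produced the app role assignment we need."""
    return role_id in granted_app_roles(assignments_json, resource_sp_id)


# Constructed sample of a Graph appRoleAssignments response (not captured from a tenant).
SAMPLE_ASSIGNMENTS = json.dumps({"value": [{
    "id": "sample-assignment-id",
    "appRoleId": USER_READ_ALL_APP,
    "principalId": "22222222-2222-2222-2222-222222222222",   # our app's service principal (placeholder)
    "resourceId": GRAPH_SP_ID,
}]})

if __name__ == "__main__":
    state, (verifier, challenge) = new_state(), pkce_pair()
    print("authorize:", authorize_url_with_consent(state, challenge))
    print("adminconsent:", admin_consent_url(state))
    print("User.Read.All granted:", has_application_permission(SAMPLE_ASSIGNMENTS, USER_READ_ALL_APP, GRAPH_SP_ID))
```

After a successful /authorize round trip the code is still redeemed at /oauth2/v2.0/token with the PKCE verifier as usual; the appRoleAssignments check is the part to add, and it should run with the application's own client-credentials token once you expect the grant to exist.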

1 additional answer

  1. CarlZhao-MSFT 46,376 Reputation points
    2024-04-12T08:59:43.4366667+00:00

    Hi @KrzysztofWroblewski-0311

    No, the /authorize endpoint can only grant user or admin consent for the logged-in user, which is specific to delegated permissions and not application permissions.

    Application permissions are organization-wide, and admin consent for them can only be granted through the /adminconsent endpoint or the Azure portal.


    If the reply helps, don't forget to accept it as an answer. Thanks!

