How to handle "Admin Consent" in oauth flow?

Alan Christensen 20 Reputation points
2025-03-21T13:56:59.79+00:00

I have been tasked with making this admin consent flow work in my app. I have seen the option to use the link for the admin to give consent for everyone, but we have some security-conscious customers that don't want to do that: https://login.microsoftonline.com/{tenant_id}/adminconsent?client_id={client_id}

My customer gets logged in and sees this screen: [screenshot]

They enter the justification and click request approval.

[screenshot]

Then the user clicks "Back to app". When they are redirected back to my app I get this request: https://my-app.com/oauth/authorized?error=access_denied&error_subcode=cancel&state={state}d&error_description=AADSTS65004%3a+User+declined+to+consent+to+access+the+app.

As far as my app knows, they declined consent. But the email gets sent to the admin; they approve the consent, and then the user gets an email saying the admin gave consent.

How do I continue from here and finish this flow after consent is given?

Microsoft Security | Microsoft Graph

Answer accepted by question author
CarlZhao-MSFT 46,406 Reputation points
2025-03-24T08:09:45.16+00:00

Hi @Alan Christensen

After obtaining administrator consent, when the user logs in to the application using the /authorize endpoint, there will no longer be an "Administrator approval required" pop-up window; an authorization code will be returned directly in the browser address bar. Next, you can use the authorization code to redeem an access token.

// Line breaks for legibility only

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=00001111-aaaa-2222-bbbb-3333cccc4444
&response_type=code%20id_token
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=fragment
&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read
&state=12345
&nonce=abcde
&code_challenge=YTFjNjI1OWYzMzA3MTI4ZDY2Njg5M2RkNmVjNDE5YmEyZGRhOGYyM2IzNjdmZWFhMTQ1ODg3NDcxY2Nl
&code_challenge_method=S256

Hope this helps.

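The piece the question and answer leave implicit is what the app's redirect handler should do with the two kinds of callback it will see: the AADSTS65004 / error_subcode=cancel redirect when the user requests admin approval, and the plain code redirect once consent exists. The following is an added example (not code from the question, the accepted answer, or Microsoft), showing a server-side handler that binds each login attempt to a state value and PKCE verifier, classifies the callback, and builds the token request for the second pass. It uses response_type=code with response_mode=query rather than the code id_token / fragment combination in the answer's URL, because a fragment is never sent to a server-side callback. The tenant, redirect URI and sample authorization code are hypothetical; the client_id is the placeholder from the answer. One caveat the code makes explicit: the callback produced by "request approval" is identical, as far as this page shows, to a user simply declining, so the handler cannot tell them apart and should treat both as "consent not granted yet, sign in again after approval".

```python
"""Entra ID authorization-code callback handling for the admin-consent case above.
Added example, not code from the question or the accepted answer."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"
# Hypothetical registration values for the example; the client_id is the
# placeholder used in the accepted answer, not a real app.
TENANT = "contoso.onmicrosoft.com"
CLIENT_ID = "00001111-aaaa-2222-bbbb-3333cccc4444"
REDIRECT_URI = "https://my-app.com/oauth/authorized"
SCOPES = "openid offline_access https://graph.microsoft.com/User.Read"


def make_pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636 with the S256 method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def new_login_attempt():
    """Per-attempt secrets the server stores in the user's session before
    redirecting: state (CSRF binding of the callback) and the PKCE verifier."""
    verifier, challenge = make_pkce_pair()
    return {"state": secrets.token_urlsafe(32), "code_verifier": verifier,
            "code_challenge": challenge}


def build_authorize_url(attempt):
    """Authorize URL for one attempt. The same URL is used before and after the
    admin grants consent; only the outcome of the redirect differs."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",   # code only: no id_token in the front channel
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",  # a fragment would never reach the server
        "scope": SCOPES,
        "state": attempt["state"],
        "code_challenge": attempt["code_challenge"],
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{TENANT}/oauth2/v2.0/authorize?" + urlencode(params)


def classify_callback(callback_url, attempt):
    """Map the redirect back to the app onto one of four outcomes.

    ("bad_state", None)           state missing or mismatched: discard the request
    ("code", code)                consent exists: redeem the code
    ("consent_not_granted", desc) AADSTS65004 / subcode cancel: an approval request
                                  looks exactly like a decline, so ask the user to
                                  sign in again after the admin has approved
    ("error", error)              anything else the authorization server reported
    """
    q = parse_qs(urlsplit(callback_url).query)

    def first(key):
        return q.get(key, [None])[0]

    state = first("state")
    if state is None or not secrets.compare_digest(
            state.encode("utf-8"), attempt["state"].encode("utf-8")):
        return ("bad_state", None)
    if first("code"):
        return ("code", first("code"))
    error, subcode = first("error"), first("error_subcode")
    desc = first("error_description") or ""  # untrusted text: never render it unescaped
    if error == "access_denied" and (subcode == "cancel" or desc.startswith("AADSTS65004")):
        return ("consent_not_granted", desc)
    return ("error", error)


def build_token_request(code, attempt, client_secret=None):
    """(url, form body) for the back-channel code redemption. A confidential client
    adds client_secret (or a client assertion); a public client relies on PKCE."""
    body = {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": attempt["code_verifier"],
    }
    if client_secret:
        body["client_secret"] = client_secret
    return f"{AUTHORITY}/{TENANT}/oauth2/v2.0/token", body


def demo():
    """Constructed callbacks modelled on the one in the question: the approval
    request, the post-consent success, and a callback with a forged state."""
    attempt = new_login_attempt()
    s = attempt["state"]
    pending = (f"{REDIRECT_URI}?error=access_denied&error_subcode=cancel&state={s}"
               "&error_description=AADSTS65004%3a+User+declined+to+consent+to+access+the+app.")
    granted = f"{REDIRECT_URI}?code=CONSTRUCTED_AUTH_CODE&state={s}"
    forged = f"{REDIRECT_URI}?code=CONSTRUCTED_AUTH_CODE&state=not-ours"
    return [classify_callback(u, attempt)[0] for u in (pending, granted, forged)]


if __name__ == "__main__":
    print(demo())  # ['consent_not_granted', 'code', 'bad_state']
```

The attempt dictionary must live server-side in the user's session, keyed to the browser that started the login; comparing the returned state against it (in constant time) is what stops an attacker from completing the flow with a code issued to someone else. Since the approval-request callback carries no token or grant, there is nothing for the app to persist from it beyond a note to the user; the "continue from here" step in the question is simply a fresh sign-in, which after admin consent lands in the "code" branch and proceeds to build_token_request.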
