RolandVaughn-5814 asked EddieRowe-1108 answered

Approve app consent requests only for requesting user?

I am testing having users request access to enterprise applications. I am worried about a user mistakenly giving a malicious app access to their data. However, it appears that the only approval option is to grant admin consent on behalf of the entire organization, even if the original request was only for user consent. That doesn't seem more secure. Shouldn't there be an option to only grant user consent on behalf of the requesting user?

Some clarification: In the Azure Portal under Enterprise applications > User Settings, there is an option, "Users can consent to apps accessing company data on their behalf". By default, this is set to "yes" and allows a user to provide user consent for only themselves if that is what the app requires. When I set this option to "No", the user has to request access to the app.

These requests are approved under Enterprise Applications > Admin consent requests. However, I can only provide admin consent for the entire directory even though the application only requires user consent and only one user wants it.

I think I should be able to grant consent for just the requesting user or be able to select the users the app has rights to.

azure-active-directory
amanpreetsingh-msft answered RolandVaughn-5814 commented

@RolandVaughn-5814, if the user has submitted a consent request for admin approval and the administrator chooses "Approve and consent", this consent is provided under the admin context. That is why it is considered admin consent, not user consent, and applies to the entire tenant. As of now it is not possible for the administrator, as an approver, to provide consent for a specific user. You can post your feedback regarding this at https://feedback.azure.com.


Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.


Thanks. I will post feedback.

JaiVerma-7010 answered

There are two types of permissions and consent: user consent and admin consent. If an application needs basic permissions like sign-in and reading the basic profile, user consent is enough and the user can add the application for himself. In that case you will find only the user who granted consent assigned to the service principal. Some applications require permissions where admin consent is needed. In that case only an admin can consent, either for himself or for the entire organization.

Check the Microsoft Graph Explorer application: any user can consent and add it, and you will find that only those users are assigned.

soumi-MSFT answered

@RolandVaughn-5814, if you have provided delegated permissions which do not require admin consent, but when the user tries to log in it still asks the user to log in with an admin account, this is expected to happen for some apps if they meet the criteria. This is documented as one of the "unexpected consent errors" here: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-sign-in-unexpected-user-consent-error#requesting-not-authorized-permissions-error

  • AADSTS90093: <clientAppDisplayName> is requesting one or more permissions that you are not authorized to grant. Contact an administrator, who can consent to this application on your behalf.

  • AADSTS90094: <clientAppDisplayName> needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

We term those permissions illicit permissions, and if the control in the backend identifies any permission that looks illicit, it will ask the user to get admin consent for the delegated permissions too.

That said, if this is a valid, non-malicious app we do want to make sure the developer is not blocked on this going forward. In order to get them unblocked immediately, the consent request can be sent to an admin for review and potential approval.

In this case, an audit event will also be logged with a Category of "ApplicationManagement", Activity Type of "Consent to application" and Status Reason of "Risky application detected".

We have a bug right now where the Status Reason shows up as a long value, but it's very obvious that it correlates to this specific behavior.

The current status reason will be "Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException".

This is now the default behavior for OAuth apps seeking user consent, based on the update pushed to all tenants as part of the security measure.


Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.
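The audit event described in the answer above (category "ApplicationManagement", activity "Consent to application", status reason currently shown as the raw exception name) is the signal a defender can alert on. The following is an added example, not code from the original thread or from Microsoft: it scans a constructed set of records shaped like the Microsoft Graph directoryAudit resource and returns the user/app pairs whose consent attempt was blocked as risky. The sample records and their values are made up for this example.

```python
import json

# Constructed sample directoryAudit records (field names follow the Microsoft
# Graph directoryAudit resource; all values are invented for this example).
SAMPLE_AUDIT_LOG = json.dumps([
    {"id": "a1", "category": "ApplicationManagement",
     "activityDisplayName": "Consent to application", "result": "failure",
     "resultReason": "Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "Contoso Mail Sync", "type": "ServicePrincipal"}]},
    {"id": "a2", "category": "ApplicationManagement",
     "activityDisplayName": "Consent to application", "result": "success",
     "resultReason": "",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"displayName": "Graph Explorer", "type": "ServicePrincipal"}]},
    {"id": "a3", "category": "UserManagement",
     "activityDisplayName": "Update user", "result": "success", "resultReason": "",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"displayName": "carol", "type": "User"}]},
])

# Both spellings of the status reason mentioned in the thread: the intended
# text and the raw exception name that currently appears instead.
BLOCKED_REASONS = (
    "Risky application detected",
    "UserConsentBlockedForRiskyAppsException",
)

def is_blocked_consent(event):
    """True when the event is a user consent attempt that Azure AD blocked as risky."""
    if event.get("category") != "ApplicationManagement":
        return False
    if event.get("activityDisplayName") != "Consent to application":
        return False
    reason = event.get("resultReason") or ""
    return any(marker in reason for marker in BLOCKED_REASONS)

def blocked_consent_attempts(audit_json):
    """Return (user, app) pairs for every blocked consent in a directoryAudit JSON array."""
    findings = []
    for event in json.loads(audit_json):
        if not is_blocked_consent(event):
            continue
        user = event.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")
        apps = [t["displayName"] for t in event.get("targetResources", [])
                if t.get("type") == "ServicePrincipal"]
        findings.append((user, apps[0] if apps else "?"))
    return findings
```

Each pair returned is a user who tried to consent to an app the backend flagged, which is exactly the request an admin should review rather than approve tenant-wide by reflex.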

RolandVaughn-5814 answered soumi-MSFT commented

Some clarification: In the Azure Portal under Enterprise applications > User Settings, there is an option, "Users can consent to apps accessing company data on their behalf". By default, this is set to "yes" and allows a user to provide user consent for only themselves if that is what the app requires. When I set this option to "No", the user has to request access to the app.

These requests are approved under Enterprise Applications > Admin consent requests. However, I can only provide admin consent for the entire directory even though the application only requires user consent and only one user wants it.

I think I should be able to grant consent for just the requesting user or be able to select the users the app has rights to.


@RolandVaughn-5814, you are correct, those options do allow users to consent to the delegated permissions that are available on the application for the user to provide their consent on. But the update that I shared in my previous response overrides even this. A better fix for this is to always opt for the option "Admin Consent requests".

This is what we are recommending to go with for now.

Do let us know if this helps, and if there are any more queries around this, please let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

EddieRowe-1108 answered

@RolandVaughn-5814 Did you get this figured out? I am seeing the same thing that you see and I can only approve an app at the organization level. The Azure AD portal doesn't let me block or deny the request... the only option enabled is to "Review permissions and consent". Another web page gives me the impression we should be able to allow an app just for ONE user, but when you follow the hyperlink the page was written for developers or by someone who has no idea how the web page we are using works. I don't want to build anything... just looking for a way to protect the organization and IF push comes to shove, allow a specific app for a specific user.

"Instead of granting consent for the entire organization, an administrator can also use the Microsoft Graph API to grant consent to delegated permissions on behalf of a single user. For more information, see Get access on behalf of a user."

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/manage-consent-requests
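The per-user alternative quoted above is a Microsoft Graph oauth2PermissionGrant whose consentType is "Principal" (one user) instead of the "AllPrincipals" that the portal's admin-consent button creates. The following is an added example, not code from the thread or from Microsoft: it builds that grant body for a single user, shows the Graph call that would submit it (assumed to be run with a token holding DelegatedPermissionGrant.ReadWrite.All, obtained separately), and sorts a constructed list of existing grants into tenant-wide versus per-user so the tenant-wide ones can be reviewed first. The ids in the sample are placeholders, not real object ids.

```python
import json
import urllib.request

GRAPH_GRANTS = "https://graph.microsoft.com/v1.0/oauth2PermissionGrants"

def single_user_grant(client_sp_id, resource_sp_id, user_id, scopes):
    """Body for a grant that consents to delegated scopes for ONE user.
    Ids are object ids of the service principals / user, not application ids."""
    if not scopes:
        raise ValueError("at least one delegated scope is required")
    return {
        "clientId": client_sp_id,      # object id of the app's service principal
        "consentType": "Principal",    # per-user, unlike the portal's "AllPrincipals"
        "principalId": user_id,        # the requesting user's object id
        "resourceId": resource_sp_id,  # e.g. the Microsoft Graph service principal
        "scope": " ".join(sorted(set(scopes))),
    }

def post_grant(body, access_token):
    """Submit the grant to Graph. Assumes the caller already holds a token with
    DelegatedPermissionGrant.ReadWrite.All; not executed in the offline demo."""
    req = urllib.request.Request(
        GRAPH_GRANTS, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def review_grants(grants):
    """Split grants (as returned by GET on the same endpoint) into tenant-wide
    and per-user entries so an admin can audit the tenant-wide ones first."""
    tenant_wide, per_user = [], []
    for g in grants:
        scopes = g.get("scope", "").split()
        if g.get("consentType") == "AllPrincipals":
            tenant_wide.append((g["clientId"], scopes))
        else:
            per_user.append((g["clientId"], g.get("principalId"), scopes))
    return tenant_wide, per_user

# Constructed sample grants; ids are placeholders, not real object ids.
SAMPLE_GRANTS = [
    {"clientId": "sp-mailsync", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-graph", "scope": "User.Read Mail.ReadWrite"},
    {"clientId": "sp-explorer", "consentType": "Principal", "principalId": "user-bob",
     "resourceId": "sp-graph", "scope": "User.Read"},
]
```

To answer the original question's case, `post_grant(single_user_grant(app_sp, graph_sp, requesting_user, ["User.Read"]), token)` consents only for that user, while a tenant-wide approval from the portal would appear in `review_grants` output under the tenant-wide list.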
