How to grant application permissions with dynamic scope using the admin consent v2 endpoint

Piyumi Perera 121 Reputation points
2021-06-11T05:44:00.267+00:00

I am working on the Azure application registration process to grant application permissions using the v2 endpoint.

I have added "Mail.Read" as an application permission to the Azure app.
I have used the following URL to give admin consent with the scope specified as "Mail.Read".

  https://login.microsoftonline.com/ff63ebda-8bfe-4e14-aba1-504db5c53970/v2.0/adminconsent?client_id=34dbd899-c9fa-415f-8646-28c644baf3ec&scope=https://graph.microsoft.com/Mail.Read&redirect_uri=https://google.com&state=12345

I accept the requested permission without an issue.

[screenshot: 104555-consent-1-mailread.png]

I checked the granted permission after accepting, and the Mail.Read permission is added as a "Delegated Permission", which is not the expected behavior.

[screenshot: 104577-delegated-mailread.png]

Then I tried to give consent using the default scope (https://graph.microsoft.com/.default).

https://login.microsoftonline.com/ff63ebda-8bfe-4e14-aba1-504db5c53970/v2.0/adminconsent?client_id=34dbd899-c9fa-415f-8646-28c644baf3ec&scope=https://graph.microsoft.com/.default&redirect_uri=https://google.com&state=12345

I accept the permissions successfully.

[screenshot: 104612-consent-1-default.png]

Then the permission is added as an application permission, which is the expected behavior.

[screenshot: 104595-apppermission.png]

My requirement is to use the admin consent v2 endpoint with specified scopes to grant application permissions. I need to know the possible way of doing that using the admin consent v2 endpoint.


Accepted answer
  1. AmanpreetSingh-MSFT 56,616 Reputation points
    2021-06-11T08:04:32.883+00:00

    Hi @Piyumi Perera · Thank you for reaching out.

    As of now, the tenant administrator can only approve all application permissions that you have added for your app in the app registration portal. When you specify a particular permission in your call to the adminconsent endpoint, it uses the concept of Dynamic Consent and adds the permissions as delegated permissions. Application permissions don't support dynamic consent as of now, which means new application permissions can't be added dynamically by adding them to the scope parameter in the authentication call or in the call to the adminconsent endpoint. Existing application permissions can't be consented to individually; all application permissions added to the application need to be consented to by the admin.

    Which means, you can use:

    the results will be the same.

    Read more: Request the permissions from a directory admin

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    3 people found this answer helpful.
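Added example (not code from the question or either answer): it builds the v2 adminconsent URL the thread discusses, flags whether the requested scope is the `/.default` form that covers application permissions, and performs the check a practitioner would run afterwards, classifying what the client's service principal holds into application permissions (`appRoleAssignments`) and delegated permissions (`oauth2PermissionGrants`). The tenant, client and appRole ids and the two Graph snapshots are constructed placeholders, not the question's real values.

```python
"""Build an adminconsent v2 URL and check what a tenant admin actually granted.

Added example, not from the thread. Record shapes follow Graph's appRoleAssignments
and oauth2PermissionGrants resources; every id below is a constructed placeholder.
"""
from urllib.parse import urlencode, urlparse, parse_qs

GRAPH = "https://graph.microsoft.com"


def admin_consent_url(tenant_id, client_id, redirect_uri, state, scope=GRAPH + "/.default"):
    """Return the v2 adminconsent URL. Only a /.default scope grants the app's
    pre-registered application permissions; a named scope such as Mail.Read is
    dynamic consent and lands as a delegated permission (the behaviour in the question)."""
    query = urlencode({"client_id": client_id, "scope": scope,
                       "redirect_uri": redirect_uri, "state": state})
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/adminconsent?{query}"


def grants_application_permissions(url):
    """True only when every requested scope is a resource /.default."""
    scope = parse_qs(urlparse(url).query).get("scope", [""])[0]
    return bool(scope) and all(s.endswith("/.default") for s in scope.split())


def classify_grants(app_role_assignments, oauth2_grants, app_roles_by_id):
    """Split a client's grants into application permissions (appRoleAssignments,
    resolved through the resource's appRoles) and delegated permissions
    (oauth2PermissionGrants, whose scope is one space-separated string)."""
    application = sorted(app_roles_by_id.get(a["appRoleId"], "unknown:" + a["appRoleId"])
                         for a in app_role_assignments)
    delegated = sorted({s for g in oauth2_grants for s in g["scope"].split()})
    return {"application": application, "delegated": delegated}


# Constructed sample data shaped like Graph responses; the GUID is a placeholder.
GRAPH_APP_ROLES = {"00000000-0000-0000-0000-00000000a001": "Mail.Read"}
AFTER_NAMED_SCOPE = {   # outcome after consenting with scope=.../Mail.Read
    "appRoleAssignments": [],
    "oauth2PermissionGrants": [{"consentType": "AllPrincipals", "scope": "Mail.Read"}],
}
AFTER_DEFAULT_SCOPE = {  # outcome after consenting with scope=.../.default
    "appRoleAssignments": [{"appRoleId": "00000000-0000-0000-0000-00000000a001"}],
    "oauth2PermissionGrants": [],
}

if __name__ == "__main__":
    url = admin_consent_url("TENANT_ID", "CLIENT_ID", "https://localhost/callback", "12345")
    print(url, grants_application_permissions(url))
    for label, snap in (("named scope", AFTER_NAMED_SCOPE), ("/.default", AFTER_DEFAULT_SCOPE)):
        print(label, classify_grants(snap["appRoleAssignments"],
                                     snap["oauth2PermissionGrants"], GRAPH_APP_ROLES))
```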

1 additional answer

  1. Vasil Michev 106.2K Reputation points MVP
    2021-06-11T07:08:31.567+00:00

    When using the application permission model, you can only have static scope assignments. Only the delegated permission model allows for incremental consent/dynamic scopes.

    1 person found this answer helpful.
