AzureAD Custom Consent Policy (Permission Grant Policy / Authorization Policy) broken?

Ben Hatton 1 Reputation point
2021-11-07T08:51:06.373+00:00

Does anyone here have a working custom consent policy applied to the default user role? Is it broken?

I tested this about 6 months ago and it was working perfectly and showed that users could be given the ability to self-consent to a specific set of delegated permissions, including 'admin' permissions like Files.ReadWrite. Now, when making a custom policy with an 'includes' PermissionGrantConditionSet, users are blocked from self-consenting to any permissions, whether in the policy or not, whether they are marked as admin or not (e.g. for the sample below, the user cannot consent to User.Read or openid). See below for sample code (I have redacted it, so hopefully I didn't break it in the process). APAC Azure support is useless and I can't get this escalated past level 1.

```powershell
# Connect to the tenant first (AzureAD module)
Connect-AzureAD

# Microsoft Graph service principal (the resource) and the client app being whitelisted
$spGraph = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
New-AzureADServicePrincipal -AppId '{xxx}'  # might get an error here if already in the tenant
$spApp = Get-AzureADServicePrincipal -Filter "AppId eq '{xxx}'"

# Create the custom permission grant policy and assign it to the default user role
New-AzureADMSPermissionGrantPolicy -Description 'All whitelisted applications approved for delegated consent by end users' -DisplayName 'Default User Consent Whitelist' -Id 'whitelist-default'
Set-AzureADMSAuthorizationPolicy -Id 'authorizationPolicy' -PermissionGrantPolicyIdsAssignedToDefaultUserRole @('managePermissionGrantsForSelf.whitelist-default')

# Resolve the delegated permission (scope) values to their GUIDs on the resource
$resource = $spGraph
$permissions = $resource.Oauth2Permissions
$perms = @()
$perms += ($permissions | Where-Object { $_.Value -eq 'Files.ReadWrite' }).Id
$perms += ($permissions | Where-Object { $_.Value -eq 'User.Read' }).Id
$perms += ($permissions | Where-Object { $_.Value -eq 'openid' }).Id

$apps = @()
$apps += $spApp.AppId

# 'includes' condition set: these client apps may be granted these delegated permissions on Graph
New-AzureADMSPermissionGrantConditionSet -PolicyId 'whitelist-default' -ConditionSetType 'includes' -PermissionType 'delegated' -ClientApplicationIds $apps -ResourceApplication $resource.AppId -Permissions $perms
```

Testing the effect by using a URL like this: https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/authorize?client_id={xxx}&response_type=code&scope=https%3A%2F%2Fgraph.microsoft.com%2FUser.Read
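A way to read back what the post above configures and check whether a specific user-consent request (client app + delegated scope) would be matched by the policies assigned to the default user role. This is an added example, not code from the original post or from Microsoft; it uses the same AzureAD module cmdlets as the question and assumes an existing Connect-AzureAD session. The function name, its parameters and the `{xxx}` placeholder are hypothetical, and the matching logic is a simplification: a request is treated as allowed when at least one assigned policy has an 'includes' set matching it and no 'excludes' set in that same policy matches, with the tenant, publisher, verified-publisher and classification conditions counted as matching only when left at their 'all' / unset defaults.

```powershell
# Added example (not from the original post): evaluate a user-consent request against the
# permission grant policies assigned to the default user role. Assumes the AzureAD module
# and an existing Connect-AzureAD session. Function name and parameters are hypothetical.
function Test-UserConsentAllowed {
    param(
        [Parameter(Mandatory)][string]$ClientAppId,   # AppId of the app the user is consenting to
        [Parameter(Mandatory)][string]$Scope,         # delegated scope value, e.g. 'User.Read'
        [string]$ResourceAppId = '00000003-0000-0000-c000-000000000000'  # Microsoft Graph
    )

    # Resolve the scope value to its permission GUID on the resource service principal
    $resourceSp = Get-AzureADServicePrincipal -Filter "AppId eq '$ResourceAppId'"
    $permId = ($resourceSp.Oauth2Permissions | Where-Object { $_.Value -eq $Scope }).Id
    if (-not $permId) { throw "Scope '$Scope' is not published by resource $ResourceAppId" }

    # Policies in effect for ordinary users; strip the 'managePermissionGrantsForSelf.' prefix
    $authz = Get-AzureADMSAuthorizationPolicy
    $policyIds = @($authz.PermissionGrantPolicyIdsAssignedToDefaultUserRole) |
        ForEach-Object { ($_ -split '\.', 2)[-1] }

    # A condition set matches when every one of its conditions matches the request.
    # Simplification (assumption): tenant/publisher/verified-publisher/classification
    # conditions count as matching only at their 'all' / unset defaults.
    $setMatches = {
        param($set)
        ($set.PermissionType -eq 'delegated') -and
        ($set.ResourceApplication -eq 'any' -or $set.ResourceApplication -eq $ResourceAppId) -and
        ($set.ClientApplicationIds -contains 'all' -or $set.ClientApplicationIds -contains $ClientAppId) -and
        ($set.Permissions -contains 'all' -or $set.Permissions -contains $permId) -and
        ($set.PermissionClassification -eq 'all') -and
        ($set.ClientApplicationTenantIds -contains 'all') -and
        ($set.ClientApplicationPublisherIds -contains 'all') -and
        (-not $set.ClientApplicationsFromVerifiedPublisherOnly)
    }

    $matchedIncludes = @()
    $matchedExcludes = @()
    $allowed = $false
    foreach ($policyId in $policyIds) {
        $incHit = $false
        $excHit = $false
        # foreach over $null iterates zero times, so an empty condition-set list is fine
        foreach ($set in (Get-AzureADMSPermissionGrantConditionSet -PolicyId $policyId -ConditionSetType 'includes')) {
            if (& $setMatches $set) { $incHit = $true; $matchedIncludes += "$policyId/$($set.Id)" }
        }
        foreach ($set in (Get-AzureADMSPermissionGrantConditionSet -PolicyId $policyId -ConditionSetType 'excludes')) {
            if (& $setMatches $set) { $excHit = $true; $matchedExcludes += "$policyId/$($set.Id)" }
        }
        # A single policy allows the grant when it is included and not excluded;
        # the request is allowed when any assigned policy allows it
        if ($incHit -and -not $excHit) { $allowed = $true }
    }

    [pscustomobject]@{
        ClientAppId      = $ClientAppId
        Scope            = $Scope
        PermissionId     = $permId
        PoliciesInEffect = $policyIds
        MatchedIncludes  = $matchedIncludes
        MatchedExcludes  = $matchedExcludes
        Allowed          = $allowed
    }
}

# Usage: the request from the question (User.Read on Graph for the app '{xxx}', a placeholder)
Test-UserConsentAllowed -ClientAppId '{xxx}' -Scope 'User.Read'
```

If `MatchedIncludes` comes back empty for a request that should be allowed, compare the `PermissionId` shown against the `Permissions` list of the 'includes' set and the `ClientApplicationIds` against the client's AppId (not its object id): a mismatch there is the usual reason an 'includes' set silently matches nothing, which leaves users blocked for every scope just as described in the question.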
