2
votes

I have an application registration in Azure AD which has some Graph API delegated permissions set for it.

The application is simply a page in SharePoint that is making the Graph calls, authenticating with the ADAL.js library.

I now want to make an additional Graph call on the page to a new Graph API endpoint so I need to assign the application an additional permission. I set this permission in Azure AD and save. However, the user accessing the SharePoint page is never asked to reconsent to the new permissions, therefore the new Graph call fails with a 401 Unauthorised message.

I have tried this with a number of different endpoints and permissions, and I am sure I am setting the correct permissions in the application.

How can I have the consent dialog appear for users automatically when the application permissions change?

Admin consent is not an option.

1
Are you using Azure AD v1 or v2? – Gaurav Mantri
Sorry, I'm not sure - how can I check? I'm using the new Azure interface, if that's what you're asking... – Submits
I have just discovered something interesting: the app appears at aad.portal.azure.com but not at apps.dev.microsoft.com. I'm not sure what the difference is, but this may answer your question. – Submits
In this case you're using Azure AD v1. Let me propose a solution in a bit. – Gaurav Mantri

1 Answer

5
votes

I remember having a discussion about this with a member of Azure AD team some time back and this is what he had suggested at that time (though I never tried it so it may not work).

Essentially what he suggested is that when you get an Unauthorized (401) error, you redirect the user to Azure AD login again, i.e. follow the OAuth authorization flow again but include prompt=consent in the sign-in URI. This will present the user with a consent page showing the latest permissions. Once the user consents to the latest permissions, you can redirect the user back to your application. You may find this link helpful for understanding the different values of the prompt parameter: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-openid-connect-code.

Again, I have not tried this personally so it may not work. If it doesn't, please let me know and I will remove my answer.
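The flow the answer describes, as an added browser-side example that is not part of the original question or answer and does not use ADAL.js itself: on a 401 from the Graph call, the page builds an Azure AD v1 authorize URL (login.microsoftonline.com/{tenant}/oauth2/authorize, the endpoint the linked document covers) that carries prompt=consent, and sends the user there so the consent page lists the newly added delegated permissions. The tenant, client id, redirect URI and Graph resource are placeholders, and the state and nonce values are assumed to be generated by the caller.

```javascript
// Added example (not the original poster's or answerer's code).
// Re-runs the Azure AD v1 authorization request with prompt=consent after a
// 401 from Graph, so the user is shown the updated consent dialog.

const AAD_V1_HOST = 'https://login.microsoftonline.com';

// Build the v1 authorize URL. All identifiers here are assumed placeholders.
// `state` and `nonce` must be unguessable random values generated by the caller
// and stored (e.g. sessionStorage) so they can be verified when AAD redirects back.
function buildConsentUrl({ tenant, clientId, redirectUri, resource, state, nonce }) {
  for (const [k, v] of Object.entries({ tenant, clientId, redirectUri, resource, state, nonce })) {
    if (!v) throw new Error(`missing parameter: ${k}`);
  }
  const url = new URL(`${AAD_V1_HOST}/${encodeURIComponent(tenant)}/oauth2/authorize`);
  url.searchParams.set('client_id', clientId);
  // id_token is what ADAL.js requests for an interactive sign-in (implicit grant).
  url.searchParams.set('response_type', 'id_token');
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('resource', resource);
  url.searchParams.set('prompt', 'consent'); // forces the consent page even for an already-consented user
  url.searchParams.set('state', state);
  url.searchParams.set('nonce', nonce);
  return url.toString();
}

// Decide what to do with a Graph response status. Returns the consent URL to
// redirect to on 401 (the case the answer describes), or null when no redirect is needed.
// Only the 401 path adds prompt=consent; a normal sign-in must not, or every user
// would be re-prompted on every visit.
function handleGraphResponse(status, consentParams) {
  if (status === 401) {
    return buildConsentUrl(consentParams);
  }
  return null;
}

// Call Graph and redirect to the consent page if the call is rejected.
// `fetchImpl` is injected so this can run against a constructed fake below.
async function callGraphOrReconsent(fetchImpl, graphUrl, accessToken, consentParams) {
  const resp = await fetchImpl(graphUrl, {
    headers: { Authorization: `Bearer ${accessToken}` },
  });
  const redirectTo = handleGraphResponse(resp.status, consentParams);
  if (redirectTo) {
    if (typeof window !== 'undefined') window.location.assign(redirectTo);
    return { ok: false, redirectTo };
  }
  return { ok: true, data: await resp.json() };
}

// Constructed sample values and a fake fetch that returns 401, standing in for
// the Graph endpoint the new permission was added for.
const SAMPLE_CONSENT_PARAMS = {
  tenant: 'contoso.onmicrosoft.com',
  clientId: '00000000-0000-0000-0000-000000000000',
  redirectUri: 'https://contoso.sharepoint.com/sites/app/SitePages/Home.aspx',
  resource: 'https://graph.microsoft.com',
  state: 'replace-with-random-state',
  nonce: 'replace-with-random-nonce',
};

const fakeUnauthorizedFetch = async () => ({ status: 401, json: async () => ({}) });

if (typeof module !== 'undefined' && require.main === module) {
  callGraphOrReconsent(fakeUnauthorizedFetch, 'https://graph.microsoft.com/v1.0/me/calendars',
    'expired-or-underscoped-token', SAMPLE_CONSENT_PARAMS)
    .then((r) => console.log(r));
}
```

When AAD redirects back to the page, the handler must check that the returned state matches the stored one before accepting the new tokens; without that check the consent round trip can be used to log the user into an attacker-chosen session. The redirect URI also has to be one registered on the application, or AAD will refuse the request before the consent page is shown.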