2 votes

Today it appears the only way to grant OAuth consent as an admin for an Azure Active Directory application is via the Azure portal. Is there any way to do this programmatically via PowerShell? If not, are there any plans to add this support in the future?

2
Steve, I've written a PowerShell function to set permissions on an Azure AD application in general (delegated permissions and application permissions). See github.com/Azure-Samples/… I'm not sure though that this will also provide admin consent. – Jean-Marc Prieur
Awesome, that is very helpful. Thank you for sharing that. – Steve Winward
You will need to create OAuth2PermissionGrants for delegated permissions (with consentType="AllPrincipals" and principalId=null) and AppRoleAssignments for app permissions (on the app's service principal). I believe you can do the second one with New-AzureADServiceAppRoleAssignment; not sure if there is a cmdlet for the first. Anyway, this is what the button does. – juunas
@juunas which library does that commandlet you reference come from? I don't see that one in the Azure SDK for PowerShell. – Steve Winward
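The two objects described in the comments above (an oauth2PermissionGrant with consentType "AllPrincipals" for delegated permissions, and appRoleAssignments on the app's service principal for application permissions) can be created from PowerShell. The script below is an added example, not code from anyone in this thread; it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns) rather than the AzureAD module the comments mention, and it assumes the caller is a tenant admin who can consent to the listed Graph scopes. The parameter names, the default resource (Microsoft Graph's well-known appId) and the sample scope are placeholders chosen for illustration.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns
# Added example: grant tenant-wide admin consent to an app the way the portal button does.
# Assumptions: Microsoft Graph PowerShell SDK installed; caller holds an admin role that may
# consent to the scopes requested in Connect-MgGraph. GUIDs and scope names are placeholders.
param(
    [Parameter(Mandatory)] [string] $ClientAppId,                        # appId of the app receiving consent
    [string]   $ResourceAppId   = '00000003-0000-0000-c000-000000000000', # resource API; default: Microsoft Graph
    [string[]] $DelegatedScopes = @('User.Read'),                         # delegated scopes -> one oauth2PermissionGrant
    [string[]] $AppRoles        = @()                                     # application roles -> appRoleAssignments
)

Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All' | Out-Null

function Get-SpByAppId([string] $AppId) {
    # Consent is recorded against service principals, not application registrations.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'" | Select-Object -First 1
    if (-not $sp) { throw "No service principal for appId $AppId exists in this tenant" }
    return $sp
}

$client   = Get-SpByAppId $ClientAppId
$resource = Get-SpByAppId $ResourceAppId

# --- Delegated permissions: a single oauth2PermissionGrant, consentType=AllPrincipals, no principalId ---
# Refuse scope names the resource does not publish: a typo would otherwise be stored and granted tenant-wide.
$published = @($resource.Oauth2PermissionScopes | ForEach-Object { $_.Value })
$unknown   = @($DelegatedScopes | Where-Object { $_ -notin $published })
if ($unknown.Count -gt 0) { throw "Resource $ResourceAppId does not expose scope(s): $($unknown -join ', ')" }

$existing = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($client.Id)'" |
            Where-Object { $_.ConsentType -eq 'AllPrincipals' -and $_.ResourceId -eq $resource.Id } |
            Select-Object -First 1
if ($existing) {
    # A grant for this client/resource pair already exists: merge scopes instead of creating a duplicate.
    $merged = @(($existing.Scope -split ' ') + $DelegatedScopes | Where-Object { $_ } | Sort-Object -Unique) -join ' '
    Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $existing.Id -Scope $merged
    Write-Host "Updated tenant-wide delegated grant: $merged"
}
elseif ($DelegatedScopes.Count -gt 0) {
    New-MgOauth2PermissionGrant -ClientId $client.Id -ConsentType 'AllPrincipals' `
        -ResourceId $resource.Id -Scope ($DelegatedScopes -join ' ') | Out-Null
    Write-Host "Created tenant-wide delegated grant: $($DelegatedScopes -join ' ')"
}

# --- Application permissions: one appRoleAssignment per role, assigned to the client's own service principal ---
foreach ($roleName in $AppRoles) {
    $role = $resource.AppRoles | Where-Object { $_.Value -eq $roleName -and $_.AllowedMemberTypes -contains 'Application' } |
            Select-Object -First 1
    if (-not $role) { throw "Resource $ResourceAppId has no application role named '$roleName'" }

    $already = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $client.Id |
               Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $resource.Id }
    if ($already) { Write-Host "App role '$roleName' already assigned"; continue }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $client.Id -PrincipalId $client.Id `
        -ResourceId $resource.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Assigned app role '$roleName'"
}
```

Two points worth keeping in mind when running something like this: an AllPrincipals grant consents on behalf of every user in the tenant, so the scope list should be reviewed with the same care as a click on the portal button, and the script validates each requested scope and role against what the resource service principal actually publishes so that a misspelled name fails loudly rather than being stored. The legacy AzureAD module cmdlet named in the comments, New-AzureADServiceAppRoleAssignment, covers only the application-permission half of this.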

2 Answers

0 votes

It seems that you want to grant the admin consent for the Azure AD app.

It is easy to give the admin consent for the app; we just need to add the additional prompt parameter with the value admin_consent. For example, below is a request to give the admin consent:

https://login.microsoftonline.com/{tenant}/oauth2/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&resource=https%3A%2F%2Fservice.contoso.com%2F
&state=12345
&prompt=admin_consent

You can just visit this URL to give the admin consent for the app (6731de76-14a6-49ae-97bc-6eba6914391e). And if you want to implement it through PowerShell, we just need to navigate to this URL through PowerShell. For example, we can use the Start-Process cmdlet like below:

Start-Process -FilePath  "https://login.microsoftonline.com/{tenant}/oauth2/authorize?client_id=6731de76-14a6-49ae-97bc-6eba6914391e&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&response_mode=query&resource=https%3A%2F%2Fservice.contoso.com%2F&state=12345&prompt=admin_consent"

For more detail about the parameters in the OAuth protocol, you can refer to the link below:

Authorize access to web applications using OAuth 2.0 and Azure Active Directory

And it is different to grant the admin consent for the Azure AD V2.0 endpoint; you can refer to the link below about granting the admin consent for the Azure AD V2.0 endpoint.

Using the admin consent endpoint

0 votes

This should work:

az ad app permission admin-consent --id $appId