How can I test if admin consent has already been given

2
votes

We are developing an Office Add-in that authenticates with an organisational account to Azure AD. The Add-in needs administrative consent. So if an administrator is logged on, he should be guided to express his administrativ consent.

We are using OAuth to authenticate:

https://login.microsoftonline.com/common/oauth2/authorize?response_type=id_token&client_id=<clientId>&redirect_uri=<redirectUri>

and we request admin consent by appending &prompt=admin_consent to that URL

Question 1. How can we test if that admin consent has already been successfully given, so we only need to ask the administrator to give consent if he didn't previously?

Question 2. How can we check if an updated version of the Add-in possibly now needs more permissions and inform users and administrator about that new requirements?

2
oauthazure-active-directorymulti-tenantmicrosoft-graph-api

2 Answers

4
votes

tl;dr

Yes, you can do this. You'll want to call this MS Graph endpoint, and inspect the oAuth2PermissionGrant object for the consentType field being set to AllPrincipals.

Some Background

Using the Microsoft Graph, you can identify if admin consent was granted. When Admin Consent is granted, there are OAuth2.0 permission grants written on the app.

Inside each permission grant, there's a field that indicates the permission level of the grant. For Admin Consent, you would be looking for AllPrincipals.

Detailed Steps

  1. Wire up your app to call the Microsoft Graph. Make sure it's requesting all the required permissions to call the required endpoint. This is different in the case of a delegated (on behalf of the end user) or an app role.

App Role: Directory.Read.All & Directory.ReadWrite.All

Delegated Permission: Diretory.Read.All, Directory.ReadWrite.All, or Directory.AccessAsUser.All in order of least to most privileged.

  1. Call the GET /oAuth2PermissionGrant endpoint of MS Graph.

This returns back an oAuth2PermissionGrant object with the details you're looking for.

  1. Inspect the response for the consentType field. You may need to enumerate all the grants looking for the value AllPrincipals.
1
votes

IMHO, the custom implementation would be a better choice for your usecase

The steps could be the following

  1. User Logs in for the 1st time

  2. Your App / Add-in checks the consent in the internal memory / db

  3. No Consent will be found, which will redirect the user to the consent page in Azure AD

  4. After the user approves of his admin access, we typically get the status in the response back from Azure AD like the one below,

    GET http://localhost/myapp/permissions?tenant=a8990e1f-ff32-408a-9f8e-78d3b9139b95&state=12345&admin_consent=True

  5. The App now stores the admin consent grant status in the DB.

  6. In case in later point of time, the app / add-in needs more permissions, just flush out the stored value for the consent and the users so that the next login takes care to ensure that they agree to the new consent. The new consent request will be sending additional scopes to the AD which will in turn be shown to the user in the consent page.

In case of reading more about the steps, please click here