2
votes

We're building a native application that makes use of Azure AD. The application requires some permissions (like read user profile, execute Azure Service Management API etc.).

When a user uses our application the very first time, they are asked to sign in and once they sign in, they are presented with the consent screen (they grant consent to our application). Once the user grants the consent, they can see our app in their Azure AD (under "Applications" tab). So far so good.

Now what this user does is remove our application manually from their Azure AD (again by going under the "Applications" tab). Based on our understanding of the consent model, what this means is that the user has removed the consent for our application.

Now when this user signs in to our application, what we are expecting is that the user is presented with a consent screen again (like the first time). However, the actual behavior is that the user is not presented with such a screen and is simply signed in to our application. Furthermore, when the user goes back into their Azure AD, they don't see our application in the list of consented apps.

So my questions are:

  1. Does Azure AD somehow cache the consent?
  2. If the consent is cached, for how long is this consent cached?
  3. If the consent is cached, is there a way for us to clear this consent programmatically or otherwise?

Any insights into why this is happening would be highly appreciated.

1
The consent is granted with a set of oauth2PermissionGrant objects in the graph, which connect an oauth2Permission (defined on the application) to a service principal in the customer directory, along with of course the user id for whom the consent was done (or All if admin consent was done). You could check for the existence of these grants with graph explorer, and see what happens to them after a user deletes the app. – juunas

Great suggestion regarding checking the consent with graph explorer. Thanks! Will do the same and update the question accordingly. – Gaurav Mantri

1 Answer

2
votes

In Azure Active Directory, user consent is registered as a link between a User Object and a Service Principal Object representing the client application.

This link is represented in the AAD Graph API as an OAuth2PermissionGrant.

You said this:

Now what this user does is remove our application manually from their Azure AD (again by going under the "Applications" tab). Based on our understanding of the consent model, what this means is that the user has removed the consent for our application.

I want to clarify. As you might know, when you create a new AAD Application, you need to keep in mind the difference between an Application Object and a Service Principal.

Very specifically, if you delete the Service Principal representing the client application, all of the consent links connected to that Service Principal will be destroyed, thus effectively removing consent. The same cannot be said if you only remove the Application Object, which is likely where you are running into issues.

I explain here the easiest steps required to revoke consent for an Azure Active Directory Application. Let me know if this helps.
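To make the comment's suggestion (check the grants in the graph) and the answer's point (consent lives on the service principal, not the application object) concrete, here is an added example that is not code from the question, the comments or the answer. It lists the oauth2PermissionGrant objects for a client service principal through Microsoft Graph, which exposes the same object type the answer describes for the AAD Graph API, and shows which grants keep the consent prompt from reappearing for a given user. The endpoint and property names (clientId, consentType, principalId, resourceId, scope) are Microsoft Graph's; the sample grant records, the service principal and user ids, and the assumed token permission (DelegatedPermissionGrant.ReadWrite.All) are illustrative assumptions.

```python
"""Inspect and revoke delegated consent (oauth2PermissionGrant objects) for an
Azure AD client service principal.

Added example, not code from the original page. It targets Microsoft Graph
(https://graph.microsoft.com/v1.0/oauth2PermissionGrants). The caller supplies
a bearer token; assumption: it carries DelegatedPermissionGrant.ReadWrite.All.
The decision logic is kept separate from the HTTP calls so it can be exercised
offline on constructed data.
"""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def graph_request(token, method, path):
    """Minimal Graph call; returns the decoded JSON body (empty dict on 204)."""
    req = urllib.request.Request(GRAPH + path, method=method)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def list_client_grants(token, client_sp_id):
    """All grants in which our service principal is the consented client.
    client_sp_id is the object id of the service principal, not the app id."""
    query = urllib.parse.urlencode({"$filter": "clientId eq '%s'" % client_sp_id})
    path = "/oauth2PermissionGrants?" + query
    grants = []
    while path:
        page = graph_request(token, "GET", path)
        grants.extend(page.get("value", []))
        next_link = page.get("@odata.nextLink")  # Graph paginates the listing
        path = next_link[len(GRAPH):] if next_link else None
    return grants


def grants_covering_user(grants, user_id):
    """Grant ids that let the client act for user_id: the user's own
    'Principal' grant plus any tenant-wide 'AllPrincipals' (admin) grant.
    While any of these exist, sign-in will not show the consent prompt again."""
    return [g["id"] for g in grants
            if g["consentType"] == "AllPrincipals"
            or (g["consentType"] == "Principal" and g.get("principalId") == user_id)]


def user_grants_to_revoke(grants, user_id):
    """Only the user's own 'Principal' grants are candidates when revoking one
    user's consent; an 'AllPrincipals' grant is admin consent and is left alone."""
    return [g["id"] for g in grants
            if g["consentType"] == "Principal" and g.get("principalId") == user_id]


def revoke_user_consent(token, client_sp_id, user_id):
    """Delete the user's grants on the service principal; returns the ids removed."""
    grants = list_client_grants(token, client_sp_id)
    revoked = []
    for grant_id in user_grants_to_revoke(grants, user_id):
        graph_request(token, "DELETE", "/oauth2PermissionGrants/" + grant_id)
        revoked.append(grant_id)
    return revoked


# Constructed sample of what the listing returns; every id is a placeholder.
SAMPLE_GRANTS = [
    {"id": "grant-alice", "clientId": "sp-our-app", "consentType": "Principal",
     "principalId": "user-alice", "resourceId": "sp-msgraph", "scope": "User.Read"},
    {"id": "grant-bob", "clientId": "sp-our-app", "consentType": "Principal",
     "principalId": "user-bob", "resourceId": "sp-msgraph", "scope": "User.Read"},
    {"id": "grant-admin-arm", "clientId": "sp-our-app", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-arm", "scope": "user_impersonation"},
]

if __name__ == "__main__":
    print("alice is covered by:", grants_covering_user(SAMPLE_GRANTS, "user-alice"))
    print("alice's revocable grants:", user_grants_to_revoke(SAMPLE_GRANTS, "user-alice"))
    print("carol (never consented) is covered by:",
          grants_covering_user(SAMPLE_GRANTS, "user-carol"))
```

Run the listing after the user has deleted the app from the portal: if the grants for the service principal are still there, consent has not been revoked, which is what the answer predicts when only the application object is removed. Deleting those Principal grants (or the service principal itself, which drops all of its grants) is what makes the consent screen come back at the next sign-in. The example deliberately skips AllPrincipals grants, since an admin-consented application stays consented for every user until an administrator removes that grant.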