1
votes

We've created a multi-tenant Azure application which is registered by several other tenants, with a set of permissions to which an admin has already given consent.

Now we want to add some more permissions which require "Admin consent".

My question is what will happen?

I would expect the application will keep running as before, but the new features (which require the new permissions) will not be available until an admin from a different tenant renews the consent.

Worst case scenario is that the application will not be available to other tenants' users until an admin renews his/her consent.

Add consent to these items


1 Answer

0
votes

I actually wrote a blog article related to this: AADSTS90094: The grant requires admin permission, how to fix it and why it happens.

So the answer, as usual, is that it depends.

If:

  • A user is logging in
  • And some consent has already been given
  • And explicit consent is not requested (e.g. with prompt=consent or prompt=admin_consent)

Then the user will sign in successfully and the scopes in the tokens will be based on the previously consented scopes.

So it should continue to work as it did before.

Since an admin has already given consent for the whole org, some consent is already granted for every user.

Though if you require consent, they will be unable to log in...

But testing this scenario should not be overly difficult for you, and I do recommend it. You can do the following:

  • If you don't have a testing version of your app in AAD, create it
  • Create a new AAD tenant/use another existing one
  • Go through onboarding with the test app
  • Change the permissions
  • Test login with a regular user
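The conditions in the answer above (existing grant, no forced `prompt=consent`, token scopes limited to what was previously consented) can be written down as a small decision model so an app can gate its new features on the scopes it actually received rather than on the scopes it registered. The following is an added illustration, not code from the question, the answer, or Azure AD itself; the permission names, the `admin_only` set and the idea of a per-tenant "consented scopes" record are constructed assumptions that stand in for the real tenant grant.

```python
"""Model of how a previously consented multi-tenant app behaves after new
admin-only permissions are added (added example; hypothetical helper names).

Inputs:
  consented  - scopes an admin of the customer tenant granted earlier
  registered - scopes the app now declares (old ones plus the new additions)
  admin_only - which of the registered scopes need admin consent
  prompt     - the OAuth 'prompt' parameter sent on the sign-in request
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SignInOutcome:
    succeeds: bool
    # scopes that will actually appear in the issued token
    granted: frozenset = field(default_factory=frozenset)
    # registered scopes the tenant has not consented to yet
    missing: frozenset = field(default_factory=frozenset)
    admin_consent_required: bool = False
    reason: str = ""


def evaluate_sign_in(consented, registered, admin_only, prompt=None):
    """Decide whether a regular (non-admin) user of a customer tenant can
    sign in, and with which scopes, after the app's permission list grew."""
    consented = frozenset(consented)
    registered = frozenset(registered)
    admin_only = frozenset(admin_only)
    missing = registered - consented
    missing_admin = missing & admin_only

    # Forcing the consent screen makes the user responsible for granting
    # everything the app declares; a regular user cannot grant admin-only
    # permissions, so the sign-in fails (the AADSTS90094 situation).
    if prompt in ("consent", "admin_consent") and missing_admin:
        return SignInOutcome(False, frozenset(), missing, True,
                             "explicit consent requested but new permissions "
                             "need an admin of this tenant")

    # Nothing granted at all: first sign-in for this tenant, so consent is
    # needed and admin-only scopes again block a regular user.
    if not consented:
        return SignInOutcome(False, frozenset(), missing, bool(missing_admin),
                             "no prior grant for this tenant")

    # Existing grant and no forced prompt: the user gets in, and the token
    # carries the previously consented scopes only.
    return SignInOutcome(True, consented, missing, False,
                         "signed in on the existing grant")


def feature_available(outcome, needed_scopes):
    """True only if every scope a feature needs is in the issued token.
    Gate new features on this instead of on the registered permission list."""
    return outcome.succeeds and frozenset(needed_scopes) <= outcome.granted


if __name__ == "__main__":
    # Constructed scenario: the tenant admin consented to the original scopes,
    # then the app added an admin-only Directory permission.
    original = {"User.Read", "Mail.Read"}
    now_registered = original | {"Directory.Read.All"}
    admin_only = {"Directory.Read.All"}

    plain = evaluate_sign_in(original, now_registered, admin_only)
    forced = evaluate_sign_in(original, now_registered, admin_only,
                              prompt="consent")
    print("normal sign-in:", plain.succeeds, sorted(plain.granted))
    print("old feature usable:", feature_available(plain, {"Mail.Read"}))
    print("new feature usable:", feature_available(plain, {"Directory.Read.All"}))
    print("with prompt=consent:", forced.succeeds, forced.reason)
```

The point of `feature_available` is that the token, not the app registration, is the source of truth: the answer's "scopes in the tokens will be based on the previously consented scopes" means the new feature must check for its scope at runtime and send the admin to re-consent when it is absent, while everything else keeps working. The same model also shows why testing with `prompt=consent` is the quickest way to reproduce the failure case.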