What does “grant admin consent” button do in azure Azure Active Directory application?

2
votes

We have configured an azure active directory application so that the users to our website can log in via their Microsoft accounts. The problem is that if we do not grant admin access then the Sign in to the application fails with the error code AADSTS650056:

Misconfigured application. This could be due to one of the following: The client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration.

enter image description here

We are skeptical to click on "Grant admin consent" fearing that it may expose any vulnerability. Is this the right way to proceed? If not what are the alternatives so that this kind of consent is bypassed?

1
azure-active-directoryazure-ad-graph-api
If I am right, your application is requesting the permissions to Azure AD Graph https://graph.windows.net, but you have added only permissions for Microsoft Graph https://graph.microsoft.com. Try to add Azure AD Graph permissions or change the permissions request to Microsoft Graph in your application and you should not get this error.Ivan Ignatiev
Yeah, try adding the same permission from "Windows Azure Active Directory" (azure ad graph API), it should be under "legacy APIs". It's a bit odd that it would still be required though :/juunas

1 Answers

3
votes

Each application registers permissions it requires. Some permissions can be granted by users, some other only by the administrator.

Let's suppose you have only permissions that can be consented by users. The first time they use the application, they'll be prompted (each user) to consent those permissions to the application. If in the same scenario you click on grant admin consent, it is the equivalent of accepting it for all users on the tenant.

Now let's suppose the application registers permissions that require admin consent, you have no choice but to click that button if you want the application to work and be able to request tokens.

These permissions that require admin consent are permissions that either allow access to more or sensitive data in the organization.