2
votes

The "Grant admin consent" button in the current Azure AD app registration experience (under Azure portal > Azure AD > App registrations > (app) > API permissions) is sometimes greyed out. In the legacy experience, I could always click the button.

What's the difference between the two?

1 Answer

4
votes

The "Grant permission" button in the legacy app registration experience behaves differently depending on what you're allowed to do:

  • If you're allowed to do tenant-wide admin consent, the button grants the permissions for all accounts:

    Grant permissions will grant tenant-wide admin consent if user is admin

  • If you're not allowed to do tenant-wide admin consent, the button attempts to grant the permissions for your account only:

    Grant permissions will attempt to grant user consent if user is not admin

  • If you're not allowed to consent even for yourself, it fails to grant any permissions.

In the new (current) app registration experience, the "Grant admin consent" button only proposes tenant-wide admin consent:

  • If you're allowed to do tenant-wide admin consent, the button is enabled and will result in the permissions being granted for everyone:

    Grant admin consent is enabled if user is allowed to do so

    Grant admin consent grants permissions for everyone

  • If you're not an admin, the button is simply disabled:

    Grant admin consent is disabled if user is not allowed to do so

The new app registration experience does not currently offer the option for granting consent on behalf of the signed-in user only, like the legacy experience did. If you want to grant consent for yourself, the best way to do so is to actually sign in to the app, and grant consent then.
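
Added example, not part of the original answer: the two outcomes described above (consent for everyone versus consent for one account) are recorded in Microsoft Graph as `oauth2PermissionGrant` objects with `consentType` set to `AllPrincipals` or `Principal`, and the sketch below audits which delegated scopes an app holds tenant-wide and which only specific users granted. The sample response and all IDs are constructed, and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample shaped like a Microsoft Graph GET /oauth2PermissionGrants
# response; every ID is a placeholder. These objects cover delegated permissions only.
# Simplification: scopes are pooled per client; a real audit would also key on resourceId.
SAMPLE_RESPONSE = json.loads("""
{"value": [
  {"id": "grant-1", "clientId": "sp-app-a", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "sp-graph", "scope": "User.Read openid"},
  {"id": "grant-2", "clientId": "sp-app-a", "consentType": "Principal",
   "principalId": "user-alice", "resourceId": "sp-graph", "scope": "Mail.Read User.Read"},
  {"id": "grant-3", "clientId": "sp-app-b", "consentType": "Principal",
   "principalId": "user-bob", "resourceId": "sp-graph", "scope": " Files.Read "}
]}
""")


def summarize_grants(grants):
    """Group granted scopes per client app into tenant-wide and per-user sets."""
    summary = defaultdict(lambda: {"tenant_wide": set(), "per_user": defaultdict(set)})
    for g in grants:
        scopes = set((g.get("scope") or "").split())
        entry = summary[g["clientId"]]
        if g.get("consentType") == "AllPrincipals":
            entry["tenant_wide"] |= scopes
        elif g.get("consentType") == "Principal" and g.get("principalId"):
            entry["per_user"][g["principalId"]] |= scopes
        else:
            raise ValueError(f"unexpected grant shape: {g.get('id')}")
    return summary


def effective_scopes(summary, client_id, principal_id):
    """Scopes the app holds when acting for one user: tenant-wide plus that user's own."""
    entry = summary.get(client_id)
    if entry is None:
        return set()
    return entry["tenant_wide"] | entry["per_user"].get(principal_id, set())


def user_only_scopes(summary, client_id):
    """Scopes individual users consented to that no tenant-wide grant covers."""
    entry = summary.get(client_id)
    if entry is None:
        return {}
    extra = {u: s - entry["tenant_wide"] for u, s in entry["per_user"].items()}
    return {u: s for u, s in extra.items() if s}
```
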