
I have two single tenant Azure AD apps A and B. App A represents a service and app B a client. I'm trying to allow B to access A with an AAD JWT token obtained using the AAD OAuth2 client credentials flow. I've defined an appRole in the manifest for A and am adding that as an API permission for B via App registrations -> API Permissions -> Add a permission -> My APIs -> A -> Application permissions

This requires admin consent even though I am the owner for both apps.

Is there a way to grant this permission without requiring an admin intervention since I own the app exposing the app role? I understand the admin consent requirement when granting permissions to access the directory which may contain sensitive user data but here it is purely a permission between two apps which I am the owner of.

The app role in the manifest for app A is as follows:

{
    "allowedMemberTypes": [
        "User",
        "Application"
    ],
    "description": "...",
    "displayName": "MyPermission",
    "id": "00000000-aaaa-bbbb-cccc-ddddddddddddd",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "MyPermission"
}

1 Answer


Unfortunately, this is not possible! You must grant admin consent when granting application permissions to the client application. Otherwise, you will get an "insufficient permissions" error when you use the access token to access the API application.

You can see that when you grant your custom application permissions to the client application, Admin consent required is displayed as Yes, indicating that this is mandatory by AAD and you cannot bypass this step.


In addition, you can also check this by parsing the token. Only if the admin has consented to the application permission will there be a roles claim in the token; otherwise the claim will not be present.

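The answer points out that the roles claim is the observable difference between a consented and an unconsented client-credentials token. The following is an added example, not code from the question or the answer, showing how app A could inspect that claim and decide whether the caller holds the MyPermission app role. The tokens are constructed in-line with placeholder audience, issuer and client ids (assumptions, not values from the page) and carry an empty signature so the example runs offline; a real resource server must validate the signature, issuer, audience and expiry against the tenant's published signing keys before trusting any claim.

```python
import base64
import json

# Constructed sample data (not real tokens). SAMPLE_WITH_ROLE models a token
# issued after admin consent: the appRole "value" appears in the roles claim.
# SAMPLE_WITHOUT_ROLE models a token issued without consent: no roles claim.
SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
SAMPLE_WITH_ROLE = {
    "aud": "api://app-a-placeholder",                                      # assumed app ID URI of A
    "iss": "https://login.microsoftonline.com/tenant-id-placeholder/v2.0",  # assumed issuer
    "appid": "app-b-client-id-placeholder",                                 # assumed client id of B
    "roles": ["MyPermission"],
}
SAMPLE_WITHOUT_ROLE = {k: v for k, v in SAMPLE_WITH_ROLE.items() if k != "roles"}


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(payload: dict) -> str:
    """Build a JWT-shaped string with an empty signature segment (demo only)."""
    header = _b64url(json.dumps(SAMPLE_HEADER).encode())
    body = _b64url(json.dumps(payload).encode())
    return ".".join([header, body, ""])


def decode_payload(token: str) -> dict:
    """Return the decoded payload of a JWT. This does NOT verify the signature;
    in a real API, verification must happen before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    segment = parts[1]
    padded = segment + "=" * (-len(segment) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(padded))


def roles_in_token(token: str) -> list:
    """The roles claim, or an empty list when the claim is absent (no consent)."""
    return list(decode_payload(token).get("roles", []))


def has_app_role(token: str, required_role: str) -> bool:
    """Authorization decision app A would make: is the app role present?"""
    return required_role in roles_in_token(token)


if __name__ == "__main__":
    for name, payload in [("consented", SAMPLE_WITH_ROLE), ("unconsented", SAMPLE_WITHOUT_ROLE)]:
        token = make_unsigned_token(payload)
        print(name, "roles =", roles_in_token(token),
              "-> allowed:", has_app_role(token, "MyPermission"))
```

Checking for the role by its `value` string (here "MyPermission") rather than by its id is what Azure AD tokens carry in the roles claim; the appRole id from the manifest does not appear in the token.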