
I am working on a simple application that shows information about the joined teams of the user. The application uses the interactive flow for authentication.

Getting the list of joined teams with GET /me/joinedTeams was easy since it only requires user consent. However, anything more than that (for example getting the list of team members for a team joined by the user or even something trivial like getting the icon of a team!) needs app permissions that require admin consent.

I have never been on the admin side of an Azure tenant, so I would like to understand what admin consent exactly means:

Can the admin limit their consent to my app AND my user account? I.e. can Azure be configured such that only me (as the developer) can use my application with the granted permission? Is that what "user assignment" means in the Azure documentation?

And related to that (I don't think that deserves a separate posting on SO): Let's assume my app gets the TeamMember.ReadWrite.All permission with admin consent. I hope that still means that the usual user restrictions are in place. For example, a normal user will still not be able to add members to a team they do not own, right?

Thanks in advance for your help


1 Answer


You need to understand the difference between user consent and admin consent:

Each application registers the permissions it requires. Some permissions can be granted by users, others only by the administrator.

Let's suppose you have only permissions that can be consented to by users. The first time they use the application, they'll be prompted (each user) to consent to those permissions for the application. If in the same scenario you click on "grant admin consent", it is the equivalent of accepting it for all users on the tenant.

Can the admin limit their consent to my app AND my user account? I.e. can Azure be configured such that only me (as the developer) can use my application with the granted permission? Is that what "user assignment" means in the Azure documentation?

Yes, this is the "user assignment" mentioned in the document. As I said in the answer, admin consent is at the tenant level. If you grant admin consent to the application, it is the equivalent of accepting it for all users on the tenant. If you need to restrict the application to a certain set of users, then you can restrict the Azure AD application to a set of users in the Azure AD tenant.

Let's assume my app gets the TeamMember.ReadWrite.All permission with admin consent. I hope that still means that the usual user restrictions are in place. For example, a normal user will still not be able to add members to a team they do not own, right?

Yes, if you only assign an application to specific users, other users will not be able to use the application to add members.
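As an added illustration of the user-consent versus admin-consent distinction above (example code, not part of the question or the answer): a small check that inspects the delegated scopes (`scp`) or app roles (`roles`) in a Microsoft identity platform access token the app already holds and reports, for the two Graph calls discussed in the question, whether the needed permission is present and which kind of consent it requires. The required permission names (Team.ReadBasic.All for /me/joinedTeams, TeamMember.Read.All for listing team members) are taken from the Graph permissions reference; the token here is a constructed, unsigned sample, and the decoder deliberately does no signature validation because it only inspects, never trusts, the token.

```python
import base64
import json

# Delegated Microsoft Graph permission each call needs and whether that
# permission requires admin consent (per the Graph permissions reference).
REQUIRED_SCOPE = {
    "GET /me/joinedTeams": ("Team.ReadBasic.All", False),
    "GET /teams/{id}/members": ("TeamMember.Read.All", True),
}


def decode_payload(jwt: str) -> dict:
    """Return the claims of a JWT. No signature check: this is only for
    inspecting a token the app already holds, never for trusting one."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(claims: dict) -> set:
    """Delegated tokens carry 'scp' (space-separated string); app-only
    tokens carry 'roles' (a list). Merge both so either kind is handled."""
    scopes = set(claims.get("scp", "").split())
    scopes.update(claims.get("roles", []))
    return scopes


def explain_call(claims: dict, call: str) -> str:
    """Say whether the token allows the call and, if not, what is missing."""
    needed, admin_only = REQUIRED_SCOPE[call]
    if needed in granted_permissions(claims):
        return f"{call}: allowed ({needed} present)"
    who = "admin consent" if admin_only else "user consent"
    return f"{call}: denied, {needed} missing (needs {who})"


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed demo JWT (header.payload. with empty signature)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: the scopes a token carries after user consent only.
SAMPLE_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "scp": "User.Read Team.ReadBasic.All",
})

if __name__ == "__main__":
    for call in REQUIRED_SCOPE:
        print(explain_call(decode_payload(SAMPLE_TOKEN), call))
```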