0 votes

I have a question regarding a multi-tenant App Registration in Azure AD. The first time a user logs in through the app it will ask him to grant his consent to access some of his data if necessary or ask an administrator to grant a tenant level consent. This is just fine.
I was wondering if let's say a change is made to the App Registration (Logout URL modified for example), is it possible that the users that never used the app registration already will need to grant their consent or that a tenant administrator might need to give his consent again?
Regards


2 Answers

1 vote

Changing your redirect URLs or logout URL will not cause the consent to be prompted for again.

Changing the configured permissions also won't cause users who have already granted consent to have to grant consent again (but the app will only have the permissions it had been originally granted).

Users will only be prompted for consent in the following situations:

  • If your application dynamically requests a permission which has not been granted (e.g. scope=https://graph.microsoft.com/Mail.Read, if Mail.Read has not been granted).
  • If your application requests access to ".default" for a resource, and no permissions have been granted for that resource. For example, if your application requests scope=https://graph.microsoft.com/.default and no delegated permissions for Microsoft Graph have been granted, the user will be prompted for consent (for all permissions configured in the app registration). If any permission for the requested resource has been granted, the user will not be prompted for consent.
  • If your application forces user consent using prompt=consent. Don't do this—there is almost no situation where this is necessary. (Read a lot more on this at https://stackoverflow.com/a/60151790/325697.)
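The three prompting rules listed above, modelled as an added Python example (not code from the answer or from Microsoft): the granted and configured permission sets are constructed sample data, and `{tenant-id}` / `{client-id}` are placeholders.

```python
from urllib.parse import urlencode, urlsplit

# Constructed sample state: delegated permissions already granted to the app,
# per resource, and the permissions configured on the app registration.
GRANTED = {"https://graph.microsoft.com": {"User.Read"}}
CONFIGURED = {"https://graph.microsoft.com": {"User.Read", "Mail.Read", "Calendars.Read"}}


def split_scope(scope):
    """'https://graph.microsoft.com/Mail.Read' -> ('https://graph.microsoft.com', 'Mail.Read')."""
    parts = urlsplit(scope)
    return f"{parts.scheme}://{parts.netloc}", parts.path.lstrip("/")


def consent_needed(scopes, granted=GRANTED, configured=CONFIGURED, prompt=None):
    """Return (will_prompt, permissions the prompt would list) for one authorize request.

    Models the rules from the answer: (a) a named scope prompts only if it has not
    been granted yet; (b) '.default' prompts only when nothing for that resource is
    granted yet, and then lists everything configured for it; (c) prompt=consent
    always prompts. Only resource-qualified scopes are handled (not bare 'openid').
    """
    requested, missing = set(), set()
    for scope in scopes:
        resource, permission = split_scope(scope)
        already = granted.get(resource, set())
        if permission == ".default":
            wanted = configured.get(resource, set())
            requested |= wanted
            if not already:                 # rule (b): nothing granted for this resource
                missing |= wanted
        else:
            requested.add(permission)
            if permission not in already:   # rule (a): dynamic scope not yet granted
                missing.add(permission)
    if prompt == "consent":                 # rule (c): forced consent re-lists everything
        return True, requested
    return bool(missing), missing


def authorize_url(tenant, client_id, redirect_uri, scopes, prompt=None):
    """Build the v2.0 authorize URL for the request (placeholder ids are fine)."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "scope": " ".join(scopes)}
    if prompt:
        params["prompt"] = prompt
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


if __name__ == "__main__":
    scopes = ["https://graph.microsoft.com/Mail.Read"]
    print(consent_needed(scopes))  # (True, {'Mail.Read'}): Mail.Read was never granted
    print(authorize_url("{tenant-id}", "{client-id}", "https://localhost/callback", scopes))
```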
0 votes

Yes. If you modify properties such as the redirect URL, permissions, logout URL and so on, you have to make admins from other tenants do the admin consent again to make it effective.

Using the admin consent URL is the quickest way:

https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}