We have a client application, which calls a Web API, which in turn calls Microsoft Graph. I've read the documentation about granting admin consent in the Azure portal, but I still fear pressing that button because I don't understand some concepts:

  1. Does "Grant Admin Consent" on a page of app A allow application A to access all of its required scopes, or does it allow OTHER applications to access application A's scopes, defined in "Expose API"?
  2. Do I need to grant admin consent to both the client app and the web API? Or must I grant it only for the web API, and make the client app pre-authorized?
  3. Does "Grant Admin Consent" allow an application to call Microsoft Graph on its own, bypassing the on-behalf-of flow? For example, can the web API call Microsoft Graph without the need to have a user access token?
  4. If we add a new user to our AD, will I need to press "Grant Admin Consent" again?
  5. Are there any differences between "Grant admin consent" on the "App Registration" and "Enterprise applications" pages?