Azure AD adminconsent? multi tenant application management
I have multiple queries relating to application design. based on what i read from
I need Application permissions to manage my client's o365. such as 'Exchange.ManageAsApp' and other permissions on client's request.
but other than that I would also need to assign the service principal created in client's tenant to a Exchange Administrator role or even Help Desk administrator role. for that I would need temporary elevated privileges. this makes the consent screen stack up with many permissions.
what would be the best way to approach such scenario?
after consent, I can confirm if user has accepted permissions at redirect uri endpoint, how do i handle if in future, enough permissions to perform admin level tasks are still available or user just deleted the service principal, or revoked the SP permissions?
is it a good idea to separate tenant on-boarding to one AD application and create a separate AD application for each service (Exchange level, later user management, and other service in future) I provide? and generate admin consent for each service client opted.
I am unable to request Application SCOPES other than Graph API dynamically. I had to go with ".default" scope that requests all static permissions at once which floods the consent screen.
I tried to reproduce the same in my environment and got the results successfully as below:
I created an Azure AD Application and added API permissions for sample:
I used below authorize endpoint to authorize the users to the Application as below:
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
&client_id=ClientId
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
When I used scope=https://graph.microsoft.com/.default all the API permissions reflected in the consent screen:
To avoid consenting all the API permissions you can specify the specific permissions as below:
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
&client_id=ClientId
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=openid email
&state=12345
Need to assign the service principal created in client's tenant to Exchange Administrator role or even Help Desk administrator role for that I would need temporary elevated privileges.
As a workaround, you can specify the role assignment time period while assigning the role to the Service Principal as below:
I assigned the Exchange Administrator role specifying the Time period as below:
Is it a good idea to separate tenant on-boarding to one AD application and create a separate AD application for each service.
Yes, creating separate the Azure AD applications for each service simplifies the consent process and it reduces the permissions requested and you can request admin consent separately for each service.
Reference:
Overview of permissions and consent in the Microsoft identity platform - Microsoft Entra
- What is a difference between elastic computing and serverless computing?
- Access Sharepoint Online Files from .NET Worker Service via Microsoft Graph/OAuth - Unauthorized or Access Denied error (401)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?
- Update VCore by database in power shell
- While scanning a simple key, could not find expected ':'. Syntax error in azure-pipeline.yaml
- I'm not able to call the Azure document intelligence api using the latest api version "2024-02-29-preview"
- AzureWebJobsStorage Managed Identity not working
- Get-RemoteDomain in powershell exchange online error : The term 'Get-RemoteDomain' is not recognized as the name of a cmdlet
- How can I Get Started Using Certificates to Authenticate my APIs Using Azure Key Vault?
- Azure Storage blob getting the io.netty.channel.StacklessClosedChannelException while generating /downloading the from SasUrl
- How to set up a site-to-site connection between Azure VNet and an on-premises network with a single IP address for traffic selectors?
- Summarization of docx or pdf document
- Unable to use Azure Developer CLI (azd) in vsCode even after extensions installed
- How to configure backend application on Container Apps
- WebJob is stopping due to website shutting down
- Azure SQL trigger for Functions configuration problem
- Does azure blob storage support http2?
- Azure Pronunciation Assessment Could not deserialize speech context error
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- How do I Parse FormData containing a audio file in AZ function app in 2025
- Not able to delete Public IP address in azure
- Azure Devops Apple App Store Release.Missing value for the attribute 'whatsNew'
- Azure Storage accounts container public access level has dissabled
- Issue with adding delegated Graph API permission to Enterprise app with Terraform
- Getting an error when using the Flexible File Destination Task in Visual Studio 2022 SSIS
- Problem with Azure Email Communication Service Custom Domain
- How to refresh client assertion in ConfidentialClientApplication?
- Using Microsoft Graph Explorer (we have code too) we can GET All Subscriptions, but GET one by ID gives access error
- Invalid operands found for operator -eq
- nginx - php-fpm - azure container app returns truncated pages