Is there any way to know if a user gave consent on behalf of an organization
Organization administrators have an option to "Consent on behalf of your organization".
This feature enables them to give consent for all users within the organization. As a result, users of the organization can sign up without needing to provide individual consent. In Microsoft documentation, this is referred to as admin consent.
Is it possible to check if organization-wide consent was given using any of the following sources:
You can list oAuth2PermissionGrant entities, which represent delegated permissions granted to enable a client application to access an API on behalf of the user.
oAuth2PermissionGrant has the property consentType which indicates if authorization is granted for the client application to impersonate all users (tenant-wide) or only a specific user.
Possible values of the consentType property are:
AllPrincipals- tenant-wide consentPrincipal- consent for a specific user
You can filter permission grants by consentType
https://graph.microsoft.com/v1.0/oauth2PermissionGrants?$filter=consentType eq 'AllPrincipals'
The response looks like this
{
"value": [
{
"clientId": "f5913df3-bd00-4259-aa45-a17a008b033c",
"consentType": "AllPrincipals",
"id": "xxx",
"principalId": null,
"resourceId": "0741d31a-647d-4821-b3d6-99aeea5e0123",
"scope": "User.Read User.ReadBasic.All"
},
{
"clientId": "f5913df3-bd00-4259-aa45-a17a008b033c",
"consentType": "AllPrincipals",
"id": "xxx",
"principalId": null,
"resourceId": "3c4020a9-f9ce-4790-ba8f-4f85b0ff62d5",
"scope": "Files.Read.All"
},
...
]
}
It can return more records for a specific clientId if some sets of permissions have been granted during time.
To find details about the client app, use clientId in the request
https://graph.microsoft.com/v1.0/servicePrincipals/{clientId}
- Error 400: invalid_scope with Postman and Google OAuth2
- PHP - How to get OAuth 2.0 Token
- UPS Outh Rating API return Invalid Authentication Information
- How to store sensitive data in React Native or expo code ? ( with Keychain and Keystore )
- How to get Optum sandbox to authenticate with OAuth 2.0 using Java and okhttp
- Spring Boot redirection back to login page
- New Google place api using google OAuth, ask failed to refresh token
- Getting OAuth code challenge on loopback server
- How do I solve audience (aud) invalid claim error for downstream api service?
- oauth 2 parameters can only have a single value: scope
- #oauth2 security expressions on method level
- Calling spring authorization server OAuth2 REST endpoints
- Google AdWords API authorization raising AdsCommon::Errors::AuthError
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Passport - Node.js not returning Refresh Token
- AWS Cognito: Missing Scopes in Access Token with Custom UI and Device Remember Functionality for MFA
- Cross-client Google OAuth: Get auth code on iOS and access token on server
- How to generate GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET without a domain?
- Spring Gateway and OAuth
- OAuth Client Credential Flow - Refresh Tokens
- Django OAuth2 Authentication Failing in Unit Tests - 401 'invalid_client' Error
- Add OAuth authentication for HTTP request triggers
- OAuth2 implementation and user management Django
- How to enable a submit button if form fields are auto-filled by the browser using saved credentials on page load?
- AADSTS70000 Error When Requesting for Access Token
- Is storing an OAuth token in cookies bad practice?
- Spring OAuth2 client performs Back-Channel Logout with an expired ID token
- I/O error on GET request for "https://localhost/application/o/{name}/.well-known/openid-configuration": Connection refused
- Restrict Microsoft Azure App OAuth2.0 to Internal Users
- How can I "Get Microsoft Teams Users" Using of Microsoft Graph API