How can I test if admin consent has already been given

后端 未结 2 1411
陌清茗
陌清茗 2021-01-16 10:35

We are developing an Office Add-in that authenticates with an organisational account to Azure AD. The Add-in needs administrative consent. So if an administrator is logged o

相关标签:
2条回答
  • 2021-01-16 11:07

    tl;dr

    Yes, you can do this. You'll want to call this MS Graph endpoint, and inspect the oAuth2PermissionGrant object for the consentType field being set to AllPrincipals.

    Some Background

    Using the Microsoft Graph, you can identify if admin consent was granted. When Admin Consent is granted, there are OAuth2.0 permission grants written on the app.

    Inside each permission grant, there's a field that indicates the permission level of the grant. For Admin Consent, you would be looking for AllPrincipals.

    Detailed Steps

    1. Wire up your app to call the Microsoft Graph. Make sure it's requesting all the required permissions to call the required endpoint. This is different in the case of a delegated (on behalf of the end user) or an app role.

    App Role: Directory.Read.All & Directory.ReadWrite.All

    Delegated Permission: Diretory.Read.All, Directory.ReadWrite.All, or Directory.AccessAsUser.All in order of least to most privileged.

    1. Call the GET /oAuth2PermissionGrant endpoint of MS Graph.

    This returns back an oAuth2PermissionGrant object with the details you're looking for.

    1. Inspect the response for the consentType field. You may need to enumerate all the grants looking for the value AllPrincipals.
    0 讨论(0)
  • 2021-01-16 11:24

    IMHO, the custom implementation would be a better choice for your usecase

    The steps could be the following

    1. User Logs in for the 1st time
    2. Your App / Add-in checks the consent in the internal memory / db
    3. No Consent will be found, which will redirect the user to the consent page in Azure AD
    4. After the user approves of his admin access, we typically get the status in the response back from Azure AD like the one below,

      GET http://localhost/myapp/permissions?tenant=a8990e1f-ff32-408a-9f8e-78d3b9139b95&state=state=12345&admin_consent=True

    5. The App now stores the admin consent grant status in the DB.

    6. In case in later point of time, the app / add-in needs more permissions, just flush out the stored value for the consent and the users so that the next login takes care to ensure that they agree to the new consent. The new consent request will be sending additional scopes to the AD which will in turn be shown to the user in the consent page.

    In case of reading more about the steps, please click here

    0 讨论(0)
提交回复
热议问题