Reputation: 1398
(Related to this question)
I have an application that should be automatically usable for all customer tenants, and therefore tried this tutorial to enable preconsent.
After running the PowerShell commands and fetching the application again, I can see that it is enabled:
PS C:\Windows\system32> $graphResponse.value.recordConsentConditions
SilentConsentForPartnerManagedApp
However, when creating a new tenant (or using an existing one) and trying to access Microsoft Graph's /users call, I get a 500 error until I navigate to https://login.windows.net/common/oauth2/authorize?response_type=code&client_id={0}&prompt=admin_consent (with {0} being the clientId of the app), sign in as an admin and accept the delegation.
Am I missing a step here?
Upvotes: 1
Views: 455
Reputation: 1398
After contacting Microsoft support, this is a bug on their side. They told me yesterday that the engineering team acknowledged it. It will be fixed.
Upvotes: 1
Reputation: 1193
In order to query the MS Graph, your app will need to be granted the appropriate permissions by an end user or by an administrator of the tenant. Usually the best way to acquire consent from an administrator is by using the prompt=admin_consent parameter, as you've done above.
If for some reason you must do so via PowerShell, you can create an oAuth2PermissionGrant object using a consentType of AllPrincipals.
Personally I wouldn't recommend using the recordConsentConditions property. It's only there for legacy reasons - I don't even know what it does.
Upvotes: 0
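The PowerShell route the answer above describes, as an added example that is not part of the original thread or of any Microsoft sample: it records a tenant-wide delegated grant by creating an oauth2PermissionGrant with consentType AllPrincipals through the Microsoft Graph REST API, after resolving the service principal object ids that the grant references. `$accessToken`, `$clientAppId`, `$resourceAppId` and `$delegatedScopes` are assumed inputs you supply; the Graph appId 00000003-0000-0000-c000-000000000000 and the DelegatedPermissionGrant.ReadWrite.All permission are real, the rest of the values are placeholders.

```powershell
# Added example (not code from the original post): grant delegated permissions
# to a client app for every user in a tenant by creating an oauth2PermissionGrant
# with consentType = AllPrincipals via Microsoft Graph.
#
# Assumed inputs (placeholders, not values from the page):
#   $accessToken     - bearer token for Microsoft Graph obtained separately, using an
#                      administrator identity holding DelegatedPermissionGrant.ReadWrite.All
#   $clientAppId     - application (client) ID of the multi-tenant app
#   $resourceAppId   - appId of the resource API; Microsoft Graph's well-known appId is
#                      00000003-0000-0000-c000-000000000000
#   $delegatedScopes - space-separated delegated permission names, e.g. "User.Read"
#                      (keep this to the minimum the app actually needs)

$graphBase = "https://graph.microsoft.com/v1.0"
$headers   = @{ Authorization = "Bearer $accessToken"; "Content-Type" = "application/json" }

# oauth2PermissionGrant references service principal OBJECT ids, not appIds,
# so both principals must exist in the target tenant and be looked up first.
function Get-ServicePrincipalObjectId {
    param([string]$AppId)
    $uri = "$graphBase/servicePrincipals?`$filter=appId eq '$AppId'&`$select=id,displayName"
    $sp  = (Invoke-RestMethod -Method Get -Uri $uri -Headers $headers).value
    if (-not $sp) {
        throw "No service principal for appId $AppId in this tenant; a grant cannot be recorded until one exists."
    }
    return $sp[0].id
}

$clientSpId   = Get-ServicePrincipalObjectId -AppId $clientAppId
$resourceSpId = Get-ServicePrincipalObjectId -AppId $resourceAppId

# A second AllPrincipals grant for the same client/resource pair is rejected,
# so look for an existing one and update its scope instead of creating a duplicate.
$listUri  = "$graphBase/oauth2PermissionGrants?`$filter=clientId eq '$clientSpId'"
$existing = (Invoke-RestMethod -Method Get -Uri $listUri -Headers $headers).value |
    Where-Object { $_.resourceId -eq $resourceSpId -and $_.consentType -eq 'AllPrincipals' }

if ($existing) {
    # PATCH replaces the scope string wholesale, so pass the complete intended set.
    $body    = @{ scope = $delegatedScopes } | ConvertTo-Json
    Invoke-RestMethod -Method Patch -Uri "$graphBase/oauth2PermissionGrants/$($existing[0].id)" `
        -Headers $headers -Body $body | Out-Null
    $grantId = $existing[0].id
} else {
    $body = @{
        clientId    = $clientSpId
        consentType = "AllPrincipals"   # tenant-wide; "Principal" plus principalId would limit it to one user
        resourceId  = $resourceSpId
        scope       = $delegatedScopes
    } | ConvertTo-Json
    $grant   = Invoke-RestMethod -Method Post -Uri "$graphBase/oauth2PermissionGrants" -Headers $headers -Body $body
    $grantId = $grant.id
}

# Read back what is now recorded so the effective scope can be reviewed against
# what the app was supposed to receive.
Invoke-RestMethod -Method Get -Uri "$graphBase/oauth2PermissionGrants/$grantId" -Headers $headers |
    Select-Object id, consentType, scope
```

The same GET on /oauth2PermissionGrants (filtered by clientId, or unfiltered) is also the quickest way to audit which tenant-wide grants already exist before adding one, since a grant created this way is indistinguishable to users from one an administrator accepted through the consent prompt.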