Karlheinz Reinhardt
Reputation: 1075
Graph Admin Consent - Why/When to specify tenant
While reading the documentation about getting access without a user i noticed that in Step 3, in order to get the token, you need to send a get request to the following endpoint:
GET https://login.microsoftonline.com/{tenant}/adminconsent
or if the tenant is unkown to
GET https://login.microsoftonline.com/common/adminconsent
The results (redirects, confirmation of app rights, ...) are still the same.
My Question is:
- Why not use always
/common/adminconsentinstead of/{tenant}/adminconsent? - And in what scenarios would it be recommended or needed to use
/{tenant}/adminconsent?
Upvotes: 1
Views: 51
Answers (1)
Marc LaFleur
Reputation: 33114
You can specify a tenant in order to restrict who can authenticate. If you provide a tenant id, only an Admin from that tenant would be able to consent to your application. Using common allows any Admin, from any tenant, to consent to your application.
In practice, you rarely need to specify a tenant.
Upvotes: 2
Related Questions
- How does admin consent work for azure apps?
- Admin consent required with only delegated permissions
- Is Admin consent always required in an Azure AD Multi tenant environment?
- Microsoft Graph partial tenant consent
- Request Denied After Getting Admin Consent on Tenant
- Why some Microsoft Graph scopes request admin consent on some tenant and only user-delegated permission on other?
- Microsoft Active Directory: Asking Tenant's Admin for Specific Permissions
- Which admin/admin role is required when getting admin consent for your app?
- Admin consent to give application registered in Tenant A access to Graph in Tenant B
- Microsoft Graph API Permissions for non-admins?