phillip-from-oz

Reputation: 362

Azure AD Enterprise Applications User consent to company data

For Azure AD “Enterprise Applications”, is it possible to set “User can consent to apps accessing company data on their behalf” just for an app or does this have to be done for all apps in the tenant?

I am not the admin for my tenant but am a registered user in my tenant.

The application is an existing application and has been registered in the developer’s tenant as a multi-tenant application. I am trying to get it to work in my tenant.

This application requires the following scopes:

I got the admin for my tenant to create a “service principal” in my tenant for this app by:

  1. https://login.microsoftonline.com/common/adminconsent?client_id=22c49a0d-d21c-4792-aed1-8f163c982546&redirect_uri=http://localhost
  2. Sign in as admin for my tenant

How can I set “User can consent to apps accessing company data on their behalf” just for an app in Azure AD Admin Center?

Also is there a website that shows all the screens in "Azure AD Admin Center"?

Upvotes: 1

Views: 1497

Answers (1)

astaykov

Reputation: 30903

First of all, developers should take note of the Microsoft Graph Permissions and understand the difference between delegated and application permissions, because there is a substantial difference. The developers of a multi-tenant application should also understand how to generate an admin consent URL for requesting admin consent for their applications.

Secondly, if an Azure AD global administrator has configured the User can consent to apps accessing company data on their behalf option to false, then only a Global Administrator can consent to this application. This option is tenant wide and cannot be controlled on a per-app basis. The only way through this is to talk to the tenant administrator, explain to him what this application is doing and why you need it. Only the tenant administrator can grant the consent for this application to be used.

As for the screens of Azure AD Admin Center - there is no such website.

UPDATE

The option Users can consent to application accessing company information on their behalf is located under:

And while this will work, it will also work for any application in the future. Having this enabled had some purpose. It probably makes more sense to review the initial purpose, and if still valid to not change this value. If you wish to retain the value of the setting as is, you can talk to the developer of the application to give you an admin consent URL. Then you only need to give that URL to your global administrator and he has to open it, sign in and consent. Thus all your users will be able to use the application, while still keeping Users can consent to applications accessing company data on their behalf to false.

Upvotes: 1
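The admin consent URL flow from the answer, as an added example that is not part of the original post or any Microsoft SDK: it builds the tenant-wide admin consent URL, lets the administrator sanity-check a URL handed over by a developer before signing in (the question's own URL lost the `=` after `client_id`, which this catches), and interprets the redirect Azure AD sends back. Function names are assumed; only the standard library is used.

```python
import secrets
import uuid
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY_HOST = "login.microsoftonline.com"


def build_admin_consent_url(client_id, redirect_uri, tenant="common", state=None):
    """Return (url, state) for the tenant-wide adminconsent endpoint.

    state is a random nonce the caller keeps so the callback can be matched
    to this request (CSRF protection); redirect_uri is URL-encoded.
    """
    uuid.UUID(client_id)  # raises ValueError if client_id is not a GUID
    state = state or secrets.token_urlsafe(16)
    query = urlencode({"client_id": client_id, "state": state,
                       "redirect_uri": redirect_uri})
    return f"https://{AUTHORITY_HOST}/{tenant}/adminconsent?{query}", state


def check_admin_consent_url(url):
    """Return the problems an admin should see before opening a consent URL."""
    p = urlparse(url)
    # parse_qs silently drops a parameter with no '=', e.g. 'client_id22c4...'
    q = {k: v[0] for k, v in parse_qs(p.query).items()}
    problems = []
    if p.scheme != "https" or p.hostname != AUTHORITY_HOST:
        problems.append("host is not https://login.microsoftonline.com")
    if not p.path.endswith("/adminconsent"):
        problems.append("path is not the adminconsent endpoint")
    try:
        uuid.UUID(q.get("client_id", ""))
    except ValueError:
        problems.append("client_id missing or not a GUID (check for a lost '=')")
    if "redirect_uri" not in q:
        problems.append("redirect_uri missing")
    return problems


def parse_admin_consent_callback(callback_url, expected_state):
    """Interpret the redirect after the admin consents or refuses.

    Success carries admin_consent=True and the consenting tenant id; a refusal
    carries error / error_description. A state mismatch is rejected outright.
    """
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if q.get("state") != expected_state:
        raise ValueError("state mismatch: callback does not belong to our request")
    return {"granted": q.get("admin_consent", "").lower() == "true",
            "tenant": q.get("tenant"), "error": q.get("error"),
            "error_description": q.get("error_description")}
```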
