Sundeep S

Reputation: 51

Azure Active Directory Client Credential Flow

I'm using Azure Active Directory Client Credential Flow for my organization's Web API access control.

I have the below applications registered in the AD:

backend-app
client1
client2

Now, even if I do not give delegated access in client1 to backend-app, client1 is able to acquire a token for the resource "backend-app". Is there any way I can avoid this from happening? I do not want clients that I've not explicitly given delegated access to be able to acquire the token.

This flow works fine in native apps, where AAD throws an error indicating that client1 doesn't have the required permissions for backend-app.

Upvotes: 1

Views: 131

Answers (1)

rickvdbosch

Reputation: 15571

Under Enterprise applications - Application Name - Properties, there's a setting "User assignment required?". Setting this will only allow explicitly assigned users to access an application.

Taken from the infobox on the Azure Portal:

If this option is set to yes, then users must first be assigned to this application before being able to access it.

More info on Assign users and groups to an application in Azure Active Directory

Upvotes: 2
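Whatever the portal setting, the API side should still enforce authorization itself: in the client credentials flow, app roles defined on backend-app and granted to a client as application permissions arrive in the access token's `roles` claim, and a token that AAD issued to a client with no such grant simply carries no `roles` claim. The following is an added example (not code from the question or the answer) of what the backend's check looks like. It assumes hypothetical identifiers (`api://backend-app` as the audience, an app role named `Backend.Access`, caller IDs `client1` and `client2`) and uses a locally minted HS256 token as a constructed stand-in for a real AAD token, which is RS256-signed and must be validated against the tenant's JWKS with a JWT library; the signature code here exists only so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo key: stands in for the tenant's RS256 signing key.
# Real AAD access tokens are RS256-signed; verify them against the
# tenant's JWKS with a JWT library, not with an HMAC like this one.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"

# Assumed identifiers for this example (not from the original post).
BACKEND_APP_AUDIENCE = "api://backend-app"   # App ID URI of backend-app
REQUIRED_ROLE = "Backend.Access"             # app role defined on backend-app


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Mint a constructed HS256 token carrying the given claims (test helper)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def authorize(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Validate a bearer token and decide whether the caller may use backend-app.

    Returns (allowed, reason). Token validation (signature, expiry, audience)
    is necessary but not sufficient: a token AAD issued to a client with no
    application permission on backend-app passes all of it and is only
    rejected by the 'roles' check at the end.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"

    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # pin the expected algorithm
        return False, f"unexpected alg {header.get('alg')!r}"

    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("aud") != BACKEND_APP_AUDIENCE:
        return False, f"wrong audience {claims.get('aud')!r}"

    # The caller's client ID is 'appid' in v1 tokens ('azp' in v2 tokens).
    caller = claims.get("appid") or claims.get("azp")
    # App roles granted as application permissions appear in 'roles'.
    roles = claims.get("roles", [])
    if REQUIRED_ROLE not in roles:
        return False, f"caller {caller!r} lacks role {REQUIRED_ROLE!r}"
    return True, f"caller {caller!r} authorized"


def demo() -> Tuple[bool, bool]:
    """Constructed tokens: client2 was granted the app role, client1 was not."""
    now = time.time()
    base = {"aud": BACKEND_APP_AUDIENCE, "exp": now + 3600}
    granted = mint_token({**base, "appid": "client2", "roles": [REQUIRED_ROLE]})
    # AAD still issues client1 a token for backend-app, but without 'roles'.
    ungranted = mint_token({**base, "appid": "client1"})
    return authorize(granted, now)[0], authorize(ungranted, now)[0]


if __name__ == "__main__":
    print(demo())
```

The audience check matters as much as the role check: a client that holds a valid token for some other API must not be able to replay it against backend-app, and a role name only means something relative to the audience it was issued for.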
