Simon

Reputation: 1693

Using Microsoft Graph API to find all Applications with Admin Consent Granted

As per the title, I can't find anywhere that explicitly gives me the information, and my best guess was to use

https://graph.microsoft.com/v1.0/applications

and look at the requiredResourceAccess but that doesn't appear to provide the information about actual consent.

Is the mere presence of entries in here proof that admin consent was required? I'm going to guess no, as I added permissions to an app and, even before granting consent, the entries appeared in requiredResourceAccess, and the entries didn't change when I granted consent.

Upvotes: 1

Views: 1922

Answers (1)

Philippe Signoret

Reputation: 14326

When consent is granted for an application, three things may happen:

  1. A service principal (servicePrincipal) representing the identity of the client application (the one being given access) is created, if it didn't already exist.
  2. For every API to which the client application is granted delegated permissions, a delegated permission grant (oauth2PermissionGrant) is created.
  3. For every app-only permission the client application is granted, an app role assignment (appRoleAssignment) is created.

(Depending on which permission the app requires, #2 or #3 might be unnecessary.)

So, "what applications have been granted admin consent?" can be equated to "what service principals exist which have been granted tenant-wide delegated permissions, or app-only permissions?"

  1. To list all service principals in the tenant:

    GET https://graph.microsoft.com/v1.0/servicePrincipals

  2. To get all tenant-wide delegated permissions granted to a given service principal:

    GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants
           ?$filter=clientId eq {id} and consentType eq 'AllPrincipals'

  3. To get all app roles (app-only permissions) granted to a service principal:

    GET https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignments

To map the granted app role IDs or delegated permission scope values to display names and descriptions, you can look up the granted app roles in the appRoles and oauth2PermissionScopes collections on the resource service principal (i.e. the service principal representing the API).

This can all be done with Azure AD PowerShell and wrapped into a function to dump out delegated and app-only permission grants. Here is an example: Get-AzureADPSPermissions.ps1

Upvotes: 3
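The three Graph queries and the name-mapping step from the answer above, wired together as one script. This is an added example, not code from the answer or from the Get-AzureADPSPermissions.ps1 script it links; it uses Python rather than Azure AD PowerShell so the logic can run offline. The `fetch` function is a stand-in for an authenticated `GET` (swap in a real HTTP call with a bearer token), every object ID and display name in `SAMPLE` is constructed, and the `$filter` value is quoted as an OData string literal. Paging via `@odata.nextLink` is handled because a real tenant's servicePrincipals collection is returned in pages.

```python
"""List service principals that hold tenant-wide (admin-consented) delegated
permissions or app-only permissions, using the Graph endpoints from the answer.
Example code, not from the original post. SAMPLE holds constructed responses
keyed by request URL so the script runs without a tenant."""
import json

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample Graph responses (no real tenant data). The servicePrincipals
# listing is split over two pages to exercise @odata.nextLink handling.
SAMPLE = {
    f"{GRAPH}/servicePrincipals": {
        "value": [{"id": "sp-reporting", "appId": "app-0001",
                   "displayName": "Contoso Reporting"}],
        "@odata.nextLink": f"{GRAPH}/servicePrincipals?$skiptoken=page2",
    },
    f"{GRAPH}/servicePrincipals?$skiptoken=page2": {
        "value": [
            {"id": "sp-unused", "appId": "app-0002", "displayName": "Unused App"},
            # Resource service principal (the API); carries the catalogues used
            # to turn role IDs and scope values into readable names.
            {"id": "sp-graph", "appId": "app-graph", "displayName": "Microsoft Graph",
             "appRoles": [{"id": "role-dir-read", "value": "Directory.Read.All",
                           "displayName": "Read directory data"}],
             "oauth2PermissionScopes": [
                 {"id": "scope-user-read", "value": "User.Read",
                  "adminConsentDisplayName": "Sign in and read user profile"},
                 {"id": "scope-mail-read", "value": "Mail.Read",
                  "adminConsentDisplayName": "Read user mail"}]},
        ]
    },
    # Query 2: tenant-wide delegated grants, one per client service principal.
    f"{GRAPH}/oauth2PermissionGrants?$filter=clientId eq 'sp-reporting' and consentType eq 'AllPrincipals'": {
        "value": [{"clientId": "sp-reporting", "resourceId": "sp-graph",
                   "consentType": "AllPrincipals", "scope": "User.Read Mail.Read"}]},
    f"{GRAPH}/oauth2PermissionGrants?$filter=clientId eq 'sp-unused' and consentType eq 'AllPrincipals'": {"value": []},
    f"{GRAPH}/oauth2PermissionGrants?$filter=clientId eq 'sp-graph' and consentType eq 'AllPrincipals'": {"value": []},
    # Query 3: app role assignments (app-only permissions) per service principal.
    f"{GRAPH}/servicePrincipals/sp-reporting/appRoleAssignments": {
        "value": [{"principalId": "sp-reporting", "resourceId": "sp-graph",
                   "appRoleId": "role-dir-read", "resourceDisplayName": "Microsoft Graph"}]},
    f"{GRAPH}/servicePrincipals/sp-unused/appRoleAssignments": {"value": []},
    f"{GRAPH}/servicePrincipals/sp-graph/appRoleAssignments": {"value": []},
}


def fetch(url):
    """Stand-in for an authenticated GET; replace the body with a real HTTP
    call carrying an Authorization: Bearer header to run against a tenant."""
    return SAMPLE[url]


def fetch_all(url):
    """Follow @odata.nextLink until the collection is fully enumerated."""
    items = []
    while url:
        page = fetch(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def tenant_wide_delegated_grants(sp_id):
    """Query 2 from the answer: consentType 'AllPrincipals' = admin consent."""
    return fetch_all(f"{GRAPH}/oauth2PermissionGrants"
                     f"?$filter=clientId eq '{sp_id}' and consentType eq 'AllPrincipals'")


def app_role_assignments(sp_id):
    """Query 3 from the answer: app-only permissions always need admin consent."""
    return fetch_all(f"{GRAPH}/servicePrincipals/{sp_id}/appRoleAssignments")


def admin_consented_apps():
    """Return one record per client service principal that holds any
    tenant-wide delegated grant or app role assignment, with names resolved
    against the resource service principal's appRoles/oauth2PermissionScopes."""
    sps = fetch_all(f"{GRAPH}/servicePrincipals")
    by_id = {sp["id"]: sp for sp in sps}
    report = []
    for sp in sps:
        delegated = []
        for grant in tenant_wide_delegated_grants(sp["id"]):
            resource = by_id.get(grant["resourceId"], {})
            scopes = {s["value"]: s for s in resource.get("oauth2PermissionScopes", [])}
            for value in grant.get("scope", "").split():   # space-separated list
                delegated.append({
                    "resource": resource.get("displayName", grant["resourceId"]),
                    "scope": value,
                    "name": scopes.get(value, {}).get("adminConsentDisplayName", "(unknown scope)")})
        app_only = []
        for a in app_role_assignments(sp["id"]):
            resource = by_id.get(a["resourceId"], {})
            role = {r["id"]: r for r in resource.get("appRoles", [])}.get(a["appRoleId"], {})
            app_only.append({
                "resource": a.get("resourceDisplayName", a["resourceId"]),
                "role": role.get("value", a["appRoleId"]),
                "name": role.get("displayName", "(unknown role)")})
        if delegated or app_only:
            report.append({"client": sp["displayName"], "clientId": sp["id"],
                           "delegated": delegated, "appOnly": app_only})
    return report


if __name__ == "__main__":
    print(json.dumps(admin_consented_apps(), indent=2))
```

On the sample data only "Contoso Reporting" is reported, because "Unused App" has a service principal but no grants: a service principal's existence alone does not mean consent was given, which is the same reason requiredResourceAccess on the application object is not evidence either. Per-user grants (consentType 'Principal') are deliberately excluded by the filter, so this reports admin consent specifically.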
