Reputation: 308
Azure AD - App Registration - Tenant Consent
I have a question regarding a multi-tenant App Registration in Azure AD. The first time a user logs in through the app it will ask him to grant his consent to access some of his data if necessary or ask an administrator to grant a tenant level consent. This is just fine.
But what if a change is made to the App Registration (Logout URL modified for example)? Is it possible that the users that never used the app registration already will need to grant their consent or that a tenant administrator might need to give his consent again?
Upvotes: 1
Views: 663
Answers (2)
Reputation: 14356
Changing your redirect URLs or logout URL will not cause the consent to be prompted for again.
Changing the configured permissions also won't cause users who have already granted consent to have to grant consent again (but the app will only have the permissions it had been originally granted).
Users will only be prompted for consent in the following situations:
- If your application dynamically requests a permissions which has not been granted (e.g.
scope=https://graph.microsoft.com/Mail.Read, if Mail.Read has not been granted. - If your application requests access to ".default" for a resource, and no permissions have been granted for that resource. For example, if you application requests
scope=https://graph.microsoft.com/.defaultand no delegated permissions for Microsoft Graph have been granted, the user will be prompted for consent (for all permissions configured in the app registration). If any permission for the requested resource have been granted, the user will not be prompted for consent. - If your application forces user consent using
prompt=consent. Don't do this—there is almost no situation where this is necessary. (Read a lot more on this at https://stackoverflow.com/a/60151790/325697.)
Upvotes: 2
Reputation: 16458
Yes. If you modify properties such as redirect url, permissions, logout url and so on, you have to make admins from other tenant do the admin consent again to make it effective.
Using admin consent url is the quickest way:
https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}
Upvotes: 1
Related Questions
- Azure AD Automatic User Provisioning With App registration
- Azure App Registration and Service Principal
- How to consent to an Azure Active Directory Enterprise App for Multi-Tenant Login without Publisher Approval during development?
- Azure AD App Registration for Multi tenant and Personal accounts using powershell
- Let the user create Azure Active Directory App registrations for our app?
- Proper way to register Azure AD multi-tenant app in Azure AD B2C
- App Registrations in Azure AD
- How do I register an app in client's active directory using my multi tenant app in microsoft azure?
- Azure Active Directory - supporting multi-tenant consented app scenario
- How to consent an app and its dependent services in AAD