Azure AD and Office 365 APIs – User Consent vs. Admin Consent

Posted on 1/29/2015 @ 10:11 PM in #SharePoint

Applications targeting the Office 365 APIs, or for that matter Azure AD, participate in a consent flow. There are two kinds of consent:

  • User consent: normal users say “okay”. This means any user can install the application and allow the app to access that user’s resources. Think of this as “connect this app to my O365/Azure AD resources”.
  • Admin consent: administrator-type users say “okay”. This means users in the “Global admin” group can give an “ok” to the app, and that “ok” is granted on behalf of all users in the Azure AD tenant. End users therefore do not have to grant access themselves; it is granted on their behalf by the admin. Think of this as “let my organization use this app”.

Some apps may choose to implement both!

Now you may think: as an admin, I don’t want people using random apps downloaded from app stores and granting them access to restricted Office 365 resources. And yes, you would be right. By default, however, that is exactly what you get: users can download an app and grant it access. A regulatory/policing nightmare, you say? Yeah!
So – Azure AD Premium allows you to run reports to see which apps are installed and in use. But that’s a report on the damage already done :-). How do you prevent the damage from occurring in the first place?

Thankfully, a solution exists. You can turn off “user consent” for a tenancy, and (at least as of now) this is doable only via PowerShell.

Here is how: load the Azure AD PowerShell module and run the following,

   # Sign in to the tenant with a Global admin account
   $msolcred = Get-Credential
   Connect-MsolService -Credential $msolcred
   # Turn off end-user consent for the whole tenant
   Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled:$false
   # Verify the change: the property should now read False
   Get-MsolCompanyInformation | Format-List DisplayName,UsersPermissionToUserConsentToAppEnabled

So there you go, your policing fetish has a solution. But unfortunately this restriction has a serious downside. It means no more native apps can be installed, by users or by admins. Existing apps continue to work until they are revoked or uninstalled, because the refresh tokens already issued to them remain valid.
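As an added example (not code from the original post), here is an audit-first wrapper around the tenant switch above, plus an inventory of the service principals already present in the tenant, which matters because existing apps keep working after the switch is flipped. It assumes the MSOnline module is installed, Connect-MsolService has already been run as a Global admin, and that Get-MsolServicePrincipal -All is available; the function names are hypothetical.

```powershell
# Added example, not from the original post. Assumes the MSOnline module and an
# existing Connect-MsolService session with Global admin rights.
function Test-UserConsentDisabled {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Report only by default; change the tenant only when -Enforce is given
        [switch]$Enforce
    )
    $info = Get-MsolCompanyInformation
    if ($info.UsersPermissionToUserConsentToAppEnabled) {
        Write-Warning "Tenant '$($info.DisplayName)': end users can consent to apps."
        if ($Enforce -and $PSCmdlet.ShouldProcess($info.DisplayName, "Disable user consent")) {
            Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled:$false
            # Re-read the setting instead of trusting the call: verify it actually landed
            $info = Get-MsolCompanyInformation
        }
    }
    # $true when user consent is off, $false when users can still consent
    return (-not $info.UsersPermissionToUserConsentToAppEnabled)
}

function Get-ServicePrincipalInventory {
    # Every app that has been consented to leaves a service principal behind; the
    # list also includes first-party Microsoft services, so review it rather than
    # treating each entry as a third-party app. Turning off user consent does not
    # revoke any of these, which is why the inventory is worth keeping.
    Get-MsolServicePrincipal -All |
        Where-Object { $_.AccountEnabled } |
        Select-Object DisplayName, AppPrincipalId, ObjectId |
        Sort-Object DisplayName
}

# Usage: report first, then enforce with a confirmation prompt, then review what remains
Test-UserConsentDisabled
Test-UserConsentDisabled -Enforce -Confirm
Get-ServicePrincipalInventory | Format-Table -AutoSize
```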

My feeling is, this ‘on or off’ approach is less than ideal. Ideally the admin should have an easy UI to allow or disallow individual apps. But we all know this platform is maturing as we speak!
