
The documentation for the Azure AD on-behalf-of flow indicates that combined consent does not work for personal Microsoft accounts. It says that "other strategies present themselves."

  1. It only actually provides one other strategy (using a combined AAD application for both the web app and the middle tier service). Are there actually other strategies to solve this or is there just this one?
  2. No drawbacks to the single application approach are listed. Are there any drawbacks? I assume there must be some, otherwise using a single application would be the default approach and not a workaround for this specific problem.

Thanks!

Auth Infant
  • I guess another approach could be to have an onboarding flow in your app where the user is asked to consent to the middle tier first, and the Web app second. – juunas Nov 22 '19 at 06:30
  • I think the article talks about consent for a personal account. Not about combining web app and web API with one azure ad app. – Vikrant Singh Nov 27 '19 at 13:43
  • I'm pretty sure it calls out "In this scenario, you may find it easier to make this a single application, negating the need for a middle-tier application altogether." under the section on consent for Azure AD+Microsoft account applications in reference to the "nor is there the ability to do combined consent" restriction. – Auth Infant Nov 27 '19 at 15:35
