0

I have multiple queries relating to application design. based on what i read from

https://learn.microsoft.com/en-us/azure/active-directory/develop/permissions-consent-overview#comparison-of-delegated-and-application-permissions

I need Application permissions to manage my client's o365. such as 'Exchange.ManageAsApp' and other permissions on client's request.

but other than that I would also need to assign the service principal created in client's tenant to a Exchange Administrator role or even Help Desk administrator role. for that I would need temporary elevated privileges. this makes the consent screen stack up with many permissions.

  1. what would be the best way to approach such scenario?

  2. after consent, I can confirm if user has accepted permissions at redirect uri endpoint, how do i handle if in future, enough permissions to perform admin level tasks are still available or user just deleted the service principal, or revoked the SP permissions?

  3. is it a good idea to separate tenant on-boarding to one AD application and create a separate AD application for each service (Exchange level, later user management, and other service in future) I provide? and generate admin consent for each service client opted.

I am unable to request Application SCOPES other than Graph API dynamically. I had to go with ".default" scope that requests all static permissions at once which floods the consent screen.

P V Ajay Thota
  • 91
  • 1
  • 2
  • 7

1 Answers1

1

I tried to reproduce the same in my environment and got the results successfully as below:

I created an Azure AD Application and added API permissions for sample:

enter image description here

I used below authorize endpoint to authorize the users to the Application as below:

https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
&client_id=ClientId
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default 
&state=12345

When I used scope=https://graph.microsoft.com/.default all the API permissions reflected in the consent screen:

enter image description here

To avoid consenting all the API permissions you can specify the specific permissions as below:

https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
&client_id=ClientId
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=openid email 
&state=12345

enter image description here

Need to assign the service principal created in client's tenant to Exchange Administrator role or even Help Desk administrator role for that I would need temporary elevated privileges.

As a workaround, you can specify the role assignment time period while assigning the role to the Service Principal as below:

enter image description here

I assigned the Exchange Administrator role specifying the Time period as below:

enter image description here

Is it a good idea to separate tenant on-boarding to one AD application and create a separate AD application for each service.

Yes, creating separate the Azure AD applications for each service simplifies the consent process and it reduces the permissions requested and you can request admin consent separately for each service.

Reference:

Overview of permissions and consent in the Microsoft identity platform - Microsoft Entra

Rukmini
  • 6,015
  • 2
  • 4
  • 14
  • @Rukmini, Thank you for your answer, but does the 'role assignment' needs to be done at the client side? or can be done via graph client? if we have to do with graph client, I would need any elevated privileges. – P V Ajay Thota Mar 01 '23 at 16:19
  • 1
    Role assignments must need elevated privileges in any way. – Rukmini Mar 01 '23 at 16:29