Granting Azure Application consent on behalf of the user

There can be situations where you need to grant application consent on behalf of a user. Our use case arose when we removed the ability to grant application user consent from our users. The reason behind this was to minimize the risk of users granting permissions to malicious applications.

When you remove this permission from users, they will need to request admin consent every time they want to use a new Azure application. Monitoring of such requests was covered in the post "Automatic Jira ticket creation for Azure application admin consent requests".

To be able to quickly grant permission consents on behalf of our users, I've created the PowerShell function Add-AzureADAppUserConsent, which is part of my AzureADStuff module.

This function depends on several modules: AzureAD, Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns.

How to use

Install-Module AzureADStuff -Scope CurrentUser

Import-Module AzureADStuff

Connect-AzureAD

# a) grant consent on behalf of the "john@contoso.onmicrosoft.com" user to application "Salesforce Inbox" (has ID 00b263e4-3497-4650-b082-3197cfdfdd7c)
# based on one of the existing user consents
Add-AzureADAppUserConsent -clientAppId "00b263e4-3497-4650-b082-3197cfdfdd7c" -copyExistingConsent -userUpnOrId "john@contoso.onmicrosoft.com"

# b) grant specific consent on behalf of the "john@contoso.onmicrosoft.com" user to application "Salesforce Inbox" (00b263e4-3497-4650-b082-3197cfdfdd7c)
# over resource (ent. application) "Office 365 Exchange Online" (02ad85cd-02ce-4902-a319-1af611526021) and "Windows Azure Active Directory" (88690023-f9e1-4728-9028-cdcc6bf67d22).
# Keys are resource IDs, values are the delegated permission (scope) names to grant on that resource.
$consent = @{
    # Windows Azure Active Directory permissions
    "88690023-f9e1-4728-9028-cdcc6bf67d22" = "User.Read"
    # Office 365 Exchange Online permissions
    "02ad85cd-02ce-4902-a319-1af611526021" = "User.Read", "Contacts.ReadWrite", "Calendars.ReadWrite", "Mail.Send", "Mail.ReadWrite", "EWS.AccessAsUser.All"
}
Add-AzureADAppUserConsent -clientAppId "00b263e4-3497-4650-b082-3197cfdfdd7c" -consent $consent -userUpnOrId "john@contoso.onmicrosoft.com"
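To verify what such a grant looks like in the tenant afterwards (or to review which delegated permissions a user had already consented to), the following added example lists a user's per-user consents (oauth2PermissionGrant objects) through Microsoft Graph. It is not part of the AzureADStuff module; the function name Get-UserAppConsent is hypothetical, and it assumes the Microsoft.Graph modules listed above are installed.

```powershell
# Added example, not from the AzureADStuff module. Lists the delegated permission grants
# (oauth2PermissionGrant objects) that exist for one user; a consent granted on the user's
# behalf shows up here with ConsentType 'Principal'. Function name is hypothetical.
function Get-UserAppConsent {
    param(
        [Parameter(Mandatory)] [string] $UserUpnOrId,
        [string] $ClientAppId   # optional: restrict to one application (its appId)
    )

    # Read-only scopes are sufficient for auditing consents
    Connect-MgGraph -Scopes 'User.Read.All', 'Application.Read.All', 'DelegatedPermissionGrant.Read.All' | Out-Null

    $user = Get-MgUser -UserId $UserUpnOrId -Property Id, UserPrincipalName

    # Grants consented by this specific user carry principalId; tenant-wide admin consents
    # (ConsentType 'AllPrincipals') have no principalId and are therefore not listed here
    $filter = "principalId eq '$($user.Id)'"
    if ($ClientAppId) {
        $clientSp = Get-MgServicePrincipal -Filter "appId eq '$ClientAppId'"
        if (-not $clientSp) { throw "No service principal found for appId $ClientAppId" }
        $filter += " and clientId eq '$($clientSp.Id)'"
    }
    $grants = Get-MgOauth2PermissionGrant -Filter $filter -All

    # Grants reference client and resource by service principal object id; resolve names once
    $spCache = @{}
    foreach ($g in $grants) {
        foreach ($id in @($g.ClientId, $g.ResourceId)) {
            if (-not $spCache.ContainsKey($id)) {
                $spCache[$id] = Get-MgServicePrincipal -ServicePrincipalId $id -Property DisplayName, AppId
            }
        }
        [pscustomobject]@{
            User        = $user.UserPrincipalName
            Client      = $spCache[$g.ClientId].DisplayName
            ClientAppId = $spCache[$g.ClientId].AppId
            Resource    = $spCache[$g.ResourceId].DisplayName
            ConsentType = $g.ConsentType
            # Scope is a space-separated string of delegated permission names
            Scopes      = (($g.Scope -split ' ') | Where-Object { $_ }) -join ', '
        }
    }
}

# Check the result of the grant from the examples above
Get-UserAppConsent -UserUpnOrId 'john@contoso.onmicrosoft.com' | Format-Table -AutoSize
```

Comparing the Scopes column with the permissions you intended to grant is a quick way to catch an over-broad consent before the application is used.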

Support Ondrej Sebela by becoming a sponsor. Any amount is appreciated!