DEVHIDE
Login Or Sign up

Is there any way to know if a user gave consent on behalf of an organization

194 Views Asked by At

Organization administrators have an option to "Consent on behalf of your organization".

This feature enables them to give consent for all users within the organization. As a result, users of the organization can sign up without needing to provide individual consent. In Microsoft documentation, this is referred to as admin consent.

Is it possible to check if organization-wide consent was given using any of the following sources:

  1. OAuth response or JWT Token
  2. Microsoft Graph API
oauth-2.0 microsoft-graph-api microsoft-oauth
Original Q&A
1

There are 1 best solutions below

0
On BEST ANSWER

You can list oAuth2PermissionGrant entities, which represent delegated permissions granted to enable a client application to access an API on behalf of the user.

oAuth2PermissionGrant has the property consentType which indicates if authorization is granted for the client application to impersonate all users (tenant-wide) or only a specific user.

Possible values of the consentType property are:

  • AllPrincipals - tenant-wide consent
  • Principal - consent for a specific user

You can filter permission grants by consentType

https://graph.microsoft.com/v1.0/oauth2PermissionGrants?$filter=consentType eq 'AllPrincipals'

The response looks like this

{
    "value": [
        {
            "clientId": "f5913df3-bd00-4259-aa45-a17a008b033c",
            "consentType": "AllPrincipals",
            "id": "xxx",
            "principalId": null,
            "resourceId": "0741d31a-647d-4821-b3d6-99aeea5e0123",
            "scope": "User.Read User.ReadBasic.All"
        },
        {
            "clientId": "f5913df3-bd00-4259-aa45-a17a008b033c",
            "consentType": "AllPrincipals",
            "id": "xxx",
            "principalId": null,
            "resourceId": "3c4020a9-f9ce-4790-ba8f-4f85b0ff62d5",
            "scope": "Files.Read.All"
        },
        ...
    ]
}

It can return more records for a specific clientId if some sets of permissions have been granted during time.

To find details about the client app, use clientId in the request

https://graph.microsoft.com/v1.0/servicePrincipals/{clientId}

Related Questions in OAUTH-2.0

Related Questions in MICROSOFT-GRAPH-API

Related Questions in MICROSOFT-OAUTH

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.