Table of Contents
What has changed?
Microsoft have removed ability for getting user consent for unverified applications. This is an great addition towards security but it will make your life harder as a admin and as a software publisher.
Different options
Let’s go thru with the options that have for getting users access to applications in a multi-tenant environment.
Publisher verification
When Microsoft revoked the possibility for the User to grant consent to their own info they introduced a Publisher verification method.
Why you ask? Well because all the non-gallery apps are un-verified and therefore not trusted by the tenant that will connect to your published application.
You can connect to this menu from branding portal inside app registration.
The only bad thing here is that Your MPN ID suffix has to be the same than the suffix registed to the MPN ID inside Microsoft Partner portal.
User consent
Enabling User based consent is still available but it’s the most unsecure solution of the whole bunch.
You can access User consent options in:
https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/UserSettings
In here You can also see an option for the Allow consent for apps from verified publishers (which needs the first MPN solution to be enabled)
Admin approval flow
You can also add an Admin approval flow to register application. All the application consent request will be sent to Admins that are defined as approvers.
You can access this menu from:
You can define a time period for the consent with a maximum of 60 days.
End-users need to provide Justification to send a request to Admins.
Admin gets the request.
And accepts the request.
But the screen is different, there isn’t anymore a box to tick for whole organization.
And the application will be provisioned to Enterprise applications.
Admin consent behalf of the whole organization
If admin user logins to the application and gives their consent for the whole organization, the application will be registered to Enterprise Applications in the source tenant.
And the application will be provisioned inside Enterprise Applications.
Construct the URL for granting tenant-wide admin consent
The following will ask Admin consent and register External Multi-tenant app as Enterprise application to Your own tenant.
https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}
where:
{client-id} is the application’s client ID in the external Azure AD (also known as application ID).
{tenant-id} is your own organization’s tenant ID