Multi-tenant App registration and user (Admin) consent

What has changed?

Microsoft has removed the ability for users to grant consent to unverified applications. This is a great step forward for security, but it makes life harder for you as an admin and as a software publisher.

Different options

Let's go through the options available for giving users access to applications in a multi-tenant environment.

Publisher verification

When Microsoft removed the option for users to grant consent to their own data, they introduced a publisher verification method.

Why, you ask? Because all non-gallery apps are unverified and therefore not trusted by the tenant that connects to your published application.

You can reach this setting from the Branding menu inside the app registration.

The only drawback is that your MPN ID suffix has to be the same as the suffix registered to the MPN ID inside the Microsoft Partner portal.

User consent

Enabling user-based consent is still available, but it is the least secure option of the whole bunch.

You can access User consent options in:

https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/UserSettings

Here you can also see the option to allow consent for apps from verified publishers (which requires the publisher verification / MPN setup described first to be in place).

Admin approval flow

You can also add an admin approval flow for registering applications. All application consent requests are then sent to the admins defined as approvers.

You can access this menu from:

https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/UserSettings

You can define a time period for the consent with a maximum of 60 days.

End users need to provide a justification to send the request to the admins.

The admin receives the request and accepts it.

The consent screen is different here: there is no longer a box to tick for consenting on behalf of the whole organization.

The application is then provisioned to Enterprise applications.

Admin consent on behalf of the whole organization

If an admin user logs in to the application and gives consent on behalf of the whole organization, the application is registered under Enterprise Applications in the source tenant.

The application is then provisioned inside Enterprise Applications.

Construct the URL for granting tenant-wide admin consent

The following URL requests admin consent and registers the external multi-tenant app as an enterprise application in your own tenant.

https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}

where:

{client-id} is the application's client ID in the external Azure AD (also known as the application ID).

{tenant-id} is your own organization's tenant ID.
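As an added example (not code from the original post), the following Python builds the admin consent URL described above and validates the redirect that Azure AD sends back once the admin has decided. The URL shape comes from the post; the optional state and redirect_uri parameters and the admin_consent, tenant and error fields on the callback follow the documented behaviour of the adminconsent endpoint. All GUIDs, the callback address and the sample callback URLs are constructed values.

```python
"""
Added example: build a tenant-wide admin consent URL for an external
multi-tenant app and validate the callback Azure AD issues afterwards.
GUIDs, redirect address and sample callbacks below are constructed.
"""
import re
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def build_admin_consent_url(tenant_id: str, client_id: str,
                            redirect_uri: Optional[str] = None,
                            state: Optional[str] = None) -> Tuple[str, str]:
    """Return (url, state).

    tenant_id is YOUR organization's tenant ID; client_id is the external
    multi-tenant app's application (client) ID. A random state is generated
    when none is supplied so the callback can be tied to this request.
    """
    if not GUID_RE.match(tenant_id):
        raise ValueError("tenant_id must be a tenant GUID")
    if not GUID_RE.match(client_id):
        raise ValueError("client_id must be the application (client) ID GUID")
    state = state or secrets.token_urlsafe(16)
    params = {"client_id": client_id, "state": state}
    if redirect_uri:
        params["redirect_uri"] = redirect_uri
    url = (f"https://login.microsoftonline.com/{tenant_id}/adminconsent?"
           f"{urlencode(params)}")
    return url, state


def check_admin_consent_callback(callback_url: str, expected_tenant: str,
                                 expected_state: str) -> bool:
    """Validate the redirect returned after the admin accepts or cancels.

    Returns True only if consent was granted, the state round-tripped
    unchanged, and the consenting tenant is the one the URL was built for.
    A state mismatch or a foreign tenant raises instead of returning False.
    """
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    if "error" in query:
        # e.g. error=permission_denied when the admin cancels the prompt
        return False
    granted = query.get("admin_consent", [""])[0].lower() == "true"
    tenant = query.get("tenant", [""])[0].lower()
    if granted and tenant != expected_tenant.lower():
        raise ValueError(f"consent was granted in unexpected tenant {tenant!r}")
    return granted


# Constructed sample values for a stand-alone run.
MY_TENANT = "11111111-2222-3333-4444-555555555555"
EXTERNAL_APP = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
CALLBACK = "https://localhost/consent-callback"   # hypothetical redirect URI


def demo() -> Tuple[str, bool, bool]:
    """Build a URL, then evaluate an accepted and a cancelled callback."""
    url, state = build_admin_consent_url(MY_TENANT, EXTERNAL_APP, CALLBACK)
    accepted = (f"{CALLBACK}?admin_consent=True&tenant={MY_TENANT}"
                f"&state={state}")
    cancelled = (f"{CALLBACK}?error=permission_denied"
                 f"&error_description=The+admin+canceled+the+request"
                 f"&state={state}")
    return (url,
            check_admin_consent_callback(accepted, MY_TENANT, state),
            check_admin_consent_callback(cancelled, MY_TENANT, state))


if __name__ == "__main__":
    built_url, ok, denied = demo()
    print("consent URL:", built_url)
    print("accepted callback granted consent:", ok)
    print("cancelled callback granted consent:", denied)
```

The tenant check in check_admin_consent_callback is the part worth keeping in a real integration: the callback tells you which tenant actually consented, and an app that records consent without comparing it to the tenant it intended will happily accept a grant from somewhere else.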

Author: Harri Jaakkonen