Organization administrators have an option to "Consent on behalf of your organization".
This feature enables them to give consent for all users within the organization. As a result, users of the organization can sign up without needing to provide individual consent. In Microsoft documentation, this is referred to as admin consent.
Is it possible to check if organization-wide consent was given using any of the following sources:
You can list oAuth2PermissionGrant entities, which represent delegated permissions granted to enable a client application to access an API on behalf of the user.
oAuth2PermissionGrant has the property consentType, which indicates whether authorization is granted for the client application to impersonate all users (tenant-wide) or only a specific user. Possible values of the consentType property are:

- AllPrincipals - tenant-wide consent
- Principal - consent for a specific user

You can filter permission grants by consentType:
https://graph.microsoft.com/v1.0/oauth2PermissionGrants?$filter=consentType eq 'AllPrincipals'
The response looks like this:

```json
{
  "value": [
    {
      "clientId": "f5913df3-bd00-4259-aa45-a17a008b033c",
      "consentType": "AllPrincipals",
      "id": "xxx",
      "principalId": null,
      "resourceId": "0741d31a-647d-4821-b3d6-99aeea5e0123",
      "scope": "User.Read User.ReadBasic.All"
    },
    {
      "clientId": "f5913df3-bd00-4259-aa45-a17a008b033c",
      "consentType": "AllPrincipals",
      "id": "xxx",
      "principalId": null,
      "resourceId": "3c4020a9-f9ce-4790-ba8f-4f85b0ff62d5",
      "scope": "Files.Read.All"
    },
    ...
  ]
}
```
It can return multiple records for a specific clientId if different sets of permissions have been granted over time.

To find details about the client app, use the clientId in the request:

https://graph.microsoft.com/v1.0/servicePrincipals/{clientId}
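As an added example (not part of the answer above, and not Microsoft's own tooling), the following script turns the approach described into a small audit: it walks the oauth2PermissionGrants collection page by page (following `@odata.nextLink`), merges the scope strings of every AllPrincipals record per clientId and resourceId, since one client can have several grant records, and flags scopes ending in `.All` for closer review. The response pages are constructed sample data shaped like the JSON in the answer; the GUIDs, grant ids and the `broad_scopes` heuristic are assumptions for illustration, and `graph_get` is an assumed helper for live use with a bearer token.

```python
"""Audit tenant-wide (admin) consent grants via Microsoft Graph oauth2PermissionGrants.

Added example, not from the original answer. Runs offline against constructed
sample pages; graph_get() shows how the same functions would be fed live data.
"""
import json
import urllib.request
from collections import defaultdict

GRAPH = "https://graph.microsoft.com/v1.0"
# Filter from the answer: only grants whose consentType is AllPrincipals (tenant-wide)
GRANTS_URL = f"{GRAPH}/oauth2PermissionGrants?$filter=consentType eq 'AllPrincipals'"

CLIENT_A = "f5913df3-bd00-4259-aa45-a17a008b033c"   # from the answer's sample response
CLIENT_B = "11111111-2222-3333-4444-555555555555"   # constructed placeholder
RES_GRAPH = "0741d31a-647d-4821-b3d6-99aeea5e0123"  # resourceId from the answer
RES_OTHER = "3c4020a9-f9ce-4790-ba8f-4f85b0ff62d5"  # resourceId from the answer

# Constructed sample pages keyed by URL. Page 1 links to page 2 via @odata.nextLink.
# The Principal-type record on page 2 would not be returned with the $filter above;
# it is included only to show that the parser still checks consentType itself.
SAMPLE_PAGES = {
    GRANTS_URL: {
        "value": [
            {"clientId": CLIENT_A, "consentType": "AllPrincipals", "id": "grant-1",
             "principalId": None, "resourceId": RES_GRAPH,
             "scope": "User.Read User.ReadBasic.All"},
            {"clientId": CLIENT_A, "consentType": "AllPrincipals", "id": "grant-2",
             "principalId": None, "resourceId": RES_OTHER, "scope": "Files.Read.All"},
        ],
        "@odata.nextLink": GRANTS_URL + "&$skiptoken=page2",
    },
    GRANTS_URL + "&$skiptoken=page2": {
        "value": [
            # second grant record for the same client/resource: scopes must be merged
            {"clientId": CLIENT_A, "consentType": "AllPrincipals", "id": "grant-3",
             "principalId": None, "resourceId": RES_GRAPH, "scope": "Mail.Read"},
            {"clientId": CLIENT_B, "consentType": "AllPrincipals", "id": "grant-4",
             "principalId": None, "resourceId": RES_GRAPH, "scope": "User.Read"},
            {"clientId": CLIENT_B, "consentType": "Principal", "id": "grant-5",
             "principalId": "a-single-user-id", "resourceId": RES_GRAPH,
             "scope": "Files.ReadWrite.All"},
        ],
    },
}


def iter_grants(url, get):
    """Yield every grant record, following @odata.nextLink until the last page."""
    while url:
        page = get(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def tenant_wide_scopes(grants):
    """Map clientId -> resourceId -> sorted list of scopes granted for all users.

    Only AllPrincipals records count; a Principal record covers one user and is
    skipped even if it slipped past the server-side filter.
    """
    summary = defaultdict(lambda: defaultdict(set))
    for g in grants:
        if g.get("consentType") != "AllPrincipals":
            continue
        summary[g["clientId"]][g["resourceId"]].update(g.get("scope", "").split())
    return {c: {r: sorted(s) for r, s in res.items()} for c, res in summary.items()}


def broad_scopes(summary):
    """Heuristic (assumption): scopes ending in '.All' reach across the whole tenant's
    data and deserve review first. Returns clientId -> sorted list of such scopes."""
    out = {}
    for client, resources in summary.items():
        found = sorted({s for scopes in resources.values() for s in scopes if s.endswith(".All")})
        if found:
            out[client] = found
    return out


def service_principal_url(client_id):
    """Request URL from the answer for looking up the client app's details."""
    return f"{GRAPH}/servicePrincipals/{client_id}"


def graph_get(url, token):
    """Assumed live fetcher: GET a Graph URL with a bearer token (not used offline)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    summary = tenant_wide_scopes(iter_grants(GRANTS_URL, SAMPLE_PAGES.__getitem__))
    for client, resources in summary.items():
        print(f"{client}  ({service_principal_url(client)})")
        for resource, scopes in resources.items():
            print(f"  resource {resource}: {' '.join(scopes)}")
    print("broad scopes to review:", broad_scopes(summary))
```

For a live run, replace `SAMPLE_PAGES.__getitem__` with `lambda u: graph_get(u, token)` using a token that holds permission to read the grants; the parsing and grouping code does not change.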