How to disable consent on behalf of organization

Nikolai Orekhov 20 Reputation points
2024-11-25T16:29:33.7066667+00:00

My application needs to subscribe to a number of other user presences.

Therefore I request the permission Presence.Read.All.

When an admin accesses the authorize endpoint, I see a checkbox "Consent on behalf of your organization" in the UI. So I have questions about it.

  1. If the admin checks it, does it mean that any user can now get this permission without admin consent? (Basically, consent was already given.)
  2. If yes, can I somehow (pre-)disable this checkbox in the UI? I don't want the admin to check it because I don't really need it. He only needs to give consent for himself. What if he accidentally checks it?

Basically, I want to stop the admin from making a mistake here.


Accepted answer
  1. Vinodh247 24,726 Reputation points MVP
    2024-11-25T17:00:03.1333333+00:00

    Hi,

    Thanks for reaching out to Microsoft Q&A.

    To handle the scenario where you want to disable or restrict the "Consent on behalf of your organization" checkbox in the Azure AD authorization consent UI, here are some insights and potential solutions:

    Key Points about Consent Behavior:

    1. What happens if the admin checks "Consent on behalf of your organization"?
       • If the admin selects this option and consents, the permission (ex: Presence.Read.All) is granted tenant-wide. This means that other users in the organization will not need admin consent to use this permission when accessing your application.
       • Essentially, the consent is stored as an admin consent for the organization.
    2. What happens if the admin does not check "Consent on behalf of your organization"?
       • The consent is granted only for the admin user themselves, and other users in the organization will need to request admin consent individually if they try to use the application.

    How to Disable the Checkbox or Prevent Admin from Granting Tenant-Wide Consent?

    Unfortunately, Azure AD does not provide a direct mechanism to disable or remove the "Consent on behalf of your organization" checkbox in the UI. However, you can achieve the desired behavior through the following approaches:

    1. Use App-Only Permissions Instead of Delegated Permissions
       • If possible, use app-only permissions (application-level permissions) instead of delegated permissions. App-only permissions require admin consent but do not depend on individual user interactions. This eliminates the need for user or admin consent entirely for individual users.
       • Example: Instead of Presence.Read.All (delegated), use Presence.Read.All (application).
    2. Configure the App Registration for "User Consent Disabled"
       • Restrict the app registration in Azure AD to not allow user-level or admin-wide consent by modifying your app's Azure AD Enterprise Application settings:
         • Go to Azure AD > Enterprise Applications > Select your app.
         • Under Permissions, review the granted permissions and remove any "admin-consented" permissions.
         • Restrict user consent:
           - Navigate to User Settings in Azure AD.
           - Disable "Users can consent to apps accessing company data on their behalf."
    3. Provide Instructions for Admins
       • You can customize the consent URL or provide instructions in your documentation to explicitly inform admins not to select "Consent on behalf of your organization" when prompted.
       • Example custom message: "Please do not check 'Consent on behalf of your organization' as it is not required for this application to function."
    4. Modify Permission Requests
       • Request a less sensitive scope or granular permissions to minimize the impact of admin consent.
       • For example, if your app requires presence information only for the admin, request Presence.Read instead of Presence.Read.All.
    5. Use Conditional Access or Policies
       • As a last resort, implement a Conditional Access Policy in Azure AD to block tenant-wide consent for the app or restrict the app's usage to specific groups or admins.

    Summary Recommendations:

    1. Use app-only permissions if feasible.
    2. Adjust Azure AD settings to restrict tenant-wide consent.
    3. Provide clear guidance to admins about not selecting "Consent on behalf of your organization."
    4. Regularly review and audit granted permissions in Azure AD.

    Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.

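The answer's recommendation to "regularly review and audit granted permissions" can be automated: a tenant-wide grant produced by the "Consent on behalf of your organization" checkbox shows up in Microsoft Graph as an oAuth2PermissionGrant with consentType "AllPrincipals", whereas a grant for the admin alone has consentType "Principal". The following is an added example, not code from the question or answer; it runs over a constructed sample of the JSON that `GET /oauth2PermissionGrants?$filter=clientId eq '{servicePrincipalId}'` returns (object IDs are placeholders) and flags the org-wide grant that the asker wants to avoid.

```python
# Constructed sample in the shape Microsoft Graph returns for
# GET /oauth2PermissionGrants?$filter=clientId eq '{servicePrincipalId}'.
# The IDs below are placeholders, not real Entra object IDs.
SAMPLE_GRANTS = {
    "value": [
        {  # admin consented for themselves only (checkbox left unchecked)
            "id": "grant-1", "clientId": "sp-presence-app",
            "consentType": "Principal", "principalId": "user-admin",
            "resourceId": "sp-microsoft-graph",
            "scope": "User.Read Presence.Read.All",
        },
        {  # admin ticked "Consent on behalf of your organization"
            "id": "grant-2", "clientId": "sp-presence-app",
            "consentType": "AllPrincipals", "principalId": None,
            "resourceId": "sp-microsoft-graph",
            "scope": "User.Read Presence.Read.All",
        },
        {  # unrelated app; must not appear in this app's findings
            "id": "grant-3", "clientId": "sp-other-app",
            "consentType": "AllPrincipals", "principalId": None,
            "resourceId": "sp-microsoft-graph", "scope": "User.Read",
        },
    ]
}


def tenant_wide_grants(payload: dict, client_sp_id: str) -> list:
    """Grants for this app's service principal that apply to every user.

    consentType "AllPrincipals" is what the checkbox produces; "Principal"
    grants apply only to the single user named in principalId.
    """
    return [
        g for g in payload.get("value", [])
        if g.get("clientId") == client_sp_id
        and g.get("consentType") == "AllPrincipals"
    ]


def audit(payload: dict, client_sp_id: str,
          allowed_tenant_wide: frozenset = frozenset()) -> list:
    """Flag tenant-wide grants holding scopes not meant to be org-wide.

    Each finding names the grant an admin can revoke with
    DELETE /oauth2PermissionGrants/{id}; per-user consent is unaffected.
    """
    findings = []
    for g in tenant_wide_grants(payload, client_sp_id):
        unexpected = sorted(set(g.get("scope", "").split()) - allowed_tenant_wide)
        if unexpected:
            findings.append({"grantId": g["id"], "unexpectedScopes": unexpected})
    return findings
```

Against live data, replace SAMPLE_GRANTS with the parsed Graph response for your app's service principal and pass the delegated scopes you are willing to leave org-wide (if any) as allowed_tenant_wide.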
