Azure AD will now record consent for mobile client apps

We'll be rolling out an update to the way that we record consent grants in the coming weeks. With this change, we will start to centrally record consent given by users to mobile or native client apps (applications that run on devices such as laptops, PCs, iOS and Android) that access Microsoft APIs (like Microsoft Graph, Office 365 and Azure AD). Recording consent centrally is something that already happens for web apps. Now we are extending this to mobile client apps so that end users and administrators have a consistent experience for using and managing both types of app.

What does this mean for end users?

  1. Consent is required only once per app, and is good across all devices for the same app, which was not the case previously.
  2. App revocation is now possible. Revocation is performed once, and revokes the app across all devices. End-user revocation (of the mobile app's access to user data) can be done through the Office 365 portal: https://portal.office.com/account/#apps.
  3. For existing mobile apps that users have already consented to (prior to this change), the app continues to work as before. The app will only show up in the Office 365 portal after the user has been asked to re-consent.

What does this mean for administrators?

  1. Admins can now consent for mobile client apps on behalf of their organization.
  2. The mobile application will now appear in the Azure Management Portal applications list.
    1. The app dashboard shows app usage.
    2. Admins can apply policy to the app (conditional access, and assigning the app to users to control access).
  3. Any operations on mobile client apps (consent, revocation, app assignment, conditional access, sign-in, etc.) will now show up in the audit logs.

What does this mean for developers?

Developers will now be able to write apps that query Azure AD (through Azure AD Graph or Microsoft Graph) to get the consented mobile apps and any consent or assignment links for those applications.
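Because consent for native and mobile client apps is now recorded centrally, an administrator or developer can inventory it the same way as for web apps. The following is an added example (not Microsoft's code or part of this announcement) that reads the consent records and groups them per client app, separating admin consent given on behalf of the organization from consent given by individual users. It assumes the Microsoft Graph `oauth2PermissionGrants` collection, whose records carry `clientId`, `consentType` (`AllPrincipals` for admin consent, `Principal` for a single user), `principalId`, `resourceId` and a space-separated `scope`; the `SAMPLE_PAGE` data and the `HIGH_RISK_SCOPES` list are constructed for the example.

```python
"""Inventory OAuth2 consent grants for client (including native/mobile) apps
and list the ones an admin should review.

Added example, not Microsoft's code. Assumes the Microsoft Graph
oauth2PermissionGrants collection; SAMPLE_PAGE is constructed sample data.
"""
import json
import urllib.request
from collections import defaultdict

GRAPH_GRANTS_URL = "https://graph.microsoft.com/v1.0/oauth2PermissionGrants"

# Delegated scopes worth a second look when consented tenant-wide
# (assumption for this example; adjust to your own policy).
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "Directory.AccessAsUser.All"}

# Constructed sample shaped like one page of a Graph response.
SAMPLE_PAGE = {
    "value": [
        {"id": "g1", "clientId": "sp-mobile-mail", "consentType": "Principal",
         "principalId": "user-alice", "resourceId": "sp-graph", "scope": "User.Read Mail.Read"},
        {"id": "g2", "clientId": "sp-mobile-mail", "consentType": "Principal",
         "principalId": "user-bob", "resourceId": "sp-graph", "scope": "User.Read Mail.Read"},
        {"id": "g3", "clientId": "sp-file-sync", "consentType": "AllPrincipals",
         "principalId": None, "resourceId": "sp-graph", "scope": "User.Read Files.ReadWrite.All"},
    ]
}


def fetch_grants(access_token, url=GRAPH_GRANTS_URL):
    """Fetch every grant record, following @odata.nextLink paging.

    Needs a bearer token for Microsoft Graph; not exercised offline.
    """
    records = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        records.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return records


def summarize_grants(records):
    """Group grants by client app: who consented and to which scopes."""
    apps = defaultdict(lambda: {"admin_consent": False, "users": set(), "scopes": set()})
    for grant in records:
        entry = apps[grant["clientId"]]
        entry["scopes"].update(grant.get("scope", "").split())
        if grant.get("consentType") == "AllPrincipals":
            entry["admin_consent"] = True  # consent on behalf of the organization
        elif grant.get("principalId"):
            entry["users"].add(grant["principalId"])  # a single user's consent
    return dict(apps)


def flag_for_review(summary, risky=HIGH_RISK_SCOPES):
    """Client ids whose grants include a risky scope, tenant-wide grants first."""
    flagged = [(cid, e) for cid, e in summary.items() if e["scopes"] & risky]
    flagged.sort(key=lambda item: (not item[1]["admin_consent"], item[0]))
    return [cid for cid, _ in flagged]


if __name__ == "__main__":
    summary = summarize_grants(SAMPLE_PAGE["value"])
    for client_id, entry in summary.items():
        who = "admin (all users)" if entry["admin_consent"] else f"{len(entry['users'])} user(s)"
        print(f"{client_id}: consented by {who}; scopes={sorted(entry['scopes'])}")
    print("review:", flag_for_review(summary))
```

Run against a live tenant by replacing `SAMPLE_PAGE["value"]` with `fetch_grants(token)`; the per-app summary is what the Office 365 portal shows to an end user and what the Azure Management Portal shows to an admin, and the `AllPrincipals` records are the admin-on-behalf-of-organization consents that this change makes possible for mobile apps.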