I, as an admin, created a Microsoft Entra app registration and did not add any delegated permissions like 'File.ReadWrite' to it.
I use delegated OAuth 2.0 with authorization code and user consent to authorize. I use the scope 'File.ReadWrite' in the API request.
User A tries to authorize with scope 'File.ReadWrite' and sees the consent screen.
Even though the permission wasn't added in the app registration, the user was able to consent, and it shows as granted by the user in the Users section of the enterprise application.
I didn't expect this to work, as the admin cannot restrict the scopes its users can consent to.
asked Feb 10 at 18:20 by codex

1 Answer
In Entra apps we have two types of permissions: 1. Delegated permissions and 2. Application permissions.
For delegated permissions there are a few permissions that require consent from an admin; these permissions have their "Admin consent required" field set to true/required.
Permissions that don't have admin consent marked as true get assigned automatically once the user goes through OAuth and gives his/her consent.
Hope this helps! Thank you.
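As an added example (not code from the question or the answer), a Python check that compares the delegated scopes an app registration declares against the oauth2PermissionGrant records on its service principal, which is where a user-consented grant like the 'File.ReadWrite' in the question shows up; it uses the Microsoft Graph object shapes for application.requiredResourceAccess, servicePrincipal.oauth2PermissionScopes and oauth2PermissionGrant, and every id and record in it is constructed sample data.

```python
# Added example: flag delegated scopes that users consented to but the app
# registration never declared. Shapes follow Microsoft Graph's application,
# servicePrincipal.oauth2PermissionScopes and oauth2PermissionGrant resources;
# every id and record here is constructed.
# Resource service principal; scope type "User" = user may consent, "Admin" = admin only.
RESOURCE_SP = {
    "id": "sp-resource-0001", "appId": "app-resource-0001",
    "oauth2PermissionScopes": [
        {"id": "scope-0001", "value": "User.Read", "type": "User"},
        {"id": "scope-0002", "value": "Files.ReadWrite", "type": "User"},
        {"id": "scope-0003", "value": "Directory.ReadWrite.All", "type": "Admin"},
    ],
}
# The admin's registration declares only User.Read for that resource.
APP_REGISTRATION = {"requiredResourceAccess": [
    {"resourceAppId": "app-resource-0001",
     "resourceAccess": [{"id": "scope-0001", "type": "Scope"}]},
]}
# Grants as /servicePrincipals/{id}/oauth2PermissionGrants returns them:
# "scope" is space-separated, consentType "Principal" means one user consented.
GRANTS = [
    {"resourceId": "sp-resource-0001", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read"},
    {"resourceId": "sp-resource-0001", "consentType": "Principal",
     "principalId": "user-a", "scope": "User.Read Files.ReadWrite"},
]

def declared_scopes(app, resource_sp):
    """Scope names the registration declares for this resource (type 'Scope' entries)."""
    names = {s["id"]: s["value"] for s in resource_sp["oauth2PermissionScopes"]}
    declared = set()
    for rra in app["requiredResourceAccess"]:
        if rra["resourceAppId"] == resource_sp["appId"]:
            declared.update(names[a["id"]] for a in rra["resourceAccess"]
                            if a["type"] == "Scope" and a["id"] in names)
    return declared

def undeclared_grants(app, resource_sp, grants):
    """Granted scopes absent from the registration, with who consented and whether
    the scope is user-consentable (the path the question's File.ReadWrite took)."""
    declared = declared_scopes(app, resource_sp)
    user_ok = {s["value"] for s in resource_sp["oauth2PermissionScopes"] if s["type"] == "User"}
    return [
        {"principalId": g["principalId"], "consentType": g["consentType"],
         "scope": scope, "userConsentable": scope in user_ok}
        for g in grants if g["resourceId"] == resource_sp["id"]
        for scope in g["scope"].split() if scope not in declared
    ]
```

Running `undeclared_grants(APP_REGISTRATION, RESOURCE_SP, GRANTS)` reports the single Files.ReadWrite grant consented to by user-a, which is the drift between registration and actual grants that this question describes.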