How can I test if admin consent has already been given

Backend | Unresolved | 2 | 1439
陌清茗 2021-01-16 10:35

We are developing an Office Add-in that authenticates with an organisational account to Azure AD. The Add-in needs administrative consent. So if an administrator is logged o

2 answers
  •  青春惊慌失措
    2021-01-16 11:07

    tl;dr

    Yes, you can do this. You'll want to call this MS Graph endpoint, and inspect the oAuth2PermissionGrant object for the consentType field being set to AllPrincipals.

    Some Background

    Using the Microsoft Graph, you can identify if admin consent was granted. When Admin Consent is granted, there are OAuth2.0 permission grants written on the app.

    Inside each permission grant, there's a field that indicates the permission level of the grant. For Admin Consent, you would be looking for AllPrincipals.

    Detailed Steps

    1. Wire up your app to call the Microsoft Graph. Make sure it's requesting all the required permissions to call the required endpoint. This is different in the case of a delegated (on behalf of the end user) or an app role.

    App Role: Directory.Read.All & Directory.ReadWrite.All

    Delegated Permission: Directory.Read.All, Directory.ReadWrite.All, or Directory.AccessAsUser.All in order of least to most privileged.

    2. Call the GET /oAuth2PermissionGrant endpoint of MS Graph.

    This returns back an oAuth2PermissionGrant object with the details you're looking for.

    3. Inspect the response for the consentType field. You may need to enumerate all the grants looking for the value AllPrincipals.
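As an added example (not code from the answer above or from Microsoft), here is a Python routine that takes the JSON body returned by the v1.0 `oauth2PermissionGrants` endpoint and reports which delegated scopes the add-in's service principal holds under tenant-wide (AllPrincipals) consent. The service principal ids, scope names and the whole sample response are constructed placeholders.

```python
"""Decide from oauth2PermissionGrant objects whether admin consent exists.
Added example; the ids and the sample response below are constructed."""
import json

# Constructed stand-in for the "value" array that
# GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants returns.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {   # one user consented for themselves only: NOT admin consent
            "id": "grant-1", "clientId": "sp-addin", "consentType": "Principal",
            "principalId": "user-42", "resourceId": "sp-graph",
            "scope": "User.Read Files.Read",
        },
        {   # an administrator consented for the whole tenant
            "id": "grant-2", "clientId": "sp-addin", "consentType": "AllPrincipals",
            "principalId": None, "resourceId": "sp-graph",
            "scope": " User.Read Files.Read.All ",
        },
        {   # tenant-wide consent, but for a different client app
            "id": "grant-3", "clientId": "sp-other", "consentType": "AllPrincipals",
            "principalId": None, "resourceId": "sp-graph", "scope": "Mail.Read",
        },
    ]
})


def admin_consented_scopes(response_json, client_id, resource_id):
    """Return the set of delegated scopes granted with consentType
    'AllPrincipals' to service principal `client_id` on `resource_id`."""
    grants = json.loads(response_json).get("value", [])
    scopes = set()
    for grant in grants:
        if grant.get("clientId") != client_id or grant.get("resourceId") != resource_id:
            continue
        if grant.get("consentType") != "AllPrincipals":
            continue  # per-user ("Principal") grants do not count as admin consent
        # `scope` is one space-separated string; split() also trims stray whitespace
        scopes.update((grant.get("scope") or "").split())
    return scopes


def missing_admin_consent(response_json, client_id, resource_id, required_scopes):
    """Return the required scopes that have NO tenant-wide grant (empty == consented)."""
    return set(required_scopes) - admin_consented_scopes(response_json, client_id, resource_id)
```

This covers delegated scopes only; application permissions (app roles) are recorded as appRoleAssignments on the service principal, not as oauth2PermissionGrants, and need a separate check.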
