Grant Admin Consent in Azure

Time:12-15

We have a client application, which calls Web API, which in turn calls Microsoft Graph. I've read the documentation about granting admin consent in the Azure portal, but I still fear pressing that button because I don't understand some concepts:

  1. Does Grant Admin Consent on the page of app A allow application A to access all of its required scopes, or does it allow OTHER applications to access application A's scopes defined in "Expose API"?
  2. Do I need to grant admin consent to both the client app and the web API? Or must I grant it only for the web API and make the client app pre-authorized?
  3. Does "Grant Admin Consent" allow an application to call Microsoft Graph on its own, bypassing the on-behalf-of flow? For example, can the web API call Microsoft Graph without needing a user access token?
  4. If we add a new user to our AD, will I need to press "Grant Admin Consent" again?
  5. Are there any differences between "Grant admin consent" on "App Registration" and "Enterprise applications" pages?

CodePudding user response:

  1. Does Grant Admin Consent on the page of app A allow application A to access all of its required scopes, or does it allow OTHER applications to access application A's scopes defined in "Expose API"?

Admin consent allows app A to use all delegated and application permissions on its API permissions page; no permissions on app A are given to other applications.

  2. Do I need to grant admin consent to both the client app and the web API? Or must I grant it only for the web API and make the client app pre-authorized?

You should most likely grant it for both. Per the first answer, granting consent to the client won't give, e.g., MS Graph access to the API app. Users would be prompted for consent if the client is a "known client" of the API app (added to the knownClientApplications property in the manifest). This is useful for multi-layer multi-tenant apps but might not be useful in your scenario.

  3. Does "Grant Admin Consent" allow an application to call Microsoft Graph on its own, bypassing the on-behalf-of flow? For example, can the web API call Microsoft Graph without needing a user access token?

Only if you grant it Application permissions. Delegated permissions always require a user context to call the API.

  4. If we add a new user to our AD, will I need to press "Grant Admin Consent" again?

No. In the case of delegated permissions, admin consent creates an OAuth2PermissionGrant object with a null principalId. This makes it apply to all users, current and future.

  5. Are there any differences between "Grant admin consent" on the "App Registration" and "Enterprise applications" pages?

I've never used the one on the Enterprise applications page, so I can't say for sure. But I'm guessing it is the same thing. Permissions are always given to the service principal (enterprise app) instead of the app registration. When you click Grant admin consent in the app registration, it modifies the entities for its service principal in your tenant.
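As an added illustration (not part of the question or the answer above), here is a small Python audit that applies the distinctions from answers 3 and 4 to constructed data shaped like Microsoft Graph's oAuth2PermissionGrant and appRoleAssignment objects: a delegated grant with consentType "AllPrincipals" and a null principalId is tenant-wide admin consent covering current and future users, whereas app-only calls to Graph require an appRoleAssignment (an application permission). Field names follow the Graph schema; every id value is a constructed placeholder, not real tenant data.

```python
"""Audit consent grants per service principal (added example, constructed data)."""
import json

# Constructed sample modelled on GET /oauth2PermissionGrants (delegated consent).
SAMPLE_GRANTS = json.loads("""[
  {"clientId": "sp-webapi", "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "sp-graph", "scope": "User.Read Mail.Read"},
  {"clientId": "sp-client", "consentType": "Principal", "principalId": "user-1",
   "resourceId": "sp-webapi", "scope": "access_as_user"}
]""")

# Constructed sample modelled on GET /servicePrincipals/{id}/appRoleAssignments
# (application permissions held by a service principal).
SAMPLE_APP_ROLES = json.loads("""[
  {"principalId": "sp-webapi", "resourceId": "sp-graph", "appRoleId": "role-guid-1"}
]""")


def _empty():
    return {"tenant_wide": [], "per_user": {}, "app_only": []}


def summarize_consent(grants, app_role_assignments):
    """Group grants by the service principal that holds them (the clientId / principalId)."""
    summary = {}
    for g in grants:
        entry = summary.setdefault(g["clientId"], _empty())
        scopes = g["scope"].split()  # Graph stores delegated scopes space-separated
        if g["consentType"] == "AllPrincipals" and g["principalId"] is None:
            # Admin consent: one grant, no principal, applies to all current and future users.
            entry["tenant_wide"].extend(scopes)
        else:
            # User consent: one grant per user; a new user would be prompted again.
            entry["per_user"].setdefault(g["principalId"], []).extend(scopes)
    for a in app_role_assignments:
        entry = summary.setdefault(a["principalId"], _empty())
        entry["app_only"].append((a["resourceId"], a["appRoleId"]))
    return summary


def can_call_without_user(summary, sp_id):
    """True only if the service principal holds an application permission (app role)."""
    return bool(summary.get(sp_id, _empty())["app_only"])


def new_users_need_consent(summary, sp_id):
    """True if the service principal relies solely on per-user delegated grants."""
    entry = summary.get(sp_id, _empty())
    return not entry["tenant_wide"] and bool(entry["per_user"])
```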
