As an administrator, you can grant consent on behalf of your organization for an application to access Azure AD data. Scoping that consent lets you control which applications and services can reach your organization's data.
The scope of administrator consent is defined by the permissions you grant to applications and services; you can include or exclude specific permissions depending on your organization's needs.
To manage user access, use Azure AD's built-in features such as user groups and roles. Assigning users to groups or roles controls their access to applications and services within Azure AD.
Admin Consent
Admin consent is a crucial aspect of Azure AD scopes. Only admins can consent to scopes that require admin consent, such as Employees.Write.All; this setting is typically used for higher-privileged operations.
Admins can grant permissions to client applications on behalf of the organization's users. For example, an administrator can grant the User.Read.All permission to a client application. This grant isn't done on behalf of any specific user, but rather the client application is granted permissions directly.
To add a scope that requires admin consent: specify the scope's attributes in the "Add a scope" pane, set "Who can consent" to "Admins only", and select "Add scope".
Administrator Consent Required
Administrator consent is required for certain permissions that are deemed too sensitive for users to grant on their own. These permissions are often referred to as admin-restricted permissions.
In the Microsoft identity platform, many higher-privilege permissions, such as reading all users' full profiles or writing data to an organization's directory, require admin approval. These permissions include User.Read.All, Directory.ReadWrite.All, and Groups.Read.All.
If an application requests access to one of these permissions from an organizational user, the user will receive an error message saying they're not authorized to consent to the app's permissions. This is because these permissions are considered too sensitive for users to grant on their own.
Admins must grant these permissions on behalf of the organization's users. This is in contrast to application permissions, which are granted directly to the client application and do not require user consent.
Admin-restricted permissions such as the ones listed above should only be used by daemon services and other non-interactive applications that run in the background, because they give direct access to sensitive data.
User Has Granted Permissions
In this scenario the user or tenant admin has already granted specific permissions to a client, for example the Mail.Read and User.Read Microsoft Graph permissions.
Because consent already exists, the client can use those granted permissions to access the authorized resources without asking the user for additional consent.
Permissions and Access
Permissions in Azure AD can be set to admin restricted, which means an organization's administrator must consent to those scopes on behalf of the organization's users.
Admin-restricted permissions include User.Read.All, Directory.ReadWrite.All, and Groups.Read.All, all of which grant access to sensitive company data.
If your application requests access to one of these permissions from an organizational user, the user receives an error message saying they're not authorized to consent to your app's permissions.
These types of permissions should only be used by daemon services and other non-interactive applications that run in the background.
Here are some examples of admin-restricted permissions:
- User.Read.All: Read all users' full profiles
- Directory.ReadWrite.All: Write data to an organization's directory
- Groups.Read.All: Read all groups in an organization's directory
Admin-Restricted Permissions
Admin-restricted permissions are a special type of permission that requires admin approval. These permissions are typically used for sensitive company data.
If your app requires admin-restricted permissions, an organization's administrator must consent to those scopes on behalf of the organization's users. This is because organizational users can't grant access to the same set of sensitive company data.
Some examples of admin-restricted permissions include User.Read.All, Directory.ReadWrite.All, and Groups.Read.All. These permissions allow your app to read all users' full profiles, write data to an organization's directory, and read all groups in an organization's directory.
If your application requests access to one of these permissions from an organizational user, the user will receive an error message saying they're not authorized to consent to your app's permissions.
The Offline Access
The offline_access scope gives your app access to resources on behalf of the user for an extended time, appearing as the "Maintain access to data you have given it access to" permission on the consent page.
This scope is currently required for all consent pages, even for flows that don't provide a refresh token, like the implicit flow.
To receive refresh tokens, your app must explicitly request the offline_access scope in requests made to the Microsoft identity platform v2.0 endpoint.
Without a refresh token, your app has to redirect the user back to the /authorize endpoint to request a new authorization code every time the access token expires, which is usually after around one hour.
If consent exists, the returned token contains all scopes granted for that resource for the signed-in user.
When requesting offline_access, keep the following points in mind:
- Scope requirements: Ensure that you are requesting the offline_access scope along with any other necessary scopes.
- Authorization grant type: The refresh token is generally provided when using the authorization code grant type. If your flow differs, it may affect the response.
- Client configuration: Check your application's settings in the identity platform. Certain configurations may restrict the issuance of refresh tokens.
Authentication and Authorization
You can exchange an authorization code for an access token using the Microsoft identity platform. This is done by sending a POST request to the token endpoint.
The access token is a JSON Web Token (JWT) that contains information about the user and the permissions they have been granted. You can decode the token using a tool like jwt.ms.
The token contains claims such as "aud", "appid", and "scp", which indicate the audience, the client ID, and the scopes the client has been granted for the signed-in user. The "scp" claim is a space-separated list of those scopes.
The scopes that are available in the Microsoft identity platform include openid, email, profile, and offline_access. If you request these scopes, you will get a token that can be used to call the UserInfo endpoint.
The openid scope is required for apps that sign in using OpenID Connect. This scope gives the app access to the UserInfo endpoint and allows it to receive a unique identifier for the user in the form of the sub claim.
The permission to request the openid scope appears on the work account consent page as the "Sign you in" permission. This permission is necessary for authentication and authorization in the Microsoft identity platform.
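The code exchange and token inspection described above, as an added Python example that is not from this page or from Microsoft's libraries. It builds the body of the POST to the token endpoint (refusing to proceed without offline_access, since no refresh token would be issued), decodes a token's claims the way jwt.ms does, and reads the scp, aud and sub claims. The tenant, client ID, redirect URI and token are constructed placeholders, and no request is actually sent.

```python
import base64
import json

# Constructed placeholders; replace with your own tenant and app registration values.
TENANT = "contoso.onmicrosoft.com"                  # hypothetical tenant
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder application (client) ID
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"


def build_token_request(code, redirect_uri, scopes, client_secret):
    """Body of the POST to the v2.0 token endpoint that exchanges an
    authorization code for tokens. Fails early if offline_access is not among
    the requested scopes, because then no refresh token will be issued."""
    if "offline_access" not in scopes:
        raise ValueError("offline_access not requested: no refresh token will be issued")
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "client_secret": client_secret,
    }


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token):
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    This is inspection only, like pasting a token into jwt.ms. A resource API must
    verify the signature, issuer, audience and expiry before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(claims):
    """The scp claim is a space-separated list of the delegated scopes the client
    holds for the signed-in user; it is absent from app-only tokens."""
    return set(claims.get("scp", "").split())


def has_scope(claims, required):
    return required in granted_scopes(claims)


def user_identity(claims):
    """The sub claim is the unique user identifier an openid request yields; the
    email claim may be missing, so callers get None rather than a KeyError."""
    return claims["sub"], claims.get("email")


def make_sample_token(claims):
    """Constructed, unsigned token for offline demonstration only. Real tokens from
    the identity platform carry a signature that must be validated."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


SAMPLE_CLAIMS = {  # constructed values, not a real token
    "aud": "https://graph.microsoft.com",
    "appid": CLIENT_ID,
    "scp": "Mail.Read User.Read openid profile offline_access",
    "sub": "constructed-sub-0001",
}
SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    print("granted scopes:", sorted(granted_scopes(claims)))
    print("can read mail:", has_scope(claims, "Mail.Read"))
    print("user (sub, email):", user_identity(claims))
    print("token request body:", build_token_request(
        "AUTH_CODE", "https://localhost/callback", ["User.Read", "offline_access"], "CLIENT_SECRET"))
```

The separation between decode_claims and a real validation step is deliberate: reading scp without checking the signature is fine for debugging, but an API that authorizes on an unverified scp claim is trusting whatever the caller typed in.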
Client Configuration
Client configuration is a crucial step in setting up Azure AD.
The Azure AD client can be configured to use a custom domain name, which is a requirement for implementing Azure AD.
To use a custom domain name, you need to add a DNS record to your domain's DNS settings.
Azure AD supports multiple authentication methods, including password, multi-factor authentication, and smart card authentication.
Password authentication is the default method, but it's recommended to use multi-factor authentication for added security.
Multi-factor authentication can be configured to use a variety of methods, including SMS, voice calls, and authenticator apps.
Azure AD also supports conditional access policies, which can be used to control access to your organization's resources based on user location, device type, and other factors.
Conditional access policies can be used to enforce multi-factor authentication for users accessing your organization's resources from outside the corporate network.
Azure AD also provides a feature called "Cloud App Security" which can be used to monitor and control access to cloud apps.
Cloud App Security can be used to detect and prevent suspicious activity, and to enforce policies for cloud app access.
Domain and User Management
Domain and User Management is a crucial aspect of Azure AD. It allows you to manage and control access to your organization's resources and applications.
You can create and manage domains within Azure AD, which enables you to integrate your on-premises Active Directory with Azure AD. This is a great way to extend your on-premises identity and access management to the cloud.
With Azure AD, you can also manage users and their permissions, including adding and removing users, assigning roles, and managing group memberships. This helps ensure that only authorized users have access to sensitive resources and applications.
The Email
The email scope is a powerful tool that can be used in conjunction with the openid scope and other scopes to access a user's primary email address.
This email address is represented as the email claim in a token, which is only included if the user has an associated email address with their account.
You need to be prepared for the possibility that no email claim exists in the token, as not all users have an email address linked to their account.
This means your app should be able to handle this situation and adapt accordingly.
Domain Restrictions
Azure AD doesn't provide identity tokens with the hd claim, so you can't restrict users based on their domain using the OIDC plugin's domains configuration.
Using a single-tenant application is a good way to restrict access to users in your directory only, as it limits sign-in to users within your own directory.
Multi-tenant apps, on the other hand, allow users with Microsoft accounts from other directories to sign in, and even permit sign-in from any Microsoft account, such as live.com or Xbox accounts.
If you choose to use a multi-tenant app, be aware that users from other directories will be able to access your application, which may not be what you intended.
Consumer Mapping
Consumer mapping is essential for interacting with other Kong plugins using consumer information. You can map account data received from the identity provider to a Kong consumer by setting it as the custom_id on their consumer.
To do this, set the custom_id to the user's Azure AD account GUID. For example, if the consumer Yoda has the custom_id e5634b31-d67f-4661-a6fb-b6cb77849bcf, then when a user logs in with the Azure AD account that has that GUID, Kong will apply the configuration associated with the consumer Yoda to their requests.
However, you may not always want to apply configuration to a specific consumer, especially if you're using plugins that require a consumer on some routes but not others. To deal with this, you can set the anonymous parameter in your OIDC plugin configuration to the ID of a generic consumer, which will then be used for all authenticated users that cannot be mapped to some other consumer.
Alternatively, you can set consumer_optional to true, which allows such logins without mapping them to an anonymous consumer.
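A model of the consumer-mapping rules just described, added here as example code; it is not the Kong OIDC plugin's own implementation. The consumer table and token claims are constructed (the first consumer reuses the GUID from the example above), and two things are my assumptions rather than the page's: that the account GUID arrives in the oid claim, and the extra tenant check on the tid claim, which complements the single-tenant registration the "Domain Restrictions" section recommends.

```python
class ConsumerRequired(Exception):
    """Raised when the request needs a consumer but none could be mapped."""


# Constructed consumer table. custom_id holds the Azure AD account GUID.
CONSUMERS = [
    {"id": "c-0001", "username": "Yoda", "custom_id": "e5634b31-d67f-4661-a6fb-b6cb77849bcf"},
    {"id": "c-0002", "username": "Luke", "custom_id": "11111111-2222-3333-4444-555555555555"},
    {"id": "c-anon", "username": "anonymous", "custom_id": None},  # generic fallback consumer
]


def map_consumer(claims, consumers, consumer_claim="oid", anonymous=None, consumer_optional=False):
    """Pick the consumer for an authenticated identity, following the rules in the text:
      1. a consumer whose custom_id equals the account GUID from the token -> that consumer;
      2. otherwise, if `anonymous` names a generic consumer (by id or username) -> that consumer;
      3. otherwise, if consumer_optional is True -> None (the request continues without a consumer);
      else the request is rejected.
    Assumption: the GUID is carried in the oid claim (the Azure AD object ID)."""
    account_id = (claims.get(consumer_claim) or "").lower()
    if account_id:
        for consumer in consumers:
            if consumer["custom_id"] and consumer["custom_id"].lower() == account_id:
                return consumer
    if anonymous:
        for consumer in consumers:
            if anonymous in (consumer["id"], consumer["username"]):
                return consumer
        raise ConsumerRequired(f"anonymous consumer {anonymous!r} does not exist")
    if consumer_optional:
        return None
    raise ConsumerRequired("no consumer could be mapped for this identity")


def from_expected_tenant(claims, tenant_id):
    """Azure AD tokens carry no hd claim, so a single-tenant registration is the
    primary restriction. As a second layer, compare the token's tid claim (the
    issuing tenant's ID) with the tenant you expect. Assumption of this example."""
    return (claims.get("tid") or "").lower() == tenant_id.lower()


# Constructed claims for two sign-ins.
YODA_CLAIMS = {"oid": "e5634b31-d67f-4661-a6fb-b6cb77849bcf", "tid": "tenant-a"}
STRANGER_CLAIMS = {"oid": "9c7d3f00-0000-4000-8000-000000000000", "tid": "tenant-b"}

if __name__ == "__main__":
    print(map_consumer(YODA_CLAIMS, CONSUMERS)["username"])                          # Yoda
    print(map_consumer(STRANGER_CLAIMS, CONSUMERS, anonymous="c-anon")["username"])  # anonymous
    print(map_consumer(STRANGER_CLAIMS, CONSUMERS, consumer_optional=True))         # None
    print(from_expected_tenant(STRANGER_CLAIMS, "tenant-a"))                        # False
```

Running the three calls for STRANGER_CLAIMS side by side makes the operational difference visible: with neither anonymous nor consumer_optional set, a user with no matching custom_id is rejected, which is usually the safer default for routes whose plugins depend on a consumer.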
Frequently Asked Questions
What is a scope in Azure AD?
In Azure, a scope refers to a level of hierarchy that defines the extent of access and permissions for users and roles. Scopes in Azure are structured in a parent-child relationship, allowing for more specific and granular control over access and permissions.
What is the difference between permission and scope?
Permissions control specific actions on resources, while scopes define broader categories of actions that can be performed. Understanding the difference between the two is crucial for managing access and security in various systems.
What is the difference between role and scope?
Roles determine what a user can do within an application, while scopes control what an external application can access via an exposed API. Think of roles as internal permissions and scopes as external access controls.
Sources
- https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-expose-web-apis
- https://learn.microsoft.com/en-us/azure/role-based-access-control/scope-overview
- https://dev.to/ockamey/configuring-scopes-in-azure-active-directory-part-1-3bio
- https://docs.konghq.com/hub/kong-inc/openid-connect/how-to/third-party/azure-ad/
- https://learn.microsoft.com/en-us/entra/identity-platform/scopes-oidc