I have an existing custom application that integrates with Yammer in Azure AD. Within this application, I utilize the user_impersonation delegated permission to get data posted on the Yammer network. Additionally, my application requests the Sites.Read.All permission to access SharePoint attachments shared in Yammer.

My current process involves:
- obtaining an access token for `user_impersonation` via OAuth flow for user_impersonation
- obtaining admin consent by directing administrators to the following URL:
  https://login.microsoftonline.com/common/adminconsent?client_id=6731de76-14a6-49ae-97bc-6eba6914391e&state=12345&redirect_uri=http://localhost/myapp/permissions.
  I will be using this consent to later on get an access token for `Sites.Read.All` via client-credentials flow.

However, I've noticed that when an administrator grants consent, it extends consent to all the permissions configured in the Azure AD app. I've recently found a v2 endpoint for admin consent where I can pass the list of scopes in the consent URL. While the delegated 'user_impersonation' permission suffices for accessing all the data in the Yammer network, I've noticed that with admin consent, it seems like I'm obtaining additional permissions.

Given this setup, what could be the implications of admin consent for the user_impersonation delegated permission within my existing custom app?

I created an Azure AD Application and added API permissions:

To grant admin consent I used the below endpoint:

The admin consent granted to the API permissions:

For example, you can also revoke the admin consent for one API permission if you don't need it like below:

The `user_impersonation` delegated permission enables the application to connect to the Yammer network on behalf of the user and access all the Yammer data.

`Sites.Read.All` permission is granted.

Reference:
Overview of permissions and consent in the Microsoft identity platform - Microsoft Entra
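
The v2 admin consent request mentioned in the question, as an added example (not code from the original question or answer): it builds the URL with an explicit scope list and a per-request random `state`, then validates the redirect and reports any consented scope that was not requested. The function names are hypothetical; the endpoint path and the response parameters (`admin_consent`, `tenant`, `state`, `scope`, `error`) are those documented for the Microsoft identity platform.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"


def build_admin_consent_url(tenant, client_id, redirect_uri, scopes):
    """Return (url, state) for a v2 admin consent request limited to `scopes`."""
    # Fresh, unpredictable state per request instead of a constant such as 12345,
    # so the redirect can be tied to the request that started it.
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "client_id": client_id,
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{AUTHORITY}/{tenant}/v2.0/adminconsent?{query}", state


def check_consent_callback(callback_url, expected_state, requested_scopes):
    """Validate the consent redirect; return (tenant_id, unrequested_scopes)."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}

    # Reject responses that do not carry the state issued for this request.
    received = params.get("state", "").encode()
    if not hmac.compare_digest(received, expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this request")

    if "error" in params:
        raise PermissionError(params.get("error_description", params["error"]))
    if params.get("admin_consent", "").lower() != "true":
        raise PermissionError("admin consent was not granted")

    tenant = params.get("tenant")
    if not tenant:
        raise ValueError("consent response carries no tenant id")

    # Scopes the tenant consented to beyond the ones this request asked for.
    granted = set(params.get("scope", "").split())
    return tenant, granted - set(requested_scopes)
```

Store the returned `state` server-side with the pending request and pass it to `check_consent_callback` when the administrator is redirected back.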