Azure AD 提示用户/管理员在更改应用程序权限后重新同意 [英] Azure AD prompt user/admin to re-consent after changing application permissions

问题描述

我正在构建一个 SaaS 应用程序，它将使用 Azure AD 对用户进行身份验证.假设我在同意提示期间仅向用户请求 1 个委派权限，并且用户接受了它.

I am building a SaaS app that will be authenticating users using Azure AD. Let's say I am asking for just 1 delegated permission from user during consent prompt and user accepts it.

稍后我的应用会发展并需要获得更多委派权限.在这种情况下，我如何使用同意页面重新提示用户?当权限发生变化时，我只想这样做一次.

Later on my app evolves and need to get more delegated permissions. In that case how do I re-prompt the user with the consent page? I would like do this only once when the permissions are changing.

我是否需要在我的应用中跟踪每个用户已同意哪些权限，然后确定在重定向到身份验证页面时添加 prompt=admin_consent 查询参数?

Do I need to track in my app what permissions each user has consented to and then determine to add the prompt=admin_consent query parameter while redirecting to the auth page?

推荐答案

prompt=admin_consent 在管理员需要为其组织提供同意时使用.如果您只需要用户的同意，则使用 prompt=consent.

The prompt=admin_consent is used when an administrator needs to provide consent for their organization. If you just require the users’s consent, you use prompt=consent.

另外一种方式是可以重定向到登录页面添加提示参数重新同意当app因为缺少调用新API的权限而得到异常时.

Another way is that you can redirect to the login page to add the prompt parameter to re-consent when the app get the exception because the lack of permission to call the new API.

您也可以考虑使用支持增量和动态同意的 V2.0 端点.

You could also consider use the V2.0 endpoint which support the incremental and dynamic consent.

这里是关于Azure AD V2.0 端点供您参考.

Here is the document about Azure AD V2.0 endpoint for your reference.

这篇关于Azure AD 提示用户/管理员在更改应用程序权限后重新同意的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！