Azure AD prompt user/admin to re-consent after changing application permissions

Problem description

I am building a SaaS app that will be authenticating users using Azure AD. Let's say I am asking for just 1 delegated permission from user during consent prompt and user accepts it.

Later on my app evolves and needs to get more delegated permissions. In that case how do I re-prompt the user with the consent page? I would like to do this only once when the permissions are changing.

Do I need to track in my app what permissions each user has consented to and then determine to add the prompt=admin_consent query parameter while redirecting to the auth page?

Recommended answer

The prompt=admin_consent is used when an administrator needs to provide consent for their organization. If you just require the user's consent, you use prompt=consent.

Another way is that you can redirect to the login page and add the prompt parameter to re-consent when the app gets the exception because of the lack of permission to call the new API.

You could also consider using the V2.0 endpoint, which supports incremental and dynamic consent.

Here is the document about Azure AD V2.0 endpoint for your reference.
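
One way to re-prompt only when permissions have changed, as an added example that is not part of the original answer: compare the `scope` field of the token response with the scopes the app now needs, and build a v2.0 authorize URL with `prompt=consent` only when something is missing. The client ID, redirect URI and the two Microsoft Graph scopes are placeholder assumptions.

```python
import secrets
from urllib.parse import urlencode

# Assumptions for illustration: placeholder client ID, constructed redirect URI,
# and two Microsoft Graph delegated scopes standing in for "old" and "new" permissions.
AUTHORIZE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://app.example.com/auth/callback"
REQUIRED_SCOPES = ("User.Read", "Mail.Read")
GRAPH_PREFIX = "https://graph.microsoft.com/"


def _short(scope):
    """Normalize a scope for comparison: drop the Graph resource prefix, ignore case."""
    if scope.lower().startswith(GRAPH_PREFIX):
        scope = scope[len(GRAPH_PREFIX):]
    return scope.lower()


def missing_scopes(token_response, required=REQUIRED_SCOPES):
    """Required scopes absent from the space-separated `scope` field of a token response."""
    granted = {_short(s) for s in token_response.get("scope", "").split()}
    return [s for s in required if _short(s) not in granted]


def reconsent_url(token_response, state=None):
    """Authorize URL that asks for the missing scopes, or None if consent is complete."""
    missing = missing_scopes(token_response)
    if not missing:
        return None  # no redirect, so the user is not prompted again
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(["openid", *missing]),
        "prompt": "consent",  # forces the consent page, as in the answer
        "state": state or secrets.token_urlsafe(16),  # CSRF binding; store in the session
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


if __name__ == "__main__":
    old_token = {"scope": "openid profile User.Read"}  # constructed sample response
    print(reconsent_url(old_token))
```

The `state` value has to be stored server-side and checked on the callback before the authorization code is redeemed.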