I have a multi-tenant application that requires the end-user to grant a specific set of permissions when accessed. I now need to add a permission to the application and need the end-user to re-grant the application for it to be effective.
That being said, I would really like to check the user's current application in their AAD to verify what set of permissions they have already granted. With that, I could check if I need to make them re-grant or not and have a nice end-user experience.
The closest I have found is using the following Microsoft Graph API endpoint:
'https://graph.microsoft.com/beta/oAuth2Permissiongrants'
This lists the Service Principals in their tenant along with their required permission scopes. This isn't a solution since the Service Principal's permission scopes aren't the same as the application's.
The second possible solution is using the following AAD Graph Api endpoint:
'https://graph.windows.net/{tenantid}/applications'
Sadly, this also isn't viable since it doesn't return "Enterprise Applications".
Anyone know how to accomplish what I'm trying to do?
Thanks
If I understand your problem correctly you want to get back a list of the permissions that were successfully consented by a person to an application.
For example, if I create a client application, and I request "User.Read" and "Group.ReadAll", and a user has signed into my application and consented to those permissions, you want to see where in the directory that information is stored.
If so, you want to use the OAuth2PermissionGrant Entity as noted here for Microsoft Graph.
{
"clientId": "string",
"consentType": "string",
"expiryTime": "String (timestamp)",
"id": "string (identifier)",
"principalId": "string",
"resourceId": "string",
"scope": "string",
"startTime": "String (timestamp)"
}
Note that consent to an application will ALWAYS be represented as a link to a Service Principal representing that application, not the Application Object.
I hope this helps!
You will need to do this in two steps using the AAD Graph API endpoint.
The first step is to retrieve the objectID of your application on that tenant from the response of:
https://graph.windows.net/{tenantId}/servicePrincipals?$filter=appId eq '{AppID}'
The second is to then use oauth2PermissionGrants from the AAD endpoint, in this case:
https://graph.windows.net/{tenantId}/servicePrincipals/{ObjectID}/oauth2PermissionGrants
This will give you a list of the permissions consented for that application on that tenant under the field scope.
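Putting the two answers together, here is an added example (not code from the question or either answer) that builds the two AAD Graph URLs and then evaluates a returned oauth2PermissionGrants list to decide which delegated scopes the tenant or user has not yet consented to. The grant payload, the resource id and the user ids are constructed sample values; tenant-wide admin consent (consentType AllPrincipals) is treated as covering every user, while Principal grants count only for the user being checked.

```python
"""Added example: check consented scopes from an oauth2PermissionGrants response.
Sample data below is constructed, not captured from a real tenant."""
from urllib.parse import quote

GRAPH = "https://graph.windows.net"


def service_principal_url(tenant_id: str, app_id: str) -> str:
    # Step 1: find the service principal (Enterprise Application) by appId.
    return f"{GRAPH}/{tenant_id}/servicePrincipals?$filter=" + quote(f"appId eq '{app_id}'")


def grants_url(tenant_id: str, sp_object_id: str) -> str:
    # Step 2: list consent grants recorded against that service principal's objectId.
    return f"{GRAPH}/{tenant_id}/servicePrincipals/{sp_object_id}/oauth2PermissionGrants"


def granted_scopes(grants, resource_id, principal_id=None):
    """Union of scopes consented for one resource (e.g. the Microsoft Graph SP).
    'AllPrincipals' grants apply to everyone; 'Principal' grants only to that user."""
    scopes = set()
    for g in grants:
        if g.get("resourceId") != resource_id:
            continue
        if g.get("consentType") == "AllPrincipals" or g.get("principalId") == principal_id:
            scopes.update(g.get("scope", "").split())  # scope is space-separated
    return scopes


def missing_scopes(grants, resource_id, required, principal_id=None):
    """Scopes the app now requires that are not yet consented: non-empty means re-consent."""
    return sorted(set(required) - granted_scopes(grants, resource_id, principal_id))


# Constructed sample of the 'value' array from an oauth2PermissionGrants response.
SAMPLE_GRANTS = [
    {"consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph-sp-id", "scope": "User.Read"},
    {"consentType": "Principal", "principalId": "user-1",
     "resourceId": "graph-sp-id", "scope": "User.Read Group.Read.All"},
]

if __name__ == "__main__":
    need = ["User.Read", "Group.Read.All", "Mail.Read"]
    print(grants_url("contoso.onmicrosoft.com", "sp-object-id"))
    print(missing_scopes(SAMPLE_GRANTS, "graph-sp-id", need, "user-1"))  # ['Mail.Read']
    print(missing_scopes(SAMPLE_GRANTS, "graph-sp-id", need, "user-2"))  # ['Group.Read.All', 'Mail.Read']
```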