{"id":7113,"date":"2020-04-29T19:42:30","date_gmt":"2020-04-29T19:42:30","guid":{"rendered":"https:\/\/blogs.aaddevsup.xyz\/?p=7113"},"modified":"2020-04-29T19:42:33","modified_gmt":"2020-04-29T19:42:33","slug":"control-access-to-your-apps-in-azure-ad","status":"publish","type":"post","link":"https:\/\/blogs.aaddevsup.xyz\/2020\/04\/control-access-to-your-apps-in-azure-ad\/","title":{"rendered":"Control access to your apps in Azure AD"},"content":{"rendered":"\n<p>We get this kind of question all the time. It comes in many variations and forms like\u2026<\/p>\n\n\n\n<p>&#8220;I only want to consent for some users to access the app.&#8221;<\/p>\n\n\n\n<p>&#8220;I only want my service account to access this app&#8221;<\/p>\n\n\n\n<hr class=\"wp-block-separator is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Before we get started\u2026<\/h2>\n\n\n\n<p>First and foremost, only consenting for allowed users is not the solution. This is not the purpose for consent. Consent is to inform a user or admin what the application is accessing and to give the user or admin an option to accept or deny the requested permissions. Administrators should not be using this to determine who has access to an application. Once the permissions are consented, then we will only allow the app to access the requested permissions and no more.<\/p>\n\n\n\n<p>For more information about the Azure AD Consent Framework\u2026<\/p>\n\n\n\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/consent-framework\">https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/consent-framework<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Let&#8217;s get started\u2026<\/h2>\n\n\n\n<p>If you want to control access to an application, then you should be enabling the requirement of user assignment on the Enterprise application then assign the user, group, or service principal to the application.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">First: Perform admin consent<\/h3>\n\n\n\n<p>Make sure an administrator has performed an Admin consent on the required permissions. This is a requirement in order to restrict user access. Otherwise, you will see various consent related messages or you need admin approval.<\/p>\n\n\n\n<p>For troubleshooting consent issues, see the following article&#8230;<\/p>\n\n\n\n<figure class=\"wp-block-embed-wordpress wp-block-embed is-type-wp-embed is-provider-azure-active-directory-developer-support-team\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"ISFKXxfpuX\"><a href=\"https:\/\/blogs.aaddevsup.xyz\/2020\/04\/troubleshooting-consent-in-azure-ad\/\">Troubleshooting consent in Azure AD<\/a><\/blockquote><iframe loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" title=\"&#8220;Troubleshooting consent in Azure AD&#8221; &#8212; Azure Active Directory Developer Support Team \" src=\"https:\/\/blogs.aaddevsup.xyz\/2020\/04\/troubleshooting-consent-in-azure-ad\/embed\/#?secret=5jYKBwbQ06#?secret=ISFKXxfpuX\" data-secret=\"ISFKXxfpuX\" width=\"600\" height=\"338\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n\n\n\n<hr class=\"wp-block-separator is-style-dots\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Second: Enable <strong>User assignment required<\/strong>\u2026<\/h3>\n\n\n\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/manage-apps\/assign-user-or-group-access-portal#configure-an-application-to-require-user-assignment\">https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/manage-apps\/assign-user-or-group-access-portal#configure-an-application-to-require-user-assignment<\/a><\/p>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator is-style-dots\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Third: Assign users, groups, service principals<\/h3>\n\n\n\n<p>Once user assignment is required, now assign the user, groups, or service principal to the application\u2026<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>If it&#8217;s a Web Application\u2026<\/strong><\/h4>\n\n\n\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/manage-apps\/assign-user-or-group-access-portal#assign-users-or-groups-to-an-app-via-the-azure-portal\">https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/manage-apps\/assign-user-or-group-access-portal#assign-users-or-groups-to-an-app-via-the-azure-portal<\/a><\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>If it&#8217;s a Public Client\u2026<\/strong><\/h4>\n\n\n\n<p>If the application is enabled as a Public Client type so that you can use Windows Authentication, Resource Owner Password Credential flow, or Device Code flow, then this is a bit trickier&#8230;<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>First, disable the Public Client configuration within the application registration\u2026 <img decoding=\"async\" src=\"\/wp-content\/uploads\/2020\/04\/042320_1714_Onlyallowce1.png\" alt=\"\"><\/li><li>Then perform the step above under <strong>&#8220;If it&#8217;s a Web Application&#8221; <\/strong>to assign users, groups, or service principals to the application.<\/li><li>Then re-enable the Public Client configuration.<\/li><\/ol>\n\n\n\n<p>Optionally, you can also use Azure AD PowerShell\u2026 (Especially if you do not own the application to disable Public client type.)<\/p>\n\n\n\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/manage-apps\/assign-user-or-group-access-portal#assign-users-or-groups-to-an-app-via-powershell\">https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/manage-apps\/assign-user-or-group-access-portal#assign-users-or-groups-to-an-app-via-powershell<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">When user assignment is required&#8230;<\/h2>\n\n\n\n<p>Once user assignment is required, then only those users will be able to access the application. Users who do not have access will get the following similar error message&#8230;<\/p>\n\n\n\n<p style=\"color:red;\">AADSTS50105:&nbsp;The&nbsp;signed&nbsp;in&nbsp;user&nbsp;&#8216;{EmailHidden}&#8217;&nbsp;is&nbsp;not&nbsp;assigned&nbsp;to&nbsp;a&nbsp;role&nbsp;for&nbsp;the&nbsp;application&nbsp;&#8216;{app-id}'({app-display-name}).<\/p>\n\n\n\n<hr class=\"wp-block-separator is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Other Tips\u2026<\/h2>\n\n\n\n<p>You can also do this for other resources such as an API. Just follow the steps above applying them to the resource&#8217;s Enterprise app. Be careful and don&#8217;t do this for Microsoft first-party apps as you might break apps like Outlook, Power BI, SharePoint, ect\u2026<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We get this kind of question all the time. It comes in many variations and forms like\u2026 &#8220;I only want to consent for some users to access the app.&#8221; &#8220;I only want my service account to access this app&#8221; Before we get started\u2026 First and foremost, only consenting for allowed users is not the solution. This is not the purpose for consent. Consent is to inform a user or admin&hellip;<\/p>\n","protected":false},"author":12,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,5,210],"tags":[17,36],"class_list":["post-7113","post","type-post","status-publish","format-standard","hentry","category-app-registration","category-azure-ad","category-enterprise-application","tag-aad","tag-authentication"],"_links":{"self":[{"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/posts\/7113"}],"collection":[{"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/comments?post=7113"}],"version-history":[{"count":11,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/posts\/7113\/revisions"}],"predecessor-version":[{"id":7132,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/posts\/7113\/revisions\/7132"}],"wp:attachment":[{"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/media?parent=7113"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/categories?post=7113"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/tags?post=7113"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}