Consent for Microsoft.Graph openid / User.Read not requested as soon as app registration has other scopes granted

David Schneiderbauer 0 Reputation points
2024-09-09T09:53:37.0566667+00:00

Observed behavior:

Create an app registration without any API permissions.
Perform Auth Code with PKCE flow with scopes "openid profile email".
=> Consent is requested for Microsoft Graph openid & User.Read

Why is User.Read consent requested by default? My understanding is that User.Read is only required if my application wants to fetch the user profile from Microsoft Graph API?

Create an app registration with API permissions for "my-test-app/my-scope" and grant admin consent.
Perform Auth Code with PKCE flow with scopes "openid profile email my-test-app/my-scope".
=> Consent is NOT requested for Microsoft Graph openid & User.Read and token retrieval is successful. idtoken is part of the response as well.

Why is no consent requested anymore? I understand that my-test-app/my-scope is not requested, as it is granted already. But why isn't openid requested anymore?
The openid scope, as documented, must be requested when using OpenID Connect to be able to sign in, but it obviously works without granting consent to openid as well.

Expected behavior:

I would have expected that Microsoft Graph openid is required at all times, no matter if there is another application's permission granted.
Additionally, I would not have expected the User.Read scope to be requested, as this should only be required when I need to access the user profile from Microsoft Graph API.

Can you please clarify this behavior and help me out with my confusion?


1 answer

  1. Navya 9,640 Reputation points Microsoft Vendor
    2024-09-12T10:00:36.1166667+00:00

    Hi @David Schneiderbauer

    Thank you for posting this in Microsoft Q&A.

    Yes, you are correct that User.Read is only required when your application wants to fetch the user profile from Microsoft Graph API. When you create an app registration, the User.Read permission is added by default. However, when you request the openid scope, Microsoft Entra ID automatically includes the User.Read permission as an implied permission. This is because the openid scope is used for authentication, and Entra needs to read the user's profile to authenticate them, and consent was requested for both openid and User.Read.

    When you requested the openid scope along with your custom scope my-test-app/my-scope, Entra ID did not request consent for openid because the admin consent had already been granted. This is known as "incremental consent," where Entra ID only requests consent for the new permissions that are being requested, rather than re-requesting consent for all permissions. When using the openid scope in the request, you will get an ID token along with the access token.

    In summary, the behavior you are observing is expected and is due to the way that Microsoft Entra ID handles consent and scopes.

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

    If this answers your query, do click "Accept Answer" and "Yes" for "Was this answer helpful". And, if you have any further query, do let us know.
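The two flows described in the question (Auth Code with PKCE against the Entra ID v2.0 authorize endpoint, once with `openid profile email` and once with the custom scope added) can be reproduced from a script, and the answer's point about which permissions actually ended up in the token can be checked from the `scp` claim rather than inferred from whether a consent prompt appeared. The following is an added example and not code from the question, the answer or Microsoft; the tenant, client ID, redirect URI and the custom scope URI are placeholders, and the sample token is constructed locally (unsigned) purely so the claim-inspection helper can be exercised offline.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# Assumed placeholders: replace with the real tenant, app registration and redirect URI.
TENANT = "common"
AUTHORIZE_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "http://localhost:8400/callback"
# Custom API scope as in the question; the URI form is an assumption (api://<app-id-uri>/<scope>).
CUSTOM_SCOPE = "api://my-test-app/my-scope"


def pkce_challenge(code_verifier: str) -> str:
    """S256 code_challenge per RFC 7636: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair(nbytes: int = 32) -> tuple[str, str]:
    """Fresh (code_verifier, code_challenge); 32 random bytes give a 43-char verifier."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_authorize_url(scopes: list[str], code_challenge: str, state: str, nonce: str) -> str:
    """Authorization request for the Entra ID v2.0 endpoint (Auth Code + PKCE, S256)."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),      # e.g. "openid profile email" or with the custom scope appended
        "state": state,                 # CSRF binding; compare on the redirect
        "nonce": nonce,                 # bound into the id_token; compare after decoding it
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature.

    This is for inspecting what the authorization server issued (scp, aud, iss);
    a resource server must validate signature, issuer, audience and expiry before trusting a token.
    """
    header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def token_scopes(jwt: str) -> list[str]:
    """Delegated permissions in the access token, from the space-separated 'scp' claim."""
    return token_claims(jwt).get("scp", "").split()


def encode_unsigned_jwt(payload: dict) -> str:
    """Constructed, test-only token (alg=none, empty signature) so token_scopes() can be run offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode("ascii")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    # Step 1 of the question: app registration with no API permissions, OIDC scopes only.
    print(build_authorize_url(["openid", "profile", "email"], challenge, state, nonce))
    # Step 2 of the question: custom scope appended, admin consent already granted.
    print(build_authorize_url(["openid", "profile", "email", CUSTOM_SCOPE], challenge, state, nonce))
    # What the token from step 1 carries (constructed sample; a real token comes from the /token response).
    sample = encode_unsigned_jwt({"aud": "00000003-0000-0000-c000-000000000000",
                                  "scp": "openid profile email User.Read"})
    print(token_scopes(sample))
```

After redeeming the code at `/oauth2/v2.0/token` with the same `code_verifier`, run `token_scopes()` on the returned access token: with the Graph-only request the `scp` claim shows which Graph permissions (including the implied `User.Read`) were granted, and with the custom scope the access token's `aud` switches to your API, which is the practical way to see what consent actually covered regardless of whether a prompt was shown.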

