articles/active-directory/develop/consent-framework.md
7 additions & 7 deletions
@@ -10,10 +10,10 @@ ms.service: active-directory
10
10
ms.subservice: develop
11
11
ms.topic: conceptual
12
12
ms.workload: identity
13
-
ms.date: 10/21/2020
13
+
ms.date: 03/14/2022
14
14
ms.author: ryanwi
15
-
ms.reviewer: zachowd, lenalepa, jesakowi
16
-
ms.custom: has-adal-ref
15
+
ms.reviewer: phsignor, jesakowi
16
+
ms.custom:
17
17
---
18
18
19
19
# Azure Active Directory consent framework
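Review bot: The added `ms.custom:` line in the front matter leaves the key with an empty value once `has-adal-ref` is removed. Delete the key outright instead of keeping an empty entry, so metadata tooling does not see a null-valued field. If the ADAL reference tag is being dropped because the article no longer mentions ADAL, say so in the commit description, since nothing else in this hunk shows why the tag goes away.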
@@ -32,17 +32,17 @@ The following steps show you how the consent experience works for both the appli
32
32
33
33
1. Assume you have a web client application that needs to request specific permissions to access a resource/API. You'll learn how to do this configuration in the next section, but essentially the Azure portal is used to declare permission requests at configuration time. Like other configuration settings, they become part of the application's Azure AD registration:
34
34
35
-

35
+
:::image type="content" source="./media/consent-framework/permissions.png" alt-text="Permissions to other applications" lightbox="./media/consent-framework/permissions.png":::
36
36
37
37
1. Consider that your application’s permissions have been updated, the application is running, and a user is about to use it for the first time. First, the application needs to obtain an authorization code from Azure AD’s `/authorize` endpoint. The authorization code can then be used to acquire a new access and refresh token.
38
38
39
39
1. If the user is not already authenticated, Azure AD's `/authorize` endpoint prompts the user to sign in.
40
40
41
-

41
+
:::image type="content" source="./media/consent-framework/usersignin.png" alt-text="User or administrator sign in to Azure AD":::
42
42
43
43
1. After the user has signed in, Azure AD will determine if the user needs to be shown a consent page. This determination is based on whether the user (or their organization’s administrator) has already granted the application consent. If consent has not already been granted, Azure AD prompts the user for consent and displays the required permissions it needs to function. The set of permissions that are displayed in the consent dialog match the ones selected in the **Delegated permissions** in the Azure portal.
44
44
45
-

45
+
:::image type="content" source="./media/consent-framework/consent.png" alt-text="Shows an example of permissions displayed in the consent dialog":::
46
46
47
47
1. After the user grants consent, an authorization code is returned to your application, which is redeemed to acquire an access token and refresh token. For more information about this flow, see [OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md).
48
48
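Review bot: Only the first converted image, `permissions.png`, carries a `lightbox` attribute; the `usersignin.png` and `consent.png` lines are added without one. The consent screenshot is the one whose alt text says it shows the permissions displayed in the consent dialog, so it is the image a reader most needs to enlarge. Add `lightbox="./media/consent-framework/consent.png"` (and the matching one for `usersignin.png`), or drop the attribute from the first image so the three are consistent. The alt text "Permissions to other applications" could also name what the screenshot shows rather than repeating a label.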
@@ -53,7 +53,7 @@ The following steps show you how the consent experience works for both the appli
53
53
1. Go to the **API permissions** page for your application
54
54
1. Click on the **Grant admin consent** button.
55
55
56
-

56
+
:::image type="content" source="./media/consent-framework/grant-consent.png alt-text="Grant permissions for explicit admin consent" lightbox="./media/consent-framework/grant-consent.png":::
57
57
58
58
> [!IMPORTANT]
59
59
> Granting explicit consent using the **Grant permissions** button is currently required for single-page applications (SPA) that use MSAL.js. Otherwise, the application fails when the access token is requested.
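Review bot: The `source` attribute on the added `grant-consent.png` image line is missing its closing quote: `source="./media/consent-framework/grant-consent.png alt-text="Grant permissions ...`. As written, the value runs into the `alt-text` attribute and the image will not resolve; add the `"` after `grant-consent.png`. While touching this line, note that the step above names the button **Grant admin consent**, whereas the alt text and the IMPORTANT note both say "Grant permissions"; align the three so readers look for the right control.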