I am going through the following example:
https://azure.microsoft.com/resources/samples/active-directory-dotnet-webapp-groupclaims/
To run the sample, I need Directory.Read.All permission on Microsoft Graph:
Configure Permissions for your application. To that extent, in the Settings menu, choose the 'Required permissions' section and then, click on Add, then Select an API, and type Microsoft Graph in the textbox. Then, click on Select Permissions and select Directory.Read.All.
Directory.Read.All needs Azure AD Admin consent.
My Azure AD Application does not have a web user interface.
What are my options to have our Azure AD admin provide consent without taking too much of his time?
Our Azure AD admin is a busy and expensive resource. It takes effort to book his time, and I am hoping that I can rehearse the consent process before I involve him.
You have two options: using the Azure portal, or building the consent URL.
With the Azure portal
If the app is registered in the same Azure AD tenant where you want the permission, then you can ask the admin to go to the app registration in the Azure portal, and then navigate to Settings > Required permissions and click Grant permissions:
In the new (as of 2018-11-14) App registrations (Preview) experience, this is under API permissions > Grant admin consent for...:
If you go to this screen yourself, you can copy the URL and share it with the admin to help him get to the right blade quickly.
Build the consent URL
Even if your app doesn't host a web experience, you can technically still build the URL to request admin consent, though the experience isn't great. Details on how to construct the admin consent URL are in the documentation: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#request-the-permissions-from-a-directory-admin.
The simplest form of this is:
https://login.microsoftonline.com/common/adminconsent?client_id={client-id}
With this approach, once the admin has granted consent, he will be redirected to one of the authorized reply URLs configured in your app registration (or a specific URL, if you use the redirect_uri parameter). If this is a URL that doesn't exist, the browser will display an error (e.g. 404). If there are no reply URLs configured for your app registration, Azure AD will display an error (e.g. "no reply URLs configured"). You should warn the admin that this might happen, but since these errors will be displayed after consent has already been applied, they can be ignored.
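An added example, not part of the original answer or of the Microsoft sample: a small helper that builds the admin consent URL described above and then checks the URL the admin's browser landed on, so the result can be confirmed even when the page itself shows a 404. It assumes the `state` request parameter and the `admin_consent`, `tenant`, `error` and `error_description` redirect parameters described in the linked Microsoft documentation; the IDs and redirect URL are constructed placeholders.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"
# Constructed placeholders: substitute your own app registration values.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
TENANT_ID = "11111111-1111-1111-1111-111111111111"
REDIRECT_URI = "https://localhost/consented"


def build_admin_consent_url(client_id, tenant="common", redirect_uri=None):
    """Return (url, state); state is a random value echoed back on the redirect."""
    state = secrets.token_urlsafe(16)
    params = {"client_id": client_id, "state": state}
    if redirect_uri:
        params["redirect_uri"] = redirect_uri  # must be a registered reply URL
    return f"{AUTHORITY}/{tenant}/adminconsent?{urlencode(params)}", state


def check_consent_redirect(landed_url, expected_state, expected_tenant=None):
    """Inspect the address-bar URL after consent; returns (ok, message)."""
    query = parse_qs(urlsplit(landed_url).query)

    def first(key):
        return query.get(key, [""])[0]

    if first("error"):
        return False, f"{first('error')}: {first('error_description')}"
    if first("state") != expected_state:
        return False, "state mismatch: redirect does not belong to the URL we sent"
    if first("admin_consent").lower() != "true":
        return False, "admin_consent=True missing from redirect"
    # The tenant comes back as a directory (tenant) ID, so compare against the GUID.
    if expected_tenant and first("tenant").lower() != expected_tenant.lower():
        return False, f"consent granted in unexpected tenant {first('tenant')}"
    return True, f"consent granted in tenant {first('tenant')}"


if __name__ == "__main__":
    url, state = build_admin_consent_url(CLIENT_ID, TENANT_ID, REDIRECT_URI)
    print("Send to admin:", url)
    # Constructed redirect, as it would appear in the admin's address bar.
    landed = f"{REDIRECT_URI}?admin_consent=True&tenant={TENANT_ID}&state={state}"
    print(check_consent_redirect(landed, state, TENANT_ID))
```

Passing the tenant ID instead of `common` pins the consent prompt to the intended directory, and asking the admin to paste back the final address-bar URL gives you a record to check with `check_consent_redirect`.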