Azure App Registration get Date of consent given for multi tenant app

Agyss
September 25, 2023
218 views
0 votes
2 Answers

I have a multi tenant app running and received a request from a "customer" where he claims that he never gave consent to my terms of service and privacy statement. While I claimed that since the beginning the two fields were set in my app registration and required for the use of the app, I did not find any means to prove this, nor any API-Endpoint where I could verify the date the "customer" gave consent to the two links which are configured.

Is there any API (or other possibility) to get the date a customer gave consent to my app registration?

Answers

- Sridevi
- September 23, 2023 at 1:01 pm
- 0 votes
0
To get the date on which customer gave consent, you can run below MS Graph query:
```
GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=activityDisplayName eq 'Consent to application' and result eq 'success' and targetResources/any(c:c/id eq 'spObjID') and initiatedBy/user/id eq 'userId'
```
I registered one Multi-tenant application named SriMultiApp in one Azure AD directory and got consent prompt when user signs in with below request:
```
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=id_token&client_id=<appId>&redirect_uri=https://jwt.ms&scope=User.Read&response_mode=form_post&prompt=consent&nonce=123456778
```
Once the user accepted the above consent, it will be reflected in Permissions tab of your Enterprise application like this:

You can find the date on which customer gave consent to app registration by checking Audit logs of your application:

When I ran below query in Graph Explorer by signing in with Global Administrator account, I got date in activityDateTime variable successfully:
```
GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=activityDisplayName eq 'Consent to application' and result eq 'success' and targetResources/any(c:c/id eq 'spObjID') and initiatedBy/user/id eq 'userId'
```
Response:
Login or Signup to reply.

- PhilippeSignoret
- September 25, 2023 at 9:06 pm
- 0 votes
0
A customer’s Entra (formerly known as Azure AD) audit logs would have included a record every time consent was granted for an app: Microsoft Entra audit logs.

In the general case (where you and your customer are from two different organizations, each with your own Entra tenants), you as the app developer/publisher, will not have access to the customer’s audit logs, and will not have a record on your side of the consent being granted.

Some considerations about the Entra consent prompt:
1. It’s for authorizing an app to access customer-controlled data, at resources (e.g. APIs) secured by Entra ID.
2. There’s no guarantee all users who use the app have seen the consent prompt. A sufficiently privileged admin can consent on behalf of all users.
3. There is no guarantee or telemetry about whether the user clicked on the app’s terms and privacy links.
4. There is no record of what the URLs or the content behind those URLs were at the time when consent was granted.
In short: if you have requirements to obtain customer consent for something other than API access (e.g. for your terms of service or privacy policy or other agreement), you need to build that into your app.

Note: In the general case of a multi-tenant app, consent is needed in order for a user to successfully sign in. If your app kept a record of when the users in that organization first successfully signed in, that’s when (those users, at least) granted consent.
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.