I have a multi-tenant app running and received a request from a "customer" where he claims that he never gave consent to my terms of service and privacy statement. While I claimed that since the beginning the two fields were set in my app registration and required for the use of the app, I did not find any means to prove this, nor any API endpoint where I could verify the date the "customer" gave consent to the two links which are configured.
Is there any API (or other possibility) to get the date a customer gave consent to my app registration?
2 Answers
To get the date on which the customer gave consent, you can run the below MS Graph query:
I registered one multi-tenant application named SriMultiApp in one Azure AD directory and got a consent prompt when the user signs in with the below request:
Once the user accepted the above consent, it will be reflected in the Permissions tab of your Enterprise application like this:
You can find the date on which the customer gave consent to the app registration by checking the Audit logs of your application:
When I ran the below query in Graph Explorer by signing in with a Global Administrator account, I got the date in the activityDateTime variable successfully:
Response:
A customer’s Entra (formerly known as Azure AD) audit logs would have included a record every time consent was granted for an app: Microsoft Entra audit logs.
In the general case (where you and your customer are from two different organizations, each with your own Entra tenants), you, as the app developer/publisher, will not have access to the customer’s audit logs, and will not have a record on your side of the consent being granted.
Some considerations about the Entra consent prompt:
In short: if you have requirements to obtain customer consent for something other than API access (e.g. for your terms of service or privacy policy or other agreement), you need to build that into your app.
Note: In the general case of a multi-tenant app, consent is needed in order for a user to successfully sign in. If your app kept a record of when the users in that organization first successfully signed in, that’s when (those users, at least) granted consent.
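One way to build the record the answer above recommends, as an added example that is not part of the original answer: the app stores who accepted which document text and when, in an HMAC-chained log. The field names, `LOG_KEY` and the in-memory list are assumptions made for illustration; `tid` and `oid` are the tenant and user object ID claims from an already validated Entra ID token.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: a server-side secret loaded from a vault; constructed value here.
LOG_KEY = b"constructed-demo-key"

def _mac(prev_mac: str, record: dict) -> str:
    """MAC over the previous entry's MAC plus this record, so an edited or
    reordered entry no longer verifies."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_mac.encode() + body, hashlib.sha256).hexdigest()

def record_acceptance(log: list, claims: dict, documents: dict, now=None) -> dict:
    """Append one acceptance. `documents` maps each URL (terms of service,
    privacy statement) to the exact text that was shown to the user."""
    now = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    record = {
        "tenant_id": claims["tid"],
        "user_id": claims["oid"],
        "accepted_at": now.isoformat(timespec="seconds"),
        # Hash the text so a later change to the page behind the URL is visible.
        "documents": {url: hashlib.sha256(text.encode()).hexdigest()
                      for url, text in documents.items()},
    }
    prev = log[-1]["mac"] if log else ""
    log.append({"record": record, "mac": _mac(prev, record)})
    return record

def verify_log(log: list) -> bool:
    """Recompute the chain from the start; False if any entry was altered."""
    prev = ""
    for entry in log:
        if not hmac.compare_digest(entry["mac"], _mac(prev, entry["record"])):
            return False
        prev = entry["mac"]
    return True

def first_acceptance(log: list, tenant_id: str):
    """Earliest recorded acceptance time for a tenant, or None if there is none."""
    times = [e["record"]["accepted_at"] for e in log
             if e["record"]["tenant_id"] == tenant_id]
    return min(times) if times else None
```

Call `record_acceptance` from the app's own acceptance step (for example a checkbox shown after first sign-in), not from the Entra consent prompt, which the app cannot observe.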