How to Revoke the Consent for an Office 365 app
To use data from Office 365 Services, like Azure AD, OneDrive, Outlook etc., you can use a single API-endpoint called Microsoft Graph. Everything to get started with the Microsoft Graph is available at the portal under http://graph.microsoft.io.
The steps to build an app are:
- Register your app under https://apps.dev.microsoft.com
- Add authentication to your app using OpenID Connect / OAuth2
- Use the Microsoft Graph
- either directly via HttpClient and REST
- or via SDK for your platform
The portal mentioned in the first point assumes that you want to use the Azure AD v2.0-endpoint that sits under this URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize. The Azure AD v2.0-endpoint supports not only business & school accounts, it also supports personal Microsoft accounts (former Windows Live accounts).
The best way to get started with app development and Microsoft Graph integration is by looking at the samples from the Microsoft Graph team under https://github.com/microsoftgraph.
After you’ve build an app using the Microsoft Graph and the Azure AD v2.0-endpoint, you’ll notice that the user is redirected to https://login.microsoftonline.com for the authentication/authorization. First he needs to enter username/password and in a second step he needs to consent to the authorization of the application, or for sure he can also cancel. In a UWP-application the two steps happen in a popup. For the second step the popup looks like below:
As you can see, the app ThomasSampleApp (that’s the name I’ve used for the app-registration on https://apps.dev.microsoft.com) wants to view your basic profile, it wants to sign in as you, send emails as you etc. When you’ve accepted this, the app can access the Microsoft Graph to do all that stuff.
Now when you restart the app again, you just have to enter the username/password in the first step, but the second step – asking to consent the authorization of the app like in the picture above – never pops up again. That means that the consent is stored. But where is it stored?
I’ve researched a bit, and then I came across this blog-post: MSDN Blog about consent for apps using office 365 apis. At the bottom it has a section “How end users can revoke consent”. Exactly what I need.
To revoke the consent to the apps authorization, we need to differentiate between Web and native applications.
Let’s start with the native apps:
Native applications like my UWP-app are storing the consent as part of the Refresh Token. This means I need to uninstall the app. When I install the app again, the consent is no more there. If I’m using the app again, it works like for the very first time: In the first step I’m asked to enter my username/password and in the second step I’m asked to consent to the apps authorization.
Now how does it work with web apps?
I just quote from the blog-post mentioned above: “For web server apps, the user can sign on with their organizational account and go to http://myapps.microsoft.com. From there, they can see the applications that they have consented to and they can revoke access.”
So that’s it.
Have fun and happy coding,
Thomas
Comments (2)
Hey Thomas. Thanks for this.
Question: How do we force a new consent? I am creating a Windows Forms app (don’t judge me!), and during testing I’ve had to update the app permissions, yet the token does not contain the new permissions.
Hi Paul, there’s nothing wrong with Windows Forms. :-) I tried the stuff with UWP-apps, and re-installing the apps worked to get asked again. I haven’t checked if there’s a specific API you could call to do it.