End-Users can no longer grant consent to Unverified Multi-Tenant apps – what this means for you

I missed this announcement a month ago, but from November 9th, Microsoft have implemented a change to how consent is granted.

If you’re not an application publisher, then you might think this doesn’t affect you … BUT MAYBE IT DOES!  Read on to understand exactly what a multi-tenant is, and why you might have them.

This affect multi-tenant apps from Unverified Publishers, which require consent:

For these applications, users will no longer be able to consent, via the standard permissions dialog box:

From the announcement:

End users will no longer be able to consent to new multi-tenant apps registered after November 8th, 2020 coming from unverified publishers. These apps may be flagged as risky and will be shown as unverified on the consent screen. Apps requesting basic sign-in and permissions to read user profile will not be affected, nor will apps requesting consent in their own tenants.

I take this to mean that administrators will still be able to grant tenant-wide consent to these apps if needed.

What are Multi-Tenanted Apps?

Multi-tenanted apps are ones that users in any Azure AD directory can sign into (not just users in your tenant).  However… if you are creating an app registration for a Bot Framework/Azure Web App Bot – these need to use a multi-tenant app. Same for App Templates (see Step 1 of the Icebreaker Deployment Guide for instance).

This means that even if you’re not an application developer that provides applications to lots of different tenants you might still be impacted by this. Even developers creating internal applications which are based around Bot Framework will have to think carefully about using the same application registration for any additional workloads which require permission consent (or try and get an admin to consent for the entire tenant).

What are Verified Publishers?

Publisher verification helps admins and end users understand the authenticity of application developers integrating with the Microsoft identity platform.

There is no cost to verification, but there are some requirements. Depending on the size and complexity of your organisation this will either be a simple or complex process. Pre-requisites include:

• An MPN ID for a valid Microsoft Partner Network account that has completed the verification process. This MPN account must be the Partner global account (PGA) for your organization.
• An app registered in an Azure AD tenant, with a Publisher Domain configured.
• The domain of the email address used during MPN account verification must either match the publisher domain configured on the app or a DNS-verified custom domain added to the Azure AD tenant.
• The user performing verification must be authorized to make changes to both the app registration in Azure AD and the MPN account in Partner Center.
  • In Azure AD this user must be a member of one of the following roles: Application Admin, Cloud Application Admin, or Global Admin.
  • In Partner Center this user must have of the following roles: MPN Admin, Accounts Admin, or a Global Admin (this is a shared role mastered in Azure AD).
• The user performing verification must sign in using multi-factor authentication.
• The publisher agrees to the Microsoft identity platform for developers Terms of Use.

You can read more about Publisher verification on the Microsoft docs page devoted to it.