ms office - Adding an additional Windows Azure AD delegated permission to an existing grant

Question

I've got an in-production Windows Azure AD App which authenticates users via OAuth2. Currently, it requests only one delegated permission - "Enable sign on and read users' profiles". I'm adding a new feature to our application which will make use of the Office 365 API(s), and this obviously requires additional delegated permissions to be requested by the App.

I've updated our App manifest, and new users who give consent to our App grant both the sign-in and the Office 365 delegated permissions, and the token endpoint response scope param is UserProfile.Read Mail.Read as expected. However, for existing users who gave consent to our App when it only requested the sign-in delegated permission, Windows Azure AD doesn't prompt them to grant the additional Office 365 delegated permission the next time they log in. For these users, the token endpoint response scope param still comes through as UserProfile.Read, i.e. the sign-in delegated permission only.

I know I can pass ?prompt=consent to https://login.microsoftonline.com/common/oauth2/authorize which will force a user to grant all requested delegated permissions, but that's a bit of a sledgehammer approach because it would ask everyone, every time, when all I want to do is catch these users where there's a difference between requested and granted delegated permissions. It wouldn't play well in the SSO experience I'm trying to maintain.

With Google OAuth, scopes are passed as query params in the authorisation request, and the user is prompted to grant consent for any scopes requested that haven't already been granted. For new users that would be all scopes, for existing users that would be the newly added scopes, and after that no additional consent would be required because all scopes would then have been granted - that's exactly what I'm trying to achieve with Windows Azure AD.

Is there some way enforce the delegated permissions configured in the App manifest as mandatory, i.e. sign-in will not complete without these delegated permissions having been granted?

Answer 1

The Azure folks are working on implementing passing scopes in each request. In the meantime, the guidance they've given is that you do not include prompt=consent with every request. Instead, if you get an Unauthorized error, then you fall back on re-requesting with prompt=consent.