MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

How to sign in without showing consent screen? #37743

Closed chriszohno closed 5 years ago

chriszohno commented 5 years ago

My app uses MSAL to sign in to my MS or Azure account, but I don't need to access any MS resources. While I can make everything work by following this instruction, I'd like to bypass the consent screen altogether. I tried to use "User.Read" as the scope, but the consent screen is still displayed. Is there a way to bypass the consent screen at all? I just want to use an MS account to authenticate users.


Alberto-Vega commented 5 years ago

@chriszohno Thanks for the feedback! We are currently investigating and will update you shortly.

souravmishra-msft commented 5 years ago

Since the scope used is user.Read, which is a delegated permission, it is a user permission; hence, when the user accesses the application for the first time, he gets the consent page. You can bypass this page only if a Global Admin gives consent for this scope for all the users in the organization. That way, the consent page won't pop up when users access the application with their accounts for the first time.

A Global Admin can consent in two ways:

1. Using the portal:
    Application Registration --> Select the application from the list and open --> Select API Permissions --> Check for the button "Grant admin consent for the AzureAD-Environment"
Note: Once you click this button, the status column for the scope User.Read will get a green check mark, which means admin consent is done for that scope and only for that application, but for all the users in that tenant.

2. By the Global Admin himself accessing the application and providing consent on behalf of all the users.

Hope this helps. If you have any further queries, feel free to let us know so that we can help further.
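The consent behaviour described in the comment above, as an added example that is not part of the original thread or of any Microsoft code. It models grants in the shape of Microsoft Graph `oauth2PermissionGrant` records (`consentType` of `AllPrincipals` for admin consent, `Principal` for a single user); the function names, ids and sample records are constructed, and case-insensitive scope matching is an assumption.

```python
# Added example: models when the consent page appears, per the comment above.
# Records mimic Microsoft Graph oauth2PermissionGrant objects; every id and
# scope set here is constructed sample data. "clientId" stands for the client
# application's service principal id.

def _scopes(value):
    """Split a space-separated scope string; compared case-insensitively (assumption)."""
    return {s.lower() for s in value.split()}

def granted_scopes(grants, client_id, user_id):
    """Scopes already consented for this app: tenant-wide plus this user's own."""
    covered = set()
    for g in grants:
        if g["clientId"] != client_id:
            continue
        tenant_wide = g["consentType"] == "AllPrincipals"
        own = g["consentType"] == "Principal" and g.get("principalId") == user_id
        if tenant_wide or own:
            covered |= _scopes(g["scope"])
    return covered

def consent_prompt_needed(grants, client_id, user_id, requested):
    """Return the requested scopes that still lack consent (empty set: no prompt)."""
    return _scopes(requested) - granted_scopes(grants, client_id, user_id)

def broad_tenant_grants(grants, allowed="User.Read"):
    """Audit helper: tenant-wide grants carrying scopes outside an allowlist."""
    ok = _scopes(allowed)
    return [(g["clientId"], sorted(_scopes(g["scope"]) - ok))
            for g in grants
            if g["consentType"] == "AllPrincipals" and _scopes(g["scope"]) - ok]

SAMPLE_GRANTS = [  # constructed records
    {"clientId": "app-1", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read"},
    {"clientId": "app-2", "consentType": "Principal", "principalId": "user-a",
     "scope": "User.Read"},
    {"clientId": "app-3", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Mail.Read"},
]

if __name__ == "__main__":
    # app-1 has admin consent: any user signs in without the consent page.
    print(consent_prompt_needed(SAMPLE_GRANTS, "app-1", "user-b", "user.Read"))
    # app-2 was consented only by user-a: user-b still sees the prompt.
    print(consent_prompt_needed(SAMPLE_GRANTS, "app-2", "user-b", "User.Read"))
    # Tenant-wide grants that go beyond User.Read, for review.
    print(broad_tenant_grants(SAMPLE_GRANTS))
```

The audit helper lists tenant-wide grants whose scopes go beyond `User.Read`, which is the part of an admin consent worth reviewing before the button is pressed.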

umeshbarapatre commented 5 years ago

@souravmishra-msft - This is the correct understanding. As long as the user.read permission on the above-mentioned app has been given consent by the admin, it will not prompt for the consent screen.

souravmishra-msft commented 5 years ago

@chriszohno Hope this solves your query. Let us know if you need further help on this.

@umeshbarapatre Thanks for your input as well.

Will be closing this thread now. Please reopen if needed.

minidfx commented 2 years ago

Interesting comments, but I heard that doing it this way, by using the "Grant admin consent" button, is a security issue. Do you have more information about that?

Can we bypass the consent screen for any customer that tries to connect to a specific application by registering it in the Microsoft app gallery? Is it safer?

For instance: Customer A tries to connect to application B. Does registration in the Microsoft Application gallery give the opportunity to skip the Admin Consent Screen by default, so that each customer does not have to press the "Grant admin consent" button?

Thank you.