I’m loosely following this tutorial (but instead of making calls using ‘curl’, it’s being done in React & .net):
https://learn.microsoft.com/en-us/entra/identity-platform/howto-call-a-web-api-with-curl?tabs=dotnet6&pivots=no-api
Setup:
Mimicking the tutorial, I’ve registered two applications within Entra; one for the api (.net) and another for the client (React/JavaScript); they are both under the same organization/tenant.
The api application has a ‘Files.ReadWrite’ delegated permission (Admin consent not required) and an ‘Expose an Api’ scope created named ‘api://{clientIdApi}/FileAccess’.
The client application simply has a delegated permission for the api scope defined above.
Process:
Client opens browser window for the following url:
https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize?client_id=${clientIdUI}&response_type=code&response_mode=query&redirect_uri=${redirectUrl}&scope=api://{clientIdApi}/FileAccess&prompt=consent
Problem:
When the user is prompted for permission consent, it never includes the ‘Files.ReadWrite’ permission set in the api application. There is consent for the client application’s permission for the exposed api scope. And there is consent for the api for ‘View users’ basic profile’ and ‘Maintain access to data you have given it access to’ (although I’m uncertain why this one is prompted).
Expectation:
The consent prompt would include the permissions added to the api application (Files.ReadWrite). When navigating to the ‘Enterprise Applications => Permissions => User Consent’ section, the user would be displayed under the ‘Granted By’ column after they accepted the consent prompt for ‘Files.ReadWrite’. This is how it works when viewing the api scope permission on the client application’s view (although this does appear in the consent prompt).
Notes:
This example is a simplified version of a larger process, but it boils down to a user being unable to consent to delegated permissions set on an api application. The whole process works if the user has already consented to these permissions, but there is something I’m not understanding about api scopes and users consenting to delegated permissions on that scope.
Any help would be greatly appreciated and happy to elaborate more if needed!
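A small diagnostic, added here as an example and not part of the original post: it builds the v2.0 authorize URL from the same parameters as above with proper percent-encoding, and decodes the `scp` claim of an issued access token so you can see which delegated scopes the consent actually produced (signature is not verified; this is inspection only, never an authorization check). The token and the redirect URI are constructed placeholders, not values from the post.

```python
import base64
import json
from urllib.parse import urlencode


def build_authorize_url(tenant_id: str, client_id: str, redirect_uri: str, scopes: list[str]) -> str:
    """Build the Entra v2.0 authorize URL used in the post.

    urlencode percent-encodes the 'api://...' scope and the redirect URI,
    which the raw string-interpolated URL in the post does not do.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "response_mode": "query",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "prompt": "consent",
    }
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?" + urlencode(params)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(payload: dict) -> str:
    """Constructed, unsigned JWT for local testing only (alg=none, empty signature)."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}."


def granted_scopes(jwt: str) -> set[str]:
    """Return the space-separated 'scp' claim of a JWT payload without verifying it."""
    payload = json.loads(_b64url_decode(jwt.split(".")[1]))
    return set(payload.get("scp", "").split())


def missing_scopes(jwt: str, expected: set[str]) -> set[str]:
    """Scopes you expected consent to grant but which are absent from the token."""
    return expected - granted_scopes(jwt)


if __name__ == "__main__":
    # Constructed token mimicking what the client receives for the exposed api scope.
    tok = make_unsigned_token({"aud": "api://{clientIdApi}", "scp": "FileAccess"})
    print(build_authorize_url("{tenantId}", "{clientIdUI}", "http://localhost:3000/callback", ["api://{clientIdApi}/FileAccess"]))
    print("granted:", granted_scopes(tok), "missing:", missing_scopes(tok, {"FileAccess", "Files.ReadWrite"}))
```

Paste the real access token into `granted_scopes` to confirm the `scp` claim matches what the consent prompt showed; a permission that never appeared in the prompt will not be in the token either.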