I am currently looking at Enterprise Applications, User Consent, etc. in Azure AD. I am located in the EU.
We might have a problem. People are using OAuth2 to authenticate towards 3rd-party services, get nice semi-SSO, etc. Works great. But the problem is that users give 3rd parties access to personal data that cannot be shared with a 3rd party without a data processing agreement, risk assessment, and Article 30 document.
One example is an app called "LinkedIn Microsoft Graph Connector". Users have given it consent to read "relevant people lists", which is defined as "Allows the app to read a ranked list of relevant people of the signed-in user. The list includes local contacts, contacts from social networking, your organization's directory, and people from recent communications (such as email and Skype)."
So clearly personal data, much of it not owned by the end user (the organization's directory). So data that the user giving the consent is clearly not authorized to consent to if he is in the EU, and most likely not elsewhere either. Microsoft knows the directory is company property, and not the property of each individual user. We are not sure if Microsoft uses the directory, but just asking consent from someone who is not authorized to give it is clearly in a legal gray zone.
Can we get some higher-level control of what we want users to consent to?
We also want to control what the user can give offline access (I assume that is long access tokens) to. It is OK if the app is running on the end user's device; it is NOT OK if it is running in the cloud, as that has GDPR impact.
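As an added example (not part of the original post), the script below shows how an admin could audit existing delegated grants for exactly the two concerns raised above: scopes that expose the organization's directory data rather than the user's own, and offline_access. The records are constructed by hand but follow the field layout of Microsoft Graph oauth2PermissionGrant objects (clientId, consentType, principalId, resourceId, scope); the IDs are hypothetical placeholders, and the set of "organizational data" scopes is a choice for this example.

```python
"""Audit Azure AD delegated OAuth2 permission grants for scopes that expose
organizational personal data or allow offline (long-lived) access.

Added example, not from the original post. SAMPLE_GRANTS is constructed to
mirror Microsoft Graph oauth2PermissionGrant objects; in a real audit the
list would come from GET /oauth2PermissionGrants.
"""

# Delegated scopes whose data belongs largely to the organization, not to the
# consenting user (chosen for this example; extend to suit your own review).
ORG_DATA_SCOPES = {"People.Read", "User.ReadBasic.All", "User.Read.All",
                   "Directory.Read.All"}
# offline_access lets the app keep acting after the user's session ends.
OFFLINE_SCOPE = "offline_access"

# Constructed sample grants with hypothetical service-principal/user IDs.
SAMPLE_GRANTS = [
    {"clientId": "sp-linkedin-connector", "consentType": "Principal",
     "principalId": "user-alice", "resourceId": "sp-msgraph",
     "scope": "User.Read People.Read offline_access"},
    {"clientId": "sp-notes-app", "consentType": "Principal",
     "principalId": "user-bob", "resourceId": "sp-msgraph",
     "scope": "User.Read"},
    {"clientId": "sp-hr-tool", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-msgraph",
     "scope": "User.ReadBasic.All"},
]


def review_grants(grants):
    """Return one finding per grant that touches org data or offline access."""
    findings = []
    for grant in grants:
        scopes = set(grant["scope"].split())   # scope is a space-separated string
        org_scopes = sorted(scopes & ORG_DATA_SCOPES)
        offline = OFFLINE_SCOPE in scopes
        if not org_scopes and not offline:
            continue                           # only the user's own data, no long-lived access
        findings.append({
            "app": grant["clientId"],
            # "Principal" = a single user consented; "AllPrincipals" = admin consented tenant-wide
            "user_consented": grant["consentType"] == "Principal",
            "granted_by": grant["principalId"] or "admin",
            "org_data_scopes": org_scopes,
            "offline_access": offline,
        })
    return findings


if __name__ == "__main__":
    for finding in review_grants(SAMPLE_GRANTS):
        print(finding)
```

Grants flagged with `user_consented` true and non-empty `org_data_scopes` are the ones where an individual, not the organization, authorized access to directory-derived data.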