[GH-ISSUE #4472] [Feature Request]: Webhooks for App Consent Requests need more fields included #2050

New issue

Closed

opened 2026-03-02 13:49:14 +03:00 by kerem · 8 comments

kerem commented 2026-03-02 13:49:14 +03:00

Owner

Copy link

Originally created by @dszp on GitHub (Jul 28, 2025).
Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/4472

Please confirm:

• I have searched existing feature requests (open and closed) and found no duplicates.
• **me or my organization is currently an active sponsor of the product at the $99,- level. (see https://github.com/orgs/servant42inc/people to validate I'm a member of the same org as the same-company-name user account that sponsors)

Problem Statement

When a webhook is triggered with the Command Get-CIPPAlertNewAppApproval ("Alert on new apps in the application approval list") it does not contain enough information to be fully actionable.

The alerts noted in this webhook contain these fields currently:

• AppName
• RequestUser
• AppId
• Scopes
• ConsentURL
• Tenant

It would be helpful to have additional fields added to this grouping:

• Creation/request date
• Status (as displayed in the CIPP UI)
• Action Taken By (if it has been actioned)
• TenantID (GUID) in addition to the Tenant name field

Related but haven't opened a separate request for yet, would also love to be able to approve or deny the app from with in the CIPP UI rather than having to open the ConsentURL with permissions in the client tenant. Maybe this is not possible? Alternately, a way to copy the requested app to a new App Deployment standard to add consent with the requested permissions directly would be helpful. Can submit this request separately if it's even possible--just having more info in the webhook would make this more useful immediately.

Benefits for MSPs

Notifications or tickets we create from the app consent webhook notifications would be able to present a more holistic status of the request to MSP employees for evaluation and action, and including the status would allow for filtering to only alert on actionable (pending) notifications.

Value or Importance

The missing information is critical to being able to only alert on actionable app consent requests from the webhook call, since no status is included. The rest of the fields are less of a priority, but the Status field is reasonably critical for the specific use case.

PowerShell Commands (Optional)

No response

Originally created by @dszp on GitHub (Jul 28, 2025). Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/4472 ### Please confirm: - [x] **I have searched existing feature requests** (open and closed) and found no duplicates. - [x] **me or my organization is currently an active sponsor of the product at the $99,- level. (see https://github.com/orgs/servant42inc/people to validate I'm a member of the same org as the same-company-name user account that sponsors) ### Problem Statement When a webhook is triggered with the Command `Get-CIPPAlertNewAppApproval` ("Alert on new apps in the application approval list") it does not contain enough information to be fully actionable. The alerts noted in this webhook contain these fields currently: - AppName - RequestUser - AppId - Scopes - ConsentURL - Tenant It would be helpful to have additional fields added to this grouping: - Creation/request date - **Status** (as displayed in the CIPP UI) - Action Taken By (if it has been actioned) - TenantID (GUID) in addition to the Tenant name field Related but haven't opened a separate request for yet, would also love to be able to approve or deny the app from with in the CIPP UI rather than having to open the ConsentURL with permissions in the client tenant. Maybe this is not possible? Alternately, a way to copy the requested app to a new App Deployment standard to add consent with the requested permissions directly would be helpful. Can submit this request separately if it's even possible--just having more info in the webhook would make this more useful immediately. ### Benefits for MSPs Notifications or tickets we create from the app consent webhook notifications would be able to present a more holistic status of the request to MSP employees for evaluation and action, and including the status would allow for filtering to only alert on actionable (pending) notifications. ### Value or Importance The missing information is critical to being able to only alert on actionable app consent requests from the webhook call, since no status is included. The rest of the fields are less of a priority, but the Status field is reasonably critical for the specific use case. ### PowerShell Commands (Optional) _No response_

kerem 2026-03-02 13:49:14 +03:00

• closed this issue
• added the
  enhancement
  no-priority
  not-assigned
  labels

kerem commented 2026-03-02 13:49:15 +03:00

Author

Owner

Copy link

@Zacgoose commented on GitHub (Jul 29, 2025):

These alerts are generated only for "InProgress" requests, as such the status at the time of the alert will always be InProgress, there will be no action taken by as its not been completed.
Adding RequestDate and the status is easy (even though it'll always be InProgress)
TenantID should also be fine I guess

<!-- gh-comment-id:3130375852 --> @Zacgoose commented on GitHub (Jul 29, 2025): These alerts are generated only for "InProgress" requests, as such the status at the time of the alert will always be InProgress, there will be no action taken by as its not been completed. Adding RequestDate and the status is easy (even though it'll always be InProgress) TenantID should also be fine I guess

kerem commented 2026-03-02 13:49:15 +03:00

Author

Owner

Copy link

@dszp commented on GitHub (Jul 29, 2025):

These alerts are generated only for "InProgress" requests, as such the status at the time of the alert will always be InProgress, there will be no action taken by as its not been completed.
Adding RequestDate and the status is easy (even though it'll always be InProgress)
TenantID should also be fine I guess

Interesting--I guess that makes sense, but it's not stated anywhere and without a date stamp or documentation, I didn't find it to be clear. Thanks for the info! Having the status included would at least be more self-documenting.

Is it possible at all to approve via Graph as well, or should I not hold out hope/request that feature separately?

<!-- gh-comment-id:3130408544 --> @dszp commented on GitHub (Jul 29, 2025): > These alerts are generated only for "InProgress" requests, as such the status at the time of the alert will always be InProgress, there will be no action taken by as its not been completed. > Adding RequestDate and the status is easy (even though it'll always be InProgress) > TenantID should also be fine I guess Interesting--I guess that makes sense, but it's not stated anywhere and without a date stamp or documentation, I didn't find it to be clear. Thanks for the info! Having the status included would at least be more self-documenting. Is it possible at all to approve via Graph as well, or should I not hold out hope/request that feature separately?

kerem commented 2026-03-02 13:49:15 +03:00

Author

Owner

Copy link

@Zacgoose commented on GitHub (Jul 29, 2025):

According to the MS docs it is not possible to approve or deny apps programmatically

<!-- gh-comment-id:3130466691 --> @Zacgoose commented on GitHub (Jul 29, 2025): According to the MS docs it is not possible to approve or deny apps programmatically

kerem commented 2026-03-02 13:49:15 +03:00

Author

Owner

Copy link

@joelkino commented on GitHub (Jul 29, 2025):

I don't think it's currently possible to approve the request using gdap permissions unless the Application Administrator role is added to the Roles (Preview) section in the Admin Consent Approvers. But once added then it's possible - which would then allow techs to GDAP via CIPP to approve and not have to log in with GA. So that could be a nice standard

<!-- gh-comment-id:3132100508 --> @joelkino commented on GitHub (Jul 29, 2025): I don't think it's currently possible to approve the request using gdap permissions unless the Application Administrator role is added to the Roles (Preview) section in the Admin Consent Approvers. But once added then it's possible - which would then allow techs to GDAP via CIPP to approve and not have to log in with GA. So that could be a nice standard

kerem commented 2026-03-02 13:49:15 +03:00

Author

Owner

Copy link

@dszp commented on GitHub (Jul 29, 2025):

I don't think it's currently possible to approve the request using gdap permissions unless the Application Administrator role is added to the Roles (Preview) section in the Admin Consent Approvers. But once added then it's possible - which would then allow techs to GDAP via CIPP to approve and not have to log in with GA. So that could be a nice standard

That would be a welcome change if possible. I also realized this morning that it would be nice if the displayName of the tenant was included in the webhook (this would be for all webhooks, actually). It would reduce API calls to pull it in after the webhook and allow for matching to PSA client name, as we try to standardize on exactly the same display name in all of our systems so we can easily match for ticketing purposes.

Obviously we can just do an API request to match from the current tenant name (or ideally GUID as I noted) to grab this, as well, but it seems like including it wouldn't be hard?

<!-- gh-comment-id:3132989407 --> @dszp commented on GitHub (Jul 29, 2025): > I don't think it's currently possible to approve the request using gdap permissions unless the Application Administrator role is added to the Roles (Preview) section in the Admin Consent Approvers. But once added then it's possible - which would then allow techs to GDAP via CIPP to approve and not have to log in with GA. So that could be a nice standard That would be a welcome change if possible. I also realized this morning that it would be nice if the `displayName` of the tenant was included in the webhook (this would be for all webhooks, actually). It would reduce API calls to pull it in after the webhook and allow for matching to PSA client name, as we try to standardize on exactly the same display name in all of our systems so we can easily match for ticketing purposes. Obviously we can just do an API request to match from the current tenant name (or ideally GUID as I noted) to grab this, as well, but it seems like including it wouldn't be hard?

kerem commented 2026-03-02 13:49:15 +03:00

Author

Owner

Copy link

@dszp commented on GitHub (Jul 29, 2025):

Also, is there a globally unique ID for each alert that could be included? There appears to be one embedded in the ConsentURL, but I'm not sure if it's accessible outside of that. It would be helpful to deduplicate requests and ensure that once a ticket was created for a request, that it wasn't re-created if it hadn't yet been actioned, the next time the webhook fires. I am seeing repeated firing of the same pending requests via webhook repeated in my observations, so this does seem to be helpful to have if possible. I may be able to add the displayName and maybe this ID myself now that I know where it is in the code; I'll take a look a bit later...

<!-- gh-comment-id:3133335376 --> @dszp commented on GitHub (Jul 29, 2025): Also, is there a globally unique ID for each alert that could be included? There appears to be one embedded in the ConsentURL, but I'm not sure if it's accessible outside of that. It would be helpful to deduplicate requests and ensure that once a ticket was created for a request, that it wasn't re-created if it hadn't yet been actioned, the next time the webhook fires. I am seeing repeated firing of the same pending requests via webhook repeated in my observations, so this does seem to be helpful to have if possible. I may be able to add the displayName and maybe this ID myself now that I know where it is in the code; I'll take a look a bit later...

kerem commented 2026-03-02 13:49:15 +03:00

Author

Owner

Copy link

@Zacgoose commented on GitHub (Jul 29, 2025):

I already have a pending PR to add a couple of those extra details as mentioned. CIPP at this time does not track previous alerts, so on so forth. The ID you see in the consent url is the App Id and this is in the response data. Feel free to comment in the PR if there is something you would like to add :)

<!-- gh-comment-id:3133349464 --> @Zacgoose commented on GitHub (Jul 29, 2025): I already have a pending PR to add a couple of those extra details as mentioned. CIPP at this time does not track previous alerts, so on so forth. The ID you see in the consent url is the App Id and this is in the response data. Feel free to comment in the PR if there is something you would like to add :)

kerem commented 2026-03-02 13:49:16 +03:00

Author

Owner

Copy link

@dszp commented on GitHub (Jul 29, 2025):

I added a non-conflicting pull request that adds the "id" field of the consent request itself as well. I looked at your pull request @Zacgoose which helped me find the right file, thanks for the pointer! I definitely want what's in your pull request, just added an additional field. If I'd seen your note first I guess I could have added a comment instead...

I am torn a little about adding the client displayName as well; I didn't add it in my request. It does make for an extra API call when the webhook is received, but it saves a Graph request when the webhook is created, so maybe that's fine. Not everyone will use it the way I am, and the tenant ID will provide material for the name call reliably.

<!-- gh-comment-id:3133578320 --> @dszp commented on GitHub (Jul 29, 2025): I added a non-conflicting pull request that adds the "id" field of the consent request itself as well. I looked at your pull request @Zacgoose which helped me find the right file, thanks for the pointer! I definitely want what's in your pull request, just added an additional field. If I'd seen your note first I guess I could have added a comment instead... I am torn a little about adding the client `displayName` as well; I didn't add it in my request. It does make for an extra API call when the webhook is received, but it saves a Graph request when the webhook is created, so maybe that's fine. Not everyone will use it the way I am, and the tenant ID will provide material for the name call reliably.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

docs

dev

dependabot/npm_and_yarn/dev/uiw/react-json-view-2.0.0-alpha.42

dependabot/npm_and_yarn/dev/tanstack/react-query-persist-client-5.96.2

dependabot/npm_and_yarn/dev/mui-tiptap-1.30.0

dependabot/npm_and_yarn/dev/tanstack/react-query-devtools-5.96.2

dependabot/npm_and_yarn/dev/recharts-3.8.1

dependabot/github_actions/dev/actions/setup-node-6.4.0

copilot/add-alert-for-report-only-ca

release/beta

release/nightly

docs-maintenance

v10.4.0

v10.3.0

v10.2.0

v10.1.0

v10.0.0

v8.8.0

v8.7.0

v8.6.0

v8.5.0

v8.4.0

v8.3.0

v8.2.0

v8.1.0

v8.0.0

v7.5.0

v7.4.0

v7.3.0

v7.2.0

v7.1.0

v7.0.1

v6.4.0

v6.3.0

v6.2.0

v6.1.0

v6.0.0

v5.9.0

v5.8.5

v5.8.0

v5.7.0

v5.6.0

v5.5.0

v5.4.0

v5.3.0

v5.2.0

v5.1.0

v5.0.0

v4.9.0

v4.8.0

v4.7.0

v.4.6.0

v4.5.0

v4.4.0

v4.3.0

v4.2.0

v4.1.0

v4.0.0

v3.8.0

v3.7.0

v3.6.0

v3.5.0

v3.4.0

v3.3.0

v3.2.0

v3.1.0

v3.0.0

v2.20.0

v2.19.0

v2.18.0

v2.17.0

v2.16.0

v2.15.0

v2.13.0

v2.12.0

v2.11.2

v2.1.11.0

v.2.10.0

v2.9.0

v2.8.0

v2.7.0

v2.6.0

v2.5.5

v2.5.0

v2.4.0

v.2.3.0

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.1

2.0.0

v1.5.1

v1.5.0

v1.4.3

v1.4.2

v1.4.0

v1.3.0

v1.2.1

v1.2.0

1.1.0

release

Labels

Clear labels   

API

  

Feature

  

NotABug

  

NotABug

  

Planned

  

Sponsor Priority

  

Sponsor Priority

  

bug

  

documentation

  

duplicate

  

enhancement

  

needs more info

  

no-activity

  

no-priority

  

not-assigned

  

pull-request

Mirrored from GitHub Pull Request

  

react-conversion

  

react-conversion

  

roadmap

  

security

  

stale

  

unconfirmed-by-user

  

unconfirmed-by-user

  

wontfix

No labels

API

Feature

NotABug

NotABug

Planned

Sponsor Priority

Sponsor Priority

bug

documentation

duplicate

enhancement

needs more info

no-activity

no-priority

not-assigned

pull-request

react-conversion

react-conversion

roadmap

security

stale

unconfirmed-by-user

unconfirmed-by-user

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/CIPP#2050

No description provided.