By now, everybody should have heard about GDPR. While not being a lawyer, I think I can summarize it this way: any identifiable personal information as well as sensitive personal information is subject to GDPR regulation. This first and foremost implies informing the user about which usage is done with his personal data.
The major asset to comply with GDPR is the consent. By letting users consent about what is done with their personal information, you should be on the safe path. However, GPDR comes with strong requirements such as: every distinctive usage should come with its own consent and could be revoked at any time by the end user, which means that you cannot simply bundle everything in one basket and ask the user to consent to the whole thing, even if doing this, is already better than nothing.
So, what about using Azure Active Directory’s consent to comply with GDPR? Is it feasible, is it not? Well, first of all, AAD’s consent is traditionally used to grant an app, the permission to act against a resource on your behalf. If your app is talking to a custom API and sends personal data to it, it’s perfectly feasible to use the API’s consent to warn the user about what is being used with his personal information. You can indeed include a dedicated GDPR oauth2Permission per usage as shown by the below screenshots:
Figure 1: oauth2 permissions in the API manifest
Figure 2: user consent prompt
However, there are a few limitations:
- Azure Active Directory shows the consent prompt for all the resources (and usages) at once. It’s therefore a all or nothing consent.
- If you perform an Admin Consent which is sometimes required by some resources, your API will automatically be consented except if you first make the admin consent and then configure your client app to request access to your dedicated personal information consent prompts.
- Revoking the app permissions is perfectly feasible using the portal https://account.activedirectory.windowsazure.com/applications but this will revoke the app entirely.
Bottom line: Azure Active Directory is perfectly usable to handle GDPR requirements but you don’t have the granularity of consenting/revoking usages independently. However, from an information perspective, you can clearly distinguish the different usages. For a simple scenario where a client app talks to a single API with a single personal data usage, you should in theory, be able to be entirely compliant with GDPR.
Note: I’m only covering the consent story, I’m not talking about how long the data may be kept, the right to be forgotten, etc. which are also part of GDPR.