Admin consent request - best practice for service provider to prevent confused deputy
We have an application that requires admin consent for some permissions in order to work. I read the admin consent endpoint documentation and as I understand, this has to be a manual process:
- My customer goes to https://login.microsoftonline.com/common/adminconsent?client_id={my_app_id}&redirect_uri=${my_redirect_uri}
- He logs in and accepts the consent (provided that he is an admin).
- I get a response with admin_consent=true and tenant={his_tenant_id}
- I add his_tenant_id to my system.
My 2 issues with this process are:
A. This can cause a confused deputy issue - the customer can change his_tenant_id in the response to whatever he wants. Is there a proper way to check if the user is actually part of the tenant during the admin_consent process?
B. Even if consent was already given, it will ask him to consent every time he presses the link. Moreover, if he is not an admin, he will have to send some admin the link and after a consent is given, the admin will have to send him the response_url in order to add the tenant. Is there a way to check if consent is given, before sending him to the consent link?
- What is the best practice to properly let the customer configure his tenant-id and admin consent in my system, while preventing the confused deputy problem? I need to make sure that he is a user of the provided tenant and still provide him with a link for an admin to consent (my user might not be an admin himself).
Thanks!
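The following is an added illustration of the concern raised in point A; it is not part of the original question and not code from Microsoft's documentation. It shows one defensive pattern for the callback: bind a random `state` to the `tid` claim that the requesting user already proved through their own signed id_token, and enable a tenant only when the `tenant` value in the redirect matches that recorded `tid`. The client id and redirect URI are placeholders, and `user_tid` is assumed to come from an id_token that your OIDC library has already signature-validated (that validation is not performed here).

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint named in the question; the tenant is never taken on trust from it.
ADMIN_CONSENT_ENDPOINT = "https://login.microsoftonline.com/common/adminconsent"


class AdminConsentFlow:
    """Tracks pending admin-consent requests for one service-provider app.

    The tenant that gets enabled must equal the `tid` the requesting user
    proved via their own validated id_token, recorded when the flow starts.
    A caller who edits the `tenant` query parameter therefore gains nothing.
    """

    def __init__(self, client_id, redirect_uri):
        self.client_id = client_id          # placeholder app id (constructed)
        self.redirect_uri = redirect_uri    # placeholder redirect URI (constructed)
        self._pending = {}                  # state -> verified tid of the requesting user
        self.enabled_tenants = set()

    def start(self, user_tid):
        """Build the link the user can open or forward to an admin.

        `user_tid` is assumed to be the `tid` claim of an id_token already
        signature-validated by your OIDC library (assumption, not done here).
        """
        state = secrets.token_urlsafe(32)   # unguessable, single-use
        self._pending[state] = user_tid
        query = urlencode({
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "state": state,
        })
        return f"{ADMIN_CONSENT_ENDPOINT}?{query}"

    def finish(self, callback_url):
        """Process the redirect back from the consent endpoint.

        Returns (ok, detail); on success `detail` is the enabled tenant id.
        """
        params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}

        if "error" in params:
            return False, f"consent not granted: {params['error']}"

        # Pop the state so a replayed or edited callback cannot be reused.
        expected_tid = self._pending.pop(params.get("state", ""), None)
        if expected_tid is None:
            return False, "unknown or already-used state"

        if params.get("admin_consent", "").lower() != "true":
            return False, "admin_consent flag missing"

        tenant = params.get("tenant", "")
        if tenant != expected_tid:
            # The redirect names a tenant the requesting user did not prove
            # membership of: refuse rather than enable it.
            return False, "tenant in redirect does not match the user's verified tid"

        self.enabled_tenants.add(tenant)
        return True, tenant


def state_from_url(url):
    """Extract the `state` parameter from a generated consent URL."""
    return parse_qs(urlparse(url).query)["state"][0]


if __name__ == "__main__":
    # Constructed walk-through with placeholder identifiers.
    flow = AdminConsentFlow("11111111-1111-1111-1111-111111111111",
                            "https://example.invalid/admin-consent/callback")
    link = flow.start("tenant-a")
    print("send this to an admin:", link)
    s = state_from_url(link)
    # Callback edited to claim a different tenant: rejected.
    print(flow.finish(f"https://example.invalid/admin-consent/callback?admin_consent=True&tenant=tenant-b&state={s}"))
```

The `tenant` value in the redirect is still useful as a consistency check, but the decision to enable a tenant rests on the signed `tid` claim, which the user cannot alter.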
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow