Does microsoft graph scope require admin consent for delegated permissions

WMio Connectors 121 Reputation points
2020-03-11T09:19:44.903+00:00

I created OAuth app and selected delegated permissions of Microsoft graph which doesn't have admin consent required. But when i try to authorize with some other tenant user, it is prompting message as "Your needs permission to access resources in your organisation that only an admin can grant. Please ask an admin to grant permission to this app before you can use it". How can i overcome without going to admin as I not selected admin consent required scope

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,571 questions
0 comments
Accepted answer
  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-03-24T10:40:43.16+00:00

    @WMio Connectors , The following Admin consent page is coming up because of the following option set to "No" [Please refer to the screenshot]
    5651-entapp.png

    If this option is set to "No" normal users wont be able to provide user consent. If you want to go ahead with this option set to "No" and still want to Multitenant App to work, the only other option is to use the "Admin Consent Requests (Preview)" and set that to "Yes". Doing this, the normal user while accessing the app and entering the username and password, he/she would get the consent page and would ask the user to provide a justification for the Admin to approve. Once the admin approves it, the user would be able to access the app, and in the backend the app's service principal would get added to the user's tenant.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.

    0 comments

16 additional answers

Sort by: Newest
Most helpful Newest Oldest
  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-11-05T06:43:08.413+00:00
    0 comments
  2. Calcul8or 6 Reputation points
    2020-11-05T04:13:54.007+00:00

    I'm having exactly the same issue, and have followed all recommendations made in this thread so far. Is there any formal solution to this problem?

    0 comments
  3. Gregor Vilkner 1 Reputation point
    2020-06-11T15:20:14.8+00:00

    This Risk-based Step-up consent is very confusing. And from what I can see the error message does not disclose if this is the reason that the admin consent was required in the first place.

    I can't run to an admin to get approval for every app I work on (Not even to get approval when I'm done - but before I even start working on it) - stuff that worked a few months ago, with very minor delegated permissions, i.e. the user consenting to access resources he/she has access to anyways.

    Cheers, and kind regars,
    Gregor

    0 comments
  4. Christian Zerbes 1 Reputation point
    2020-05-22T15:56:38.383+00:00

    I would like to pick up on this topic. Is there a way to validate or verifay an app, so that it meets Microsofts concent crieterias?

    I am working on an app, that has to read and write calendar entries. Right now, when I want to grant access to the app from my work account, I get the mentioned error, that an admin has to give permissions. Now I fear, that neither me, nor a lot of potential customers of my app will be able to get the permissions from their admin.

    So I would appreciate, if you could tell me, if there is a solution for this.

    Thanks.

    0 comments