Does microsoft graph scope require admin consent for delegated permissions

Question

I created OAuth app and selected delegated permissions of Microsoft graph which doesn't have admin consent required. But when i try to authorize with some other tenant user, it is prompting message as "Your needs permission to access resources in your organisation that only an admin can grant. Please ask an admin to grant permission to this app before you can use it". How can i overcome without going to admin as I not selected admin consent required scope

Answer 1

@WMio Connectors , The following Admin consent page is coming up because of the following option set to "No" [Please refer to the screenshot]

If this option is set to "No" normal users wont be able to provide user consent. If you want to go ahead with this option set to "No" and still want to Multitenant App to work, the only other option is to use the "Admin Consent Requests (Preview)" and set that to "Yes". Doing this, the normal user while accessing the app and entering the username and password, he/she would get the consent page and would ask the user to provide a justification for the Admin to approve. Once the admin approves it, the user would be able to access the app, and in the backend the app's service principal would get added to the user's tenant.

Hope this helps.

Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.

Answer 2

@WMio Connectors , The error that you received, I believe this coming for the first time, when you access this app from some other tenant. If yes, this is expected as the other tenant still doesnt have the service principal for this app present in that other tenant and that other tenant is throwing the consent page and asking for consent so that the service principal for this multitenant app can get created in that other tenant. You can read more on the consent behavior for a multitenant app here.

Hope this helps.

Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as "Answer" if the above response helped in answering your query.

Answer 3

@soumi-MSFT . Thanks for your reply. So as you said that in other tenants a service principal is to be created. So my new question is, can this be done by normal users (who want to authorize) instead of going to admin. For the same resource(graph.microsoft.com), it is allowing in Microsoft flow without any admin interruption. So as I don't have much idea about how to create service principal, can you guide me if it is possible with normal end-user or OAuth app owner to create a service principal in user tenant without any interruption of admin

Answer 4

Yep, it is fine, if the user can consent up to his account. So can you let me know how to approved consent to that user? Because I am unable to find any way to grant consent up to that user, it is just showing admin to grant consent

Answer 5

@WMio Connectors , For a multi-tenant application, the initial registration for the application lives in the Azure AD tenant used by the developer. When a user from a different tenant signs in to the application for the first time, Azure AD asks them to consent to the permissions requested by the application. If they consent, then a representation of the application called a service principal is created in the user’s tenant, and sign-in can continue. A delegation is also created in the directory that records the user’s consent to the application.

This consent experience is affected by the permissions requested by the application. Microsoft identity platform supports two kinds of permissions, app-only and delegated.

• A delegated permission grants an application the ability to act as a signed in user for a subset of the things the user can do. For example, you can grant an application the delegated permission to read the signed in user’s calendar.
• An app-only permission is granted directly to the identity of the application. For example, you can grant an application the app-only permission to read the list of users in a tenant, regardless of who is signed in to the application.

Some permissions can be consented to by a regular user, while others require a tenant administrator’s consent. hence it is necessary for us to understand what type of permissions are being requested by the application.

Hope this helps.

Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as "Answer" if the above response helped in answering your query.