question

0 Votes
WMioConnectors-6974 asked

Does microsoft graph scope require admin consent for delegated permissions

I created an OAuth app and selected delegated permissions of Microsoft Graph that don't have "admin consent required". But when I try to authorize with a user from some other tenant, it prompts the message "Your needs permission to access resources in your organisation that only an admin can grant. Please ask an admin to grant permission to this app before you can use it". How can I overcome this without going to an admin, as I have not selected any scope that requires admin consent?

azure-ad-graph

0 Votes
soumi-MSFT answered

@WMioConnectors-6974, the admin consent page is coming up because the following option is set to "No" [please refer to the screenshot].

[Screenshot: entapp.png]
If this option is set to "No", normal users won't be able to provide user consent. If you want to go ahead with this option set to "No" and still want the multi-tenant app to work, the only other option is to use "Admin Consent Requests (Preview)" and set that to "Yes". With this, when a normal user accesses the app and enters their username and password, they get the consent page, which asks the user to provide a justification for the admin to approve. Once the admin approves it, the user would be able to access the app, and in the backend the app's service principal would get added to the user's tenant.

Hope this helps.

Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.







0 Votes
soumi-MSFT answered

@WMioConnectors-6974, the error that you received, I believe, is coming up for the first time when you access this app from some other tenant. If yes, this is expected, as the other tenant still doesn't have the service principal for this app present in it, and that other tenant is throwing the consent page and asking for consent so that the service principal for this multi-tenant app can get created in that other tenant. You can read more on the consent behavior for a multi-tenant app here.

Hope this helps.

Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as "Answer" if the above response helped in answering your query.




0 Votes
WMioConnectors-6974 answered

@soumi-MSFT, thanks for your reply. So, as you said, a service principal has to be created in other tenants. My new question is: can this be done by normal users (who want to authorize) instead of going to an admin? For the same resource (graph.microsoft.com), Microsoft Flow allows it without any admin interruption. As I don't have much idea about how to create a service principal, can you guide me on whether it is possible for a normal end user or the OAuth app owner to create a service principal in the user's tenant without any involvement of an admin?


@WMioConnectors-6974, yes, a normal user can also go ahead and provide the consent. But the point is that this consent would only be for that particular user; when another user from that same tenant tries to access this multi-tenant app, that user would get their own consent page to provide the consent.

Hope this helps.

Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as "Answer" if the above response helped in answering your query.

0 Votes
0 Votes
WMioConnectors-6974 answered

Yep, it is fine if the user can consent just for their own account. So can you let me know how to grant consent for that user? I am unable to find any way to grant consent only for that user; it just shows that an admin has to grant consent.


0 Votes
soumi-MSFT answered

@WMioConnectors-6974, for a multi-tenant application, the initial registration for the application lives in the Azure AD tenant used by the developer. When a user from a different tenant signs in to the application for the first time, Azure AD asks them to consent to the permissions requested by the application. If they consent, a representation of the application called a service principal is created in the user's tenant, and sign-in can continue. A delegation is also created in the directory that records the user's consent to the application.

This consent experience is affected by the permissions requested by the application. The Microsoft identity platform supports two kinds of permissions: app-only and delegated.

  • A delegated permission grants an application the ability to act as a signed in user for a subset of the things the user can do. For example, you can grant an application the delegated permission to read the signed in user’s calendar.

  • An app-only permission is granted directly to the identity of the application. For example, you can grant an application the app-only permission to read the list of users in a tenant, regardless of who is signed in to the application.

Some permissions can be consented to by a regular user, while others require a tenant administrator's consent. Hence it is necessary for us to understand what type of permissions are being requested by the application.

Hope this helps.

Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as "Answer" if the above response helped in answering your query.

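The answer above separates delegated from app-only permissions and notes that some delegated scopes still need an administrator, while the earlier answer covers the tenant setting that blocks user consent outright. The script below is an added example for this thread, not code from the Q&A or from Microsoft: it buckets an app's requested delegated scopes by who may consent to them, decides whether the admin-consent flow is needed (treating unknown scopes as admin-only so the check fails closed), and builds the matching URL. The scope table is a constructed excerpt shaped like a servicePrincipal's `oauth2PermissionScopes` collection (`type` "User" versus "Admin"); the client id, redirect URI and scope classifications are illustrative assumptions to verify against the live directory, while the two endpoint paths are the real identity platform endpoints.

```python
"""Decide whether user consent can suffice for a multi-tenant app's requested
Microsoft Graph permissions, and build the matching consent URL.

Added example for this thread; not code from the Q&A or from Microsoft.
"""
import secrets
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"

# Constructed sample shaped like a resource servicePrincipal's
# oauth2PermissionScopes: type "User" means a regular user may consent,
# "Admin" means only an administrator may. Verify against the live tenant.
SAMPLE_DELEGATED_SCOPES = [
    {"value": "User.Read", "type": "User"},
    {"value": "Files.ReadWrite", "type": "User"},
    {"value": "Sites.FullControl.All", "type": "Admin"},
]


def classify_scopes(requested_scopes, delegated_scopes=SAMPLE_DELEGATED_SCOPES):
    """Bucket requested delegated scopes by who may consent to them.

    Names not found in the table go to "unknown" so the caller can fail
    closed instead of assuming a user-consentable scope.
    """
    consent_type = {s["value"]: s["type"] for s in delegated_scopes}
    buckets = {"user": [], "admin": [], "unknown": []}
    for name in requested_scopes:
        kind = consent_type.get(name)
        if kind == "User":
            buckets["user"].append(name)
        elif kind == "Admin":
            buckets["admin"].append(name)
        else:
            buckets["unknown"].append(name)
    return buckets


def needs_admin_consent(buckets, requested_app_roles=(), tenant_allows_user_consent=True):
    """True when an administrator must grant consent in the target tenant.

    That holds for any Admin-only delegated scope, any app-only permission
    (appRole) in the registration, any scope that could not be classified,
    and for everything when the tenant has "Users can consent to apps"
    turned off (the "No" setting discussed in this thread).
    """
    if not tenant_allows_user_consent:
        return True
    return bool(buckets["admin"] or buckets["unknown"] or requested_app_roles)


def build_consent_url(tenant, client_id, redirect_uri, requested_scopes, admin, state):
    """Return the v2.0 admin-consent URL, or the normal authorize URL with
    prompt=consent so the signed-in user is asked to consent for themselves.

    `tenant` may be a tenant id, "common" or "organizations". `state` must be
    an unguessable per-request value that the redirect handler checks.
    """
    scope = " ".join(requested_scopes)
    if admin:
        query = {"client_id": client_id, "redirect_uri": redirect_uri,
                 "scope": scope, "state": state}
        return f"{AUTHORITY}/{tenant}/v2.0/adminconsent?{urlencode(query)}"
    query = {"client_id": client_id, "response_type": "code",
             "redirect_uri": redirect_uri, "scope": scope,
             "prompt": "consent", "state": state}
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(query)}"


if __name__ == "__main__":
    # Placeholder client id and redirect URI (constructed, not real values).
    requested = ["User.Read", "Files.ReadWrite"]
    buckets = classify_scopes(requested)
    admin = needs_admin_consent(buckets)
    print(buckets)
    print(build_consent_url("common", "00000000-0000-0000-0000-000000000000",
                            "https://localhost/callback", requested, admin,
                            secrets.token_urlsafe(16)))
```

Running the script with the sample request prints the two user-consentable scopes and a normal authorize URL; swapping in `Sites.FullControl.All`, adding an app role, or passing `tenant_allows_user_consent=False` flips the decision to the admin-consent endpoint, which matches the three situations raised in the thread.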

0 Votes
WMioConnectors-6974 answered

@soumi-MSFT, I am trying some alternate permissions which are useful for creating SharePoint subscriptions and file/folder related operations. I am selecting only delegated permissions for which admin consent is not required, but I am still getting the admin consent required screen. I attached a screenshot of the screen I am getting. Right now I have selected only one delegated permission, but I am still getting the same issue. One thing here is that I am getting this issue for a user who has an account with a personal domain, not an onmicrosoft.com domain.

[Screenshot: azureportalpermissions.png]

[Screenshot: consent-screen.png]

0 Votes
WMioConnectors-6974 answered

Any update here, @soumi-MSFT?


@WMioConnectors-6974, I apologize for the delay in my response. I somehow missed this last update from your end.

Can you let me know what kind of user this is? I mean, is this a guest user in the tenant that has the application registered in it?
I would also like to know in which tenant this application registration is done,
and which tenant the user belongs to.

Also, it looks like we would need to take a look at the setup once to understand how this is set up. It would be great if we can set up a call so that we can do a screen share and help you to check on those points.

Do send me the details mentioned below at azcommunity'at'microsoft'dot'com:

  • Your email ID:

  • Your Tenant name/Tenant ID:

  • Your Subscription Details

  • Application Name/Application ID:

  • Preferred time to setup the call along with the timezone.

Do share these details so that we can set up the call quickly and help you fix the issue sooner.



0 Votes
0 Votes
WMioConnectors-6974 answered

Thanks @soumi-MSFT.
I tried as an end user with site admin rights and also as a normal company user (not a guest user). We have SSO login for this.

The application developer user is wmioconnectors@ipaasaccounts.onmicrosoft.com (ipaasaccounts tenant).

I will let you know the call timings via email. I am in IST and looking for a call on either Monday or Tuesday of next week. Can you let me know which time zone you are in, so that we can have a call at a time suitable for both of us?


@WMioConnectors-6974, I am also in the IST time zone. Hence it would be great if you can share a suitable time for me to send you the Teams meeting invite for today, if possible. I would be available from 12:30 onwards to set up the call.

0 Votes
0 Votes
WMioConnectors-6974 answered

@soumi-MSFT, I set up a call at 16:00 IST today. I also sent the mail. Let me know if you want to change the time.


0 Votes
WMioConnectors-6974 answered

@soumi-MSFT, this was helpful, and I was able to find out how to create the multi-tenant app and how to control permissions via an admin. Thanks :)
