hellogr-8912 asked (edited by azure-cxp-api)
0 Votes

Application using Read vs ReadWrite OAuth application scopes: why does ReadWrite require admin approval and Read doesn't?

My 3rd-party application (I am an ISV) uses Read vs ReadWrite scopes (delegated); why does ReadWrite require admin approval and Read doesn't?

My application uses OAuth to authenticate and grant Microsoft Calendar permissions to my application for both consumer and enterprise users/tenants.

When I use the Calendars.ReadWrite, consumer users are automatically prompted to grant access (user consent), but enterprise users are shown "Need Admin Approval" when trying to connect. Similar to this: https://i.stack.imgur.com/FZbrH.png

When I only use the "Calendars.Read" scope permission on the app, both consumer and enterprise users are prompted to grant access (the desired state).

I realize Read vs ReadWrite are different permissions, but where in the documentation does it say that ReadWrite requires admins to "approve" the app while Read only does not require such approval?

According to this, no admin consent is required?
https://www.screencast.com/t/okUuEzJD

Please advise. Thank you.

azure-ad-connect

bump. any additional comments from anyone on this?

0 Votes

ryanchill answered (hellogr-8912 commented)
0 Votes

You have an "Allow user consent for enterprise applications" setting under your tenant. You'll get the Admin Approval message when it's set to 'No'.

[attachment: 7897-2020-05-01-00-47-41-clipboard.png]


Yes, understood. However, this is already set to YES for this particular tenant.

And as I mentioned, Calendars.Read goes through with user consent. But Calendars.ReadWrite doesn't; it gets blocked and needs admin approval.

I don't see anything in the settings about Read vs ReadWrite. If there isn't such a setting around Read vs ReadWrite, then "YES" (above) should allow almost all scopes, right?

In this article I see a note saying:

> When a risky consent request is detected, the consent prompt will display a message indicating that admin approval is needed.

How is this defined? Does simply going from Calendars.Read to Calendars.ReadWrite make it risky? Or?


0 Votes

AnujRana-1707 answered
0 Votes

Hi,

I am curious about the following statement: "When I use the Calendars.ReadWrite, consumer users are automatically prompted to grant access (user consent), but enterprise users are shown 'Need Admin Approval' when trying to connect."

Do you mean B2B (guest) users are able to provide consent for Calendars.ReadWrite while member users of that AAD require admin consent? If this is true, did you review the recent preview for consent and permissions? You can now control which permissions are forced to admin consent while allowing low-impact permissions with user consent.

[attachment: 8704-permissions.png (51.6 KiB)]

Let me know if this helps!
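The two answers above point at the tenant-side settings that decide the prompt: the "allow user consent" switch, and the newer per-permission classification that lets users consent only to low-impact scopes. The following is an added example, not code from the thread or from Microsoft. It models, in simplified form, how those settings decide whether a delegated scope set is user-consentable or needs admin approval, so an ISV can explain to a customer admin why `Calendars.ReadWrite` stalls while `Calendars.Read` goes through. The two policy ids are the real built-in user consent policies; the sample authorization policy, the classification table, the treatment of same-tenant apps as verified, and all helper names are constructed assumptions.

```python
"""Simplified model of how an Azure AD tenant's user-consent settings decide
whether a delegated-permission request can be user-consented or needs admin
approval.

Added example, not code from the thread. The two policy ids are the real
built-in user consent policies; everything else (the sample policy object, the
classification table, the helper names) is constructed for illustration and is
a simplification of the documented behaviour, not Microsoft's implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Built-in user consent policies referenced from
# authorizationPolicy.defaultUserRolePermissions.permissionGrantPoliciesAssigned.
ALLOW_ALL_APPS = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
LOW_IMPACT_ONLY = "ManagePermissionGrantsForSelf.microsoft-user-default-low"

# Constructed sample shaped like a Graph /policies/authorizationPolicy response:
# this tenant allows user consent only for low-impact permissions.
SAMPLE_AUTHZ_POLICY = {
    "defaultUserRolePermissions": {
        "permissionGrantPoliciesAssigned": [LOW_IMPACT_ONLY],
    }
}

# Constructed sample of delegated permission classifications per resource API:
# only these scopes were classified "low" by the tenant admin.
SAMPLE_CLASSIFICATIONS: Dict[str, Set[str]] = {
    "Microsoft Graph": {"openid", "profile", "User.Read", "Calendars.Read"},
}


@dataclass
class ConsentDecision:
    user_can_consent: bool
    reason: str
    blocking_scopes: List[str] = field(default_factory=list)


def evaluate_user_consent(authz_policy: dict, classifications: Dict[str, Set[str]],
                          resource: str, scopes: Iterable[str],
                          publisher_verified: bool = True) -> ConsentDecision:
    """Decide whether a non-admin user may consent to `scopes` on `resource`.

    Rules modelled (simplified):
    - legacy policy: users may consent to any permission for any app;
    - low-impact policy: users may consent only if every requested scope is
      classified low for that resource and the app has a verified publisher
      (assumption: same-tenant apps are treated like verified ones here);
    - no policy assigned: user consent is disabled, admin approval always needed.
    """
    requested = set(scopes)
    assigned = set(authz_policy.get("defaultUserRolePermissions", {})
                   .get("permissionGrantPoliciesAssigned", []))

    if ALLOW_ALL_APPS in assigned:
        return ConsentDecision(True, "user consent allowed for all apps")

    if LOW_IMPACT_ONLY in assigned:
        if not publisher_verified:
            return ConsentDecision(False, "app publisher is not verified", sorted(requested))
        low = classifications.get(resource, set())
        blocking = sorted(requested - low)
        if blocking:
            return ConsentDecision(False, "requested scopes not classified low-impact", blocking)
        return ConsentDecision(True, "all requested scopes are classified low-impact")

    return ConsentDecision(False, "user consent is disabled in this tenant", sorted(requested))


def explain(decision: ConsentDecision) -> str:
    """Human-readable line an ISV can put in a support reply or diagnostic log."""
    if decision.user_can_consent:
        return f"user consent: OK ({decision.reason})"
    return (f"user consent: NEEDS ADMIN APPROVAL ({decision.reason}); "
            f"blocking scopes: {', '.join(decision.blocking_scopes) or 'n/a'}")


if __name__ == "__main__":
    # Reproduces the symptom from the question: Read passes, ReadWrite is blocked.
    for scopes in ({"User.Read", "Calendars.Read"}, {"User.Read", "Calendars.ReadWrite"}):
        d = evaluate_user_consent(SAMPLE_AUTHZ_POLICY, SAMPLE_CLASSIFICATIONS,
                                  "Microsoft Graph", scopes)
        print(sorted(scopes), "->", explain(d))
```

With the constructed policy, `Calendars.Read` is user-consentable and `Calendars.ReadWrite` is reported as the blocking scope; switching the sample policy to the legacy id makes both pass, which is the "YES, allow all" state the asker expected. The real values come from the tenant's `authorizationPolicy` and `delegatedPermissionClassifications` objects, which a tenant admin can read through Microsoft Graph; the function itself is the part that would stay the same.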