Microsoft Graph: Selective consent to application-level permissions - scope

So i have an AAD app that requests a number of permissions. I have delegate permissions and application permission.
I want all my customer to use the same app but then admins should be able decide which permissions they would prefer to allow.
So for instance I have Calendar.Read and Calendar.ReadWrite application-permission requests on my app. Some admins will only like to consent to Calendar.Read.
Is this even possible? As per this documentation
I tried having the customer admin consent to only Calendar.Read using
// Line breaks are for legibility only.
GET https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345
&redirect_uri=http://localhost/myapp/permissions
&scope= https://graph.microsoft.com/calendars.read
I can see in the customers enterprise applications that that Calendar.Read is permitted under Admin consent tab. Unfortunately its registered of type Delegate. I need the permission to be of type Application. How do I do this?
As expected when i try to get client credentials token, the token has no permissions so i cannot use the token to make any calls. What am i missing here?

There are settings which admins can choose for enabling the admin consent workflow and choose reviewers:
Admin Consent
Please refer this DOC
For configuring the user content please refer this DOC

Related

Why does my request to consent admin permissions ask all permissions?

I am going to consent only specific admin permissions in graph api.
But it requests all tenant permissions.
Current logic is
Get delegated token by authorization.
https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize?client_id={CLIENT_ID}&response_type=token&redirect_uri={LOGIN_REDIRECT_URI}&response_mode=form_post&scope=offline_access https://graph.microsoft.com/.default
Prompt admin consent
https://login.microsoftonline.com/{TENANT_ID}/adminconsent?client_id={CLIENT_ID}&redirect_uri=http://localhost/team-members/getAppToken&scope=https://graph.microsoft.com/calendars.readwrite
Get application token
https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token?scope=https://graph.microsoft.com/calendars.readwrite
In this logic, admin consent is always asked all permissions in 2), but I want to ask only the permission Calendars.ReadWrite.
How to ask to consent for a specific permissions?
This is related to your permission type. If your permission is a delegated permission, you can dynamically agree to a specific delegated permission on the administrator consent page: scope=https://graph.microsoft.com/calendars.readwrite.
If your permissions are application permissions, you can only request the static /.default scope, which will require the administrator to consent to all permissions in the tenant: scope=https://graph.microsoft.com/.default.
See the document, there are detailed instructions:
At this point, Azure AD requires a tenant administrator to sign in to
complete the request. The administrator is asked to approve all the
permissions that you have requested in the scope parameter. If you've
used a static (/.default) value, it will function like the v1.0 admin
consent endpoint and request consent for all scopes found in the
required permissions (both user and app). In order to request app
permissions, you must use the /.default value. If you don't want
admins to see a given permission in the admin consent screen all the
time when you use /.default, the best practice is to not put the
permission in the required permissions section. Instead you can use
dynamic consent to add the permissions you want to be in the consent
screen at run time, rather than using /.default.
If you login to Azure portal and find your application
https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps
Click on API Permissions tab
You will see all configured permissions for Microsoft Graph API.
Ensure that there is only Calendars.ReadWrite by removing all redundant permissions.

Why the user needs to request admin approval in Azure Single Sign On after he is added to users list?

I created an SSO application in the azure portal. As a global administrator I signed to my application with sso and I'm able to fetch the access token and graph details.
In our organization we need to allow few users to use this application. So I added their emails to the 'Users and Groups' in Azure portal. So When the users signed in,they allowed the consent permissions and then the below window appears. May I know the reason?
Is this normal or any kind of bug from side?
Is this window appear everytime once the user got approval ?
Please help me to solve this as I am going through a tough time.
It is not a bug and it is Admin Consent. You as a global
Administrator need to approve the concern from azure AD.
This window will appear only once and it will not appear once user log-in after consent next time.
Please go through Ms Document which has information of configuring Admin Consent.
It seems you are trying to use application permissions, since both shown permissions do not require admin consent for delegated permissions scenarios.
You can read about permission types at https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#permission-types
If you want to review the configuration of your application you can turn to Azure AD. On page https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/CallAnAPI/appId/YOURAPPID/isMSAApp/ (replace YOURAPPID with your app id) you should see something similar to this:
If you at (1) have any of type "Application", these will require admin consent.
Regardless of whether you have any of such, you (required admin privileges) can grant application consent for the tenant using the button at (2).

Register app in Azure AD to access CDS Web API

I'm trying to figure out how to integrate an external app with Microsoft CDS Web API. The first step would be to try the Wep API with Postman. Following this document I could authenticate and make requests to the API using the client id provided in the document. However, when I try to register my own app in my AAD, I can't get the access token in Postman without having first to request the admin for consent.
I followed the instructions in this document to register the app, plus I allowed implicit flow. A did this in a trial account, where I'm the admin and then I tried retrieving the token with an user of another tenant (where I'm not an admin) it tells me to ask the tenant for consent.
Do you know how to register the app without non-admin users having to request admin consent?
Edit:
The registrated app has the following permissions, where none of them require admin consent:
Screenshot of the selected permission
The tenant which the non admin-users belong to has the following configuration for users being able to consent access:
Screenshot of user settings
Anyway, I assume these last settings would not be the problem because when requesting the token with the client id provided by Microsoft in the example of the first link, I do not require the consent from the admin.
Just for the sake of clarity, this is the step that I would like to remove from the authorization process:
Screenshot of the consent request screen
First of all you need to know that not all permissions require admin consent.
Dynamics CRM user_impersonation permission doesn't require admin consent.
But you need to make sure all the permissions added into your registered app don't require admin consent. As long as any permission requires admin consent, then admin consent cannot be bypassed.
Besides, make sure this configuration has been abled in the tenant(which the non-admin users are from).
UPDATE:
You are correct. After testing, I found that this permission does require admin consent. I believe this is an error in the documentation. It seems that the conclusion is that we cannot bypass admin consent.

Is Azure's User.Read permission required for OAuth consent forms?

My multi-tenant Azure application requires only the app-level EWS legacy permission full_access_as_app to run. This app-level permission can only be consented to by an administrator---it's extremely powerful because it gives the app read and write permissions over every EWS mailbox in a tenancy.
If I, as an admin for my Azure tenancy, grant my application only this single permission behind the scenes in AAD configuration, everything works fine when I run the application for my tenancy.
However when you create a new app in Azure, Azure always assumes you will want the user-level Graph API User.Read permission automatically. When you try to remove the permission you get this ominous warning:
And in the case when I leave it out, interactive OAuth consent forms don't work. The error message looks like this.
The client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, The admin has not consented in the tenant. Or, Check the application identifier in the request to ensure it matches the configured client application identifier. Please contact your admin to fix the configuration or consent on behalf of the tenant.
In other words, it appears that the application won't be able to run for anyone else's tenancy because their admins can't consent to it.
My hypothesis is that this is because Azure is using the User.Read permission to check whether the person signing in through the OAuth form is an administrator. In other words this permission is needed just this one time, before the application is ever run for the admin's tenancy.
Looking at the actual OAuth consent form, this does appear to be the case.The app wants to sign in and read my profile, to check if I am admin... or so it seems to me.
Am I right about this? Documentation I have been able to find is rather scanty.

Why admin grant is required if my app is only requesting User.Read permission?

As you see my new registered app registration it's an app that only requires users to login.
Anything beyond the minimal requirements to work. I don't configured it to request any special sort of permission
When i Try lo login this message appears
"Application needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it"
Why? The permissions the app is requesting are just basic ones . I don't understand why an admin consent is required.
Many thanks
There are two possible reasons why users can't consent to User.Read:
User consent is disabled or restricted. Each customer can choose to disable or limit user consent to applications. In a tenant where user consent is disabled, for example, users can't consent to any permission.
Azure AD > Enterprise apps > User settings > Users can consent to apps...
The app requires assignment. When an application is configured to require assignment for users to be able to sign in, users are not allowed to consent to that application.
Azure AD > Enterprise apps > (select app) > Properties > User assignment required?
Most possible reasons for any administrator consented issue,
App-only permissions always require a tenant administrator’s consent. If your application requests an app-only permission and a user tries to sign in to the application, an error message is displayed saying the user isn’t able to consent.
Certain delegated permissions also require a tenant administrator’s consent. For example, the ability to write back to Azure AD as the signed in user requires a tenant administrator’s consent.
Possible Solutions,
The prompt=admin_consent parameter(which request permissions from admin) can be used as a parameter in the OAuth2/OpenID Connect authorization request to grant the admin consent .
Enable the admin consent workflow , which gives end users a way to request access to applications that require admin consent.
Refer the permissions documentation for the Microsoft Graph API indicate which permissions require admin consent.
Please refer admin consent endpoint for more details.

Resources