Setting up an AAD SSO solution with notification subscriptions

Copper Contributor

I've been looking into MS Graph for the last week or so, as we have clients interested in their users on our web application also be controlled through their AAD.


The requirements are quite simple:
- Users from specific tenants be able to login/create account using their Microsoft account. Not all our clients have access to this integration, so we use the tenant id to verify the users come from an acceptable source.

- Their account should get soft deleted and deleted on our application when their deletion status is changed in AAD

- Their role should change on our application, when their role for our application is changed in their AAD


For this I will need the following data from AAD on the user:
- Name

- Email

- Tenant id

- Role for our application


As of now I've created an application under "App Registration" with a working redirect URL. Now I'm a bit uncertain what solution to setup:


All user handled (Use Graph API as user):
1. User logs in to our application using a "Microsoft Login" button

2. They're redirected to my redirect URL and created/logged in if we have their tenant id accepted

3. We create a subscription on the user, so we get notified when they change

4. When notified we call information on the user and update accordingly


The problem I'm facing with this method, is getting user information when a webhook triggers. I tried using{tenant}/oauth2/v2.0/token, but it seems like it wants a code I can't seem to locate in the flow so far.


Admin approval (Use Graph API as admin):

1. An admin from the client receives a consent URL, which gives the application access to User.Read.All, so we can call info on their users at any time.

2. Login flow will be the same for the user, except we can call the Graph API as an application when a webhook triggers.


Trouble I'm having with this solution is the admin consent flow, I keep running into errors such as this:
AADSTS650053: The application 'XXX' asked for scope '"User.Read.All"' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor.


Having all these options, I decided to make a post here to get some direction in case I'm completely off track and missing something obvious. I believe the second approach will create overall simpler implementation, but the first approach is more strict and only gives my application access to the users actually affiliated with my application.


Do any Graph guru's have suggestions on how to solve this kind of setup?


0 Replies