Microsoft Graph API Permissions for non-admins?


I am trying to create a dropdown with all the users in my Office365 tenant. I created an app in Azure AD and gave it all the necessary permissions. I gave it all the permissions for Microsoft Graph actually, app and delegated. All of them.

Then I wrote up my script to query all users with `https://graph.microsoft.com/v1.0/users`.

I had my tenant admin go in and accept the permissions then output the list of users in the UI. Works fine for them.

I'm not an admin but when I go to the page I get the following error:

This application requires application permissions to another application. Consent for application permissions can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.

I need to know if this will work for users with even lower permissions. From what I understand the API request and the App is running under the permissions given to the application in Azure. So even if the user has Read Only, the request isn't running under the user, it's running under the Application I set up. So why would I get the error regarding permissions?

2 Replies

Hi Kessy,

Normally it runs under the credentials you are logged in with, at least the calls in SharePoint. Of course your app in Azure needs the correct base permissions, which your admin needs to set.

I am guessing it could be a wrong permission on the manifest in your app.


Okay what I did was reduce that App's permissions to only items that did not require Admin access. It seems to be working but I'm pretty disappointed.

I thought that if I gave the App certain permissions, the API would use the App context to make the request instead of the User context.
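
Added example, not part of the thread and not Microsoft's code: a Node.js check for which context a Graph access token actually carries, and which granted permissions exceed what the page needs. Azure AD puts delegated permissions in the `scp` claim and application permissions in the `roles` claim; the sample tokens, the `needed` lists and the helper names are constructed for illustration.

```javascript
// Inspection only: the signature is NOT verified here, so never use this
// result to make an authorization decision.

// Decode the payload (second segment) of a compact JWT.
function decodeClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Classify the token and list permissions beyond the `needed` set.
function auditToken(jwt, needed) {
  const c = decodeClaims(jwt);
  // Delegated (signed-in user) tokens: space-separated scopes in `scp`.
  const scopes = typeof c.scp === "string" ? c.scp.split(" ").filter(Boolean) : [];
  // App-only (client credentials) tokens: array of app permissions in `roles`.
  const roles = Array.isArray(c.roles) ? c.roles : [];
  let context = "unknown";
  if (scopes.length > 0) context = "delegated";
  else if (roles.length > 0) context = "app-only";
  const granted = context === "delegated" ? scopes : roles;
  return { context, granted, excess: granted.filter((p) => !needed.includes(p)) };
}

// Build a constructed, unsigned sample token for the demo below.
function makeToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.constructed`;
}

// Constructed samples: a user signed in to the dropdown page, and a daemon.
const userToken = makeToken({
  aud: "https://graph.microsoft.com",
  scp: "User.ReadBasic.All Mail.ReadWrite Directory.ReadWrite.All",
});
const daemonToken = makeToken({
  aud: "https://graph.microsoft.com",
  roles: ["User.Read.All"],
});

// Assumption: listing users for a dropdown needs only User.ReadBasic.All.
console.log(auditToken(userToken, ["User.ReadBasic.All"]));
console.log(auditToken(daemonToken, ["User.Read.All"]));
```

A token obtained through an interactive user sign-in reports `delegated` here regardless of which application permissions are also configured on the app registration.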