Accessing resources on behalf of a user


So recently, Resource Specific Consent was allowed to be granted for Teams applications to access resources on behalf of a team. The default setting within the Azure portal was to allow Team owners to grant these permissions. This means that by default no Azure Admin Consent was required for resources that were accessed by that team only (where teams could be public but permissions had to be granted for each team separately).

 

Analogously, we were wondering if User Specific Consent could be granted only to resources that were accessed by the user. This would mean that Team resources would not have to be unnecessarily granted access to and would further modularize permissions. This would also enable a lot of work that could be done on behalf of the user. Most of the delegated permissions that we see in the Microsoft Graph API for Teams resources by default require Admin Consent for apps that use User-delegated permissions.

 

In order to boost user productivity, we believe users should be able to manage their work in interesting ways without having to hunt down their IT admin.

 

Is this User Specific Consent / User delegation -- without Azure Admin Consent -- already in place? Is there a viable alternative, if not? Are there plans on the roadmap to enable this down the line?

 

A very useful resource for us is the messages shared within channels, groups, and DMs where a user is already present. So workarounds specific to messages would interest us. However, the general situation for any user-accessed resource is what we'd like to understand.

1 Reply

@JT_ALPL, to access resources you need Admin Consent; it is by design.