User consent: Graph permissions


Our app needs graph permissions to work and they are configured in the API permissions of the App registration. They are all delegated permissions.


When a user now installs the app for the first time, she is asked to grant some permissions.
However, these permissions do not include the Graph permissions.



Upon the retrieval of a Graph token, the call fails because of the missing scopes and the user needs to authorize again via the Msal2Provider. This time the consent shown includes all configured Graph scopes, and afterwards everything works fine.



But the flow is a bit strange for the users. Is there a way to include the Graph permissions in the very first consent dialog when the app is installed?
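As an added illustration (not code from the original post), the "missing scopes" failure described above can be detected before the Graph call is made: a delegated Graph access token lists the scopes the user has actually consented to in its `scp` claim, so comparing that claim against the scopes the app registration configures tells the app whether a second consent is still needed and for exactly which scopes. The scope list and the sample token below are constructed for the example.

```javascript
// Scopes the app registration is assumed to configure (hypothetical set).
const REQUIRED_GRAPH_SCOPES = ['User.Read', 'Team.ReadBasic.All', 'Files.Read'];

// Decode the payload of a compact JWT without verifying its signature.
// This is only used to inspect which scopes were consented to on a token
// the identity provider just handed to this app; it must never be used
// to make an authorization decision.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  let b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Delegated Graph tokens carry the granted scopes as a space-separated
// "scp" claim. Return the configured scopes that are not in it.
function missingScopes(accessToken, required = REQUIRED_GRAPH_SCOPES) {
  const scp = decodeJwtPayload(accessToken).scp || '';
  const granted = new Set(scp.split(' ').filter(Boolean));
  return required.filter((s) => !granted.has(s));
}

// Constructed sample token: header and signature are placeholders; the
// payload is a realistic claim set where only the first (Teams install)
// consent has been given.
function sampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.sig`;
}

const firstConsentToken = sampleToken({
  aud: 'https://graph.microsoft.com',
  scp: 'User.Read openid profile',
  exp: 2000000000,
});

// Scopes the app would still have to request interactively after the
// first consent dialog; an empty list means no second consent is needed.
function checkFirstConsent() {
  return missingScopes(firstConsentToken);
}
```

The returned list is what the app would pass as the scopes of its next interactive token request, so the user is prompted only for what the first dialog left out.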


@jocschjocsch Yes, there is a way to include the Graph permissions in the very first consent dialog when the app is installed, and it can be achieved through the use of "admin consent" or "pre-consent" for the required permissions.


When an app requires permissions that are considered sensitive (like Graph permissions), it needs to obtain consent from either the individual user or an administrator. In your case, since the app requires Graph permissions, it's best to use "admin consent" to ensure a smoother experience for end-users during the installation process. Admin consent allows a tenant administrator to grant consent for all users in the organization, which means individual users won't be prompted to consent to the required permissions when they install the app. Instead, the app will have the necessary permissions right from the start.


To obtain admin consent for the required Graph permissions, follow these steps:


1. **Update App Registration:**
- Sign in to the Azure portal (https://portal.azure.com/) with an account that has the Global Administrator or Application Administrator role.
- Go to the Azure Active Directory (Azure AD) blade and select "App registrations" (or "Enterprise applications" if the app is already registered).
- Select your app registration representing your app.


2. **Add Required Permissions:**
- In the app registration's overview page, navigate to "API permissions."
- Add the necessary Graph permissions by clicking on the "+ Add a permission" button.
- Select "Microsoft Graph" as the API and choose the required permissions from the list.


3. **Grant Admin Consent:**
- After adding the required permissions, click on the "Grant admin consent" button.
- A pop-up will appear asking for confirmation. Click "Yes" to grant admin consent.

Once admin consent is granted, the app will have the necessary Graph permissions for all users in the organization. New users who install the app won't need to go through the consent process again for these permissions.


Keep in mind that admin consent should be handled with caution, as it grants the requested permissions to all users in the organization without individual user consent. Only administrators should be able to perform admin consent for sensitive permissions.


Additionally, if your app requires certain permissions that can only be consented to by individual users (not admin consent eligible), then you'll have to ensure that the app workflow prompts users to grant those permissions during the first use. In such cases, it's essential to provide clear explanations to users about why those permissions are necessary for the app's functionality.


Have a wonderful day. 

@jocsch Could you please confirm whether your issue has been resolved with the above suggestion, or are you still looking for help?

@ProSolutions 

Thanks for your reply.


I just tried it and added an admin consented scope to the API permissions.
It looks like the user can still install the app (I currently do not see the basic consent dialog but I suppose that is because of some caching issues). 
But as soon as I request the additional Graph scopes, the user can't consent any longer, as there is an admin-consented scope involved.

But still that doesn't seem to be in that very first consent dialog but again a second step that comes during usage of the step.

Ok, after the caches cleared I can confirm that it is still a two-step process even with admin consent involved. I get the first dialog asking only for the "teams" permissions and need the second consent for the additional Graph permission. If admin-consented scopes are involved, the user cannot consent to the second dialog but has to wait for admin approval.
But still two dialogs, where I would like to have just one for the user.