I have an application that uses Azure AD to access Microsoft Graph without Admin Consent.
I would like to introduce the Office 365 Groups capabilities into my app to manage the visibility of my application objects. Basically, I need two things using delegated scopes without Admin Consent:
- The user must be able to see basic information for groups in the tenant.
- Check whether or not the current user belongs to a given group.
I see two approaches:
- Wait for Groups.ReadBasic.All. Indeed, Groups.Read.All does require Admin Consent, so it is not possible to use it right now in our scenario. My question is then: is such a scope planned for Microsoft Graph?
- Limit the Group management feature to Admin only. I could limit the Group management capabilities to Administrators or wait for Admin Consent, but the rest of the application must still be available for non-Admin Consent workflows. Is there a way to achieve this?
The only way I see this is to have two distinct applications registered in Azure AD: myApp and myApp - Extended Permissions. However, I do not believe this is the right way to go, to have two Azure AD apps for the same logical app.