2
votes

I am trying to use Microsoft Graph API V2.0 to access user's OneNote Notebooks.

I am trying to authorize via OAuth using the following sample link:

https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
    response_type=code
    &client_id={id}
    &redirect_uri={url}
    &scope=Notes.Read%20offline_access
    &state={state}

When I log in with a work account I get a message saying that:

{app_name} needs permission to access resources in your organisation that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

And:

Message: AADSTS90094: The grant requires admin permission.

Using an admin account I have no problems.

From Notes permissions, none of the Notes scopes (i.e. Notes.Read, Notes.ReadWrite, Notes.Create or Notes.ReadWriteAll) require Admin Consent.

Is there any reason for this to request admin permissions?

2
Can you add the manifest for your app's registration (you can get this from either the Azure Portal or apps.dev.microsoft.com, depending on where you registered)? – Marc LaFleur
Which part in particular do you need? I can authorize using Files Permissions, for example. – Rui Rodrigues
The manifest is a JSON representation of your app's registration (i.e., your AppId, Name, etc.). You can get it from either the Azure Portal or apps.dev.microsoft.com (depending on where you registered your app). – Marc LaFleur
Is this enough? – Rui Rodrigues
Is this happening regardless of the AD tenant you attempt to authenticate against? I'm wondering if the AD tenant has disabled the "Users can consent to apps accessing company data on their behalf" option. – Marc LaFleur

2 Answers

1
votes

This occurs when the Azure AD instance/tenant has disabled "Users can consent to apps accessing company data on their behalf". This is a global User Setting in Azure AD:

When this option is set to No, users will be blocked from executing the User Consent flow:

To get around this, an Admin will need to either consent on the User's behalf or re-enable the User Consent option (this is the recommended solution; there are few rational reasons to entirely turn off User Consent).
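
An added example, not part of the original answer: a Python sketch that checks a tenant's user-consent setting from a Microsoft Graph `authorizationPolicy` response, builds the v2.0 admin consent link, and validates the redirect that comes back. The sample policy JSON, tenant name, client ID and redirect URI are constructed placeholders, and reading the setting from `defaultUserRolePermissions.permissionGrantPoliciesAssigned` is an assumption about how the portal option surfaces in Graph.

```python
import hmac
import json
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORITY = "https://login.microsoftonline.com"

# Constructed sample of GET /v1.0/policies/authorizationPolicy for a tenant
# where "Users can consent to apps ..." is set to No (assumed response shape).
SAMPLE_POLICY = json.loads("""
{"id": "authorizationPolicy",
 "defaultUserRolePermissions": {"allowedToCreateApps": true,
                                "permissionGrantPoliciesAssigned": []}}
""")


def user_consent_enabled(policy):
    """True if default users are assigned any self-service consent policy."""
    perms = policy.get("defaultUserRolePermissions", {})
    assigned = perms.get("permissionGrantPoliciesAssigned") or []
    return any(p.lower().startswith("managepermissiongrantsforself.")
               for p in assigned)


def admin_consent_url(tenant, client_id, redirect_uri, scopes, state):
    """Link an administrator opens to grant the scopes for the whole tenant."""
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "scope": " ".join(scopes), "state": state})
    return f"{AUTHORITY}/{tenant}/v2.0/adminconsent?{query}"


def admin_consent_granted(callback_url, expected_state):
    """Validate the redirect returned by the admin consent endpoint."""
    qs = parse_qs(urlsplit(callback_url).query)
    params = {k: v[0] for k, v in qs.items()}
    # Reject responses that do not carry the state value we issued.
    got = params.get("state", "").encode()
    if not hmac.compare_digest(got, expected_state.encode()):
        raise ValueError("state mismatch: ignore this response")
    if "error" in params:
        return False
    return params.get("admin_consent", "").lower() == "true"
```
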

0
votes

We wrote a detailed article dealing with the "need admin approval" issue, addressing the most common situations. I suspect the problem is addressed in the first section, and your IT admin needs to allow users to request access.