1
votes

We used Azure AD to set up an app which gives trust/permissions to an MSGraph Office account. The permissions were not set up to allow the code to programmatically send an email on the user's behalf when they sign up.

Some beta users started using the service. Then, after some time, we changed the permissions in Azure AD to give it permission to send emails on behalf of the user.

Since then, new users can send emails, but beta and older users still have not got these permissions. The token expiration, I believe, is set to 3 days, and it's been a lot longer than that. Is there a way to force the permissions to propagate to all users?

If not, is there somewhere beta users can unsubscribe from the app (kind of like you can with Play Store apps) and then reassign permissions when they log in again?

1
Not sure if it will help, but did you try the "Grant Permissions" button? It states: "Do you want to grant the permissions below for <API Name> for all accounts in current directory? This action will update any existing permissions this application already has to match what is listed below." It is right next to the "+ Add" permission button. - Wiz
@Wiz we granted permissions every time there was a change. Oddly, the button does what it says: it says for "your account", however it grants to the application. Is there any way I can go to, say, office.portal.com and unsubscribe from the app? Surely Microsoft must have provided users the ability to unlink their app/product from msgraph permissions if they don't want msgraph linked anymore? - User101
Not sure if this works with Azure AD or not, but I had this link saved in my notes: account.live.com/consent/Manage - Wiz

1 Answer

1
votes

I would expect this to have already occurred but, if it's taking too long, you can force the user to re-consent to the permission by adding prompt=consent to your initial OAuth URI:

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?{params}&prompt=consent
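Added example (not part of the answer above, and not code from any Microsoft SDK) showing how an app can decide when to send that prompt=consent redirect instead of forcing every user through consent on every login: compare the scopes the v2.0 token endpoint actually granted (its `scope` response field) against the scopes the app now requires, and only redirect with `prompt=consent` for users whose grant predates the new permission. The tenant, client id, redirect URI and the two constructed token responses are placeholders; using `Mail.Send` as the delegated Graph scope for the "send mail on the user's behalf" permission the question describes is an assumption.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs, unquote

AUTHORITY = "https://login.microsoftonline.com"

# Constructed values for illustration only; substitute your own app registration.
TENANT = "common"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"      # placeholder, not a real app id
REDIRECT_URI = "https://example.invalid/auth/callback"  # placeholder
# Assumption: Mail.Send is the delegated Graph scope added after the beta users
# had already consented, so older grants lack it.
REQUIRED_GRAPH_SCOPES = ["User.Read", "Mail.Send"]

# Constructed token-endpoint responses (no real tokens): one for a user who
# consented before the permission change, one for a user who consented after it.
OLD_USER_TOKEN_RESPONSE = {
    "token_type": "Bearer", "expires_in": 3599,
    "scope": "User.Read",
    "access_token": "<constructed-placeholder>",
}
NEW_USER_TOKEN_RESPONSE = {
    "token_type": "Bearer", "expires_in": 3599,
    "scope": "https%3A%2F%2Fgraph.microsoft.com%2FMail.Send User.Read",
    "access_token": "<constructed-placeholder>",
}


def pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 PKCE method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state,
                        code_challenge, force_consent=False):
    """Build the v2.0 authorize URL; prompt=consent is appended only when asked for."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,                 # CSRF binding, checked on the callback
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if force_consent:
        params["prompt"] = "consent"    # forces the consent screen even if a grant exists
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def authorize_query_params(url):
    """Single-valued view of the query string, used to inspect a built URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def _normalise_scope(scope):
    # The token endpoint may return scopes URL-encoded and/or fully qualified
    # (https://graph.microsoft.com/Mail.Send); compare on the bare, lowercased name.
    return unquote(scope).rsplit("/", 1)[-1].lower()


def missing_scopes(token_response, required):
    """Required scopes the user has not granted, per the token response's `scope` field."""
    granted = {_normalise_scope(s) for s in token_response.get("scope", "").split()}
    return [s for s in required if _normalise_scope(s) not in granted]


def needs_reconsent(token_response, required):
    return bool(missing_scopes(token_response, required))


def next_login_url(token_response, state, code_challenge):
    """Authorize URL for a user's next sign-in: forced consent only if scopes are missing."""
    return build_authorize_url(
        TENANT, CLIENT_ID, REDIRECT_URI, REQUIRED_GRAPH_SCOPES, state, code_challenge,
        force_consent=needs_reconsent(token_response, REQUIRED_GRAPH_SCOPES),
    )


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)
    for label, resp in (("old user", OLD_USER_TOKEN_RESPONSE), ("new user", NEW_USER_TOKEN_RESPONSE)):
        print(label, "missing:", missing_scopes(resp, REQUIRED_GRAPH_SCOPES))
        print(" ", next_login_url(resp, state, challenge))
```

The check runs against the `scope` field of the token response rather than by decoding the Graph access token, since that token is issued for Graph, not for the client, and its format is not a contract the app should parse. Keep the PKCE verifier and `state` server-side per session and verify them on the callback before exchanging the code.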