4
votes

Is it possible to also get a refresh token in the admin consent flow? I've received an access_token but not a refresh_token, even though I've included the offline_access permission in the delegated permissions.

To be more clear: I need to get to the users' drive files (i.e. get/update files) of the entire tenant (organization). Therefore I'm requesting Application Permissions and using the admin consent endpoint.
Therefore I use the client_credentials grant in order to get the entire-tenant access_token, but unfortunately with no refresh_token in order to extend the time of privileges on the tenant for more than 1 hour.

  • If I misuse the protocols above, clarification will be highly appreciated.

2 Answers

0
votes

Refresh tokens are only returned when both offline_access is requested and you are using the Authorization Code grant.

More importantly, if you are receiving an access_token then you are not executing the Admin Consent workflow. Administrative Consent is only used for consenting to your application's scopes. The Admin Consent response does not contain an access_token, it only contains the Tenant ID (for the tenant that was consented) and a boolean that tells you if consent was granted as query parameters:

 http://{return_uri}/?tenant=[tenant id]&admin_consent=[True/False]

If you are receiving an access_token then you are using either the Authorization Code, Client Credentials, or Implicit grants.

UPDATE:

There is no refresh token issued for Client Credentials, you simply request a new token from the /token endpoint as needed.

0
votes

While Marc's answer is correct, I think the whole thing can be explained in a little more detail:

To get full access to a tenant (i.e. not just resources associated with the current consenting user), then you need to use the Admin Consent flow. However, unlike other flows in Graph's OAuth, you do not require a refresh_token to maintain access. Instead, you can simply request an access_token at any time once an admin has consented. Each access_token lasts 60 minutes.

Having first used other flows such as the Management API and Graph's Code Grant flow, this one confused me, but it's actually even simpler than those.

To get consent, simply direct the admin to the following URL:

https://login.microsoftonline.com/[Their Tenant ID]/adminconsent?client_id=[Your Client ID]&redirect_uri=[Your Redirect URI]

Your redirect URI will get a response with params:

?admin_consent=True&tenant=[Their Tenant ID]

Once you've received this confirmation, you can request an access_token at any time by sending a POST request with the following form fields:

client_id: [Your Client ID],
client_secret: [Your Client Secret],
scope: 'https://graph.microsoft.com/.default',
grant_type: 'client_credentials'

To the following URI:

https://login.microsoftonline.com/[Their Tenant ID]/oauth2/v2.0/token

The response will contain a new 60-minute access_token, and you can simply call it again whenever required.
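The two steps in this answer (send the admin to the adminconsent endpoint, then request app-only tokens with client_credentials whenever the previous one is near expiry) as an added example, not code from the original answer. It assumes the optional `state` parameter that the adminconsent endpoint accepts for CSRF protection, constructed tenant/client identifiers, and a fake token endpoint so the module runs offline; the real `urllib` POST is kept for use against the live endpoint.

```python
"""Admin consent handoff + client_credentials token caching (added example).

Assumptions not in the original answer: the `state` parameter on the
adminconsent endpoint, the constructed IDs in demo(), and FakeTokenEndpoint.
"""
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

AUTHORITY = "https://login.microsoftonline.com"
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


def admin_consent_url(tenant_id, client_id, redirect_uri, state):
    """URL the tenant admin is sent to. `state` is a per-request random value
    the callback must echo back, so a forged callback cannot mark consent."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORITY}/{tenant_id}/adminconsent?{urlencode(params)}"


def consent_callback_error(callback_url, expected_state, expected_tenant):
    """Return None if the redirect proves the expected tenant consented,
    otherwise a reason string. Checked before any token is requested."""
    qs = parse_qs(urlparse(callback_url).query)
    first = lambda key: qs.get(key, [None])[0]
    if first("state") != expected_state:
        return "state mismatch: stale or forged callback"
    if first("error"):
        return f"consent failed: {first('error')}"
    if (first("admin_consent") or "").lower() != "true":
        return "admin did not grant consent"
    if first("tenant") != expected_tenant:
        return "callback tenant differs from the tenant we asked to consent"
    return None


def parse_consent_callback(callback_url, expected_state, expected_tenant):
    err = consent_callback_error(callback_url, expected_state, expected_tenant)
    if err:
        raise ValueError(err)
    return expected_tenant


class ClientCredentialsTokenSource:
    """Hands out a valid app-only access_token, re-POSTing to /token when the
    cached one is within `margin` seconds of expiry. There is no refresh_token
    in this grant: the client secret itself is the long-lived credential."""

    def __init__(self, tenant_id, client_id, client_secret,
                 post=None, margin=300, clock=time.time):
        self._url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
        self._form = {
            "client_id": client_id,
            "client_secret": client_secret,
            "scope": GRAPH_DEFAULT_SCOPE,
            "grant_type": "client_credentials",
        }
        self._post, self._margin, self._clock = post or self._http_post, margin, clock
        self._token, self._expires_at, self.requests_made = None, 0.0, 0

    @staticmethod
    def _http_post(url, form):
        """Real transport: form-encoded POST to the v2.0 token endpoint."""
        req = Request(url, data=urlencode(form).encode(), method="POST")
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
        with urlopen(req, timeout=10) as resp:
            return json.load(resp)

    def access_token(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._margin:
            body = self._post(self._url, self._form)
            self.requests_made += 1
            if body.get("token_type") != "Bearer" or "access_token" not in body:
                raise RuntimeError(f"unexpected token response: {body}")
            self._token = body["access_token"]
            self._expires_at = now + int(body.get("expires_in", 0))
        return self._token


class FakeTokenEndpoint:
    """Constructed stand-in for /oauth2/v2.0/token (offline demo only)."""
    def __init__(self):
        self.calls = 0

    def post(self, url, form):
        assert url.endswith("/oauth2/v2.0/token") and form["grant_type"] == "client_credentials"
        assert form["scope"] == GRAPH_DEFAULT_SCOPE and "client_secret" in form
        self.calls += 1
        return {"token_type": "Bearer", "expires_in": 3599, "access_token": f"tok-{self.calls}"}


def demo():
    """Simulate an hour of use with a fake clock; returns the tokens handed out
    and how many POSTs were needed."""
    clock = {"now": 1_000.0}
    src = ClientCredentialsTokenSource("contoso-tenant-id", "app-client-id", "app-secret",
                                       post=FakeTokenEndpoint().post, clock=lambda: clock["now"])
    first = src.access_token()
    clock["now"] += 600      # 10 min later: still fresh, served from cache
    second = src.access_token()
    clock["now"] += 3000     # 60 min in: inside the 5 min margin, re-requested
    third = src.access_token()
    return first, second, third, src.requests_made
```

Keep `consent_callback_error` strict: a callback whose `state` does not match, or whose `tenant` differs from the one you sent the admin to, must not unlock token requests for that tenant, because the token endpoint will happily mint app-only tokens for any tenant that has consented.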