2
votes

I'm trying to acquire a token to call Microsoft Graph using Angular to retrieve the signed-in user's profile picture. I am using the '@azure/msal-angular' library for authentication through Azure AD. I have the API permissions set up for Microsoft Graph - User.Read in my application; however, I keep getting an error that my application needs access that only an admin can grant. My assumption is that I need to create a client secret, but I'm not sure where to configure that in my code.

```typescript
import { MsalModule, MsalConfig } from '@azure/msal-angular';

// Resources the MSAL HTTP interceptor should attach a token for, and the scopes each needs
export const protectedResourceMap: [string, string[]][] =
    [
        ['https://graph.microsoft.com', ['User.Read']]
    ];

export const IdentityConfig: MsalConfig = {
    clientID: '<clientid>',          // application (client) ID from the app registration
    validateAuthority: true,
    protectedResourceMap: protectedResourceMap,
    consentScopes: ['User.Read'],    // scopes the user is asked to consent to at sign-in
};

...
imports: [
    ...
    MsalModule.forRoot(IdentityConfig)
]
```
juunas: You definitely don't need a client secret since your app is a public client (that can't secure secrets). I haven't used the msal-angular module so I don't know exactly what the problem is :/ When do you get the error? Can you paste the error here?

user6873144: The error reads as follows: "<user> Need admin approval <application> needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it. Have an admin account? Sign in with that account Return to the application without granting consent"

juunas: Is this your test AAD tenant or your org's tenant? It's possible your admin has disabled user consent and requires admin consent for everything.

user6873144: This is my org's tenant. How can I tell through the Azure portal if it's been disabled?

user6873144: That was it after all, the admin didn't give user consent. Thank you!

1 Answer

0
votes

It's possible your admin has disabled user consent and requires admin consent for everything.

This setting can be found in the Azure Portal (portal.azure.com) via Azure Active Directory -> Enterprise applications -> User settings.

The setting is "Users can consent to apps accessing company data on their behalf".
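The following is an added example, not code from the question or from the msal-angular library. It shows the three pieces a client app needs around the consent failure discussed above: which scopes get attached to a Graph call from `protectedResourceMap`, recognising that a token failure is a missing-consent problem rather than a code bug, and building the tenant-wide admin consent URL an administrator can be sent to once user consent is disabled. Assumptions: the longest-prefix URL match mirrors the interceptor's lookup, the error markers listed are the ones Azure AD returns for missing consent, and the sample tenant, client ID and redirect URI are constructed placeholders.

```typescript
// Same shape as the asker's protectedResourceMap: [resource URL prefix, scopes]
type ProtectedResourceMap = [string, string[]][];

const graphResourceMap: ProtectedResourceMap = [
  ['https://graph.microsoft.com', ['User.Read']],
];

// Pick the scopes for an outgoing request by longest matching resource prefix
// (assumption: this mirrors how the MSAL interceptor resolves scopes per call).
function scopesForUrl(map: ProtectedResourceMap, url: string): string[] | null {
  let best: [string, string[]] | null = null;
  for (const entry of map) {
    if (url.startsWith(entry[0]) && (best === null || entry[0].length > best[0].length)) {
      best = entry;
    }
  }
  return best ? best[1] : null;
}

// Markers that indicate consent is missing (assumption: AADSTS65001 = not consented,
// AADSTS90094 = grant requires admin permission, plus the OAuth error codes).
const CONSENT_MARKERS = ['AADSTS65001', 'AADSTS90094', 'consent_required', 'interaction_required'];

// True when a token request failed because the tenant needs (admin) consent,
// i.e. the "Need admin approval" situation from the question; retrying silently will not help.
function needsConsent(errorText: string): boolean {
  return CONSENT_MARKERS.some(marker => errorText.includes(marker));
}

// Tenant-wide admin consent endpoint: an admin who opens this URL grants the app's
// configured permissions for everyone, which is what the asker's admin had to do.
function adminConsentUrl(tenant: string, clientId: string, redirectUri: string, state: string): string {
  const u = new URL(`https://login.microsoftonline.com/${encodeURIComponent(tenant)}/adminconsent`);
  u.searchParams.set('client_id', clientId);
  u.searchParams.set('redirect_uri', redirectUri);
  u.searchParams.set('state', state);   // opaque value echoed back; lets the app reject forged returns
  return u.toString();
}
```

The `state` value should be unpredictable and checked on return so a forged redirect cannot be mistaken for a completed consent flow.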