1 vote

My app is multi-tenant and registered in AAD to access sites with Sites.ReadWrite.All user delegated permission/scope.

In some tenants, OAuth token acquisition works great with user consent, as expected, but with other tenants, like the Microsoft corporate tenant, Admin Consent is required.

Is it an undocumented behavior? Can an Admin add an explicit consent requirement on scopes?

It works on my tenant but not on the microsoft.com tenant using a regular Microsoft user account.

1
Hello @Marc, could you resolve your issue? I have -I think- the same problem. My Azure AD app seems to require admin consent on my trial Office 365 tenant. MailboxSettings.Read(Write) (non-admin permission) seems to be the troublemaker. My app does, however, work on my personal Microsoft account. The strange thing is that MS Graph Explorer succeeds in requesting MailboxSettings.Read on my trial Office 365. Breaking my head on this magic... - bob
Admin consent seems to be required for more mail related permissions. E.g. Mail.Read also needs admin consent while Calendars.Read works... - bob
If you're using Client Credentials (i.e. Application rather than Delegated) then every scope requires Admin Consent. This is required given how extremely broad app-only permissions are. - Marc LaFleur
I'm aware of this and this is covered. It seems that I'm confronted with 'Risk-based Step-up consent'. I must have triggered some actions and AD flagged my app -which is still in development- as 'risky'. The impact is that admin consent is then always required. I'm in contact with MS support to figure out what caused this. Just some fine print in the docs and 1 blog post, so it took me some time to figure it out. (docs.microsoft.com/en-us/azure/active-directory/manage-apps/…) Once confirmed, I'll post it as a potential answer. - bob

1 Answer

1 vote

There is a setting in Azure AD that disables user consent.

The organizations where admin consent is required have most likely done that. So a scope that normally only requires user consent becomes a scope that only admins can consent to.

That's this one here:

*Users can consent to apps accessing data on their behalf* setting
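Whichever cause applies (the tenant setting above, or the risk-based step-up consent mentioned in the comments), the client sees the same thing: the token endpoint refuses the delegated grant and the app has to send an administrator through the admin consent endpoint instead of prompting the user again. The following is an added example, not code from the question or answer, showing how a client can tell the two cases apart from the token-endpoint error body and build the v2.0 admin consent URL. The tenant name, client id, redirect URI and sample JSON bodies are constructed placeholders; the AADSTS65001 and AADSTS90094 codes and the `admin_consent=True` callback parameter are the documented Azure AD values.

```python
"""Added example (not from the page): deciding when a delegated-permission app must
fall back to the Azure AD admin consent endpoint.

Assumptions: tenant "contoso.onmicrosoft.com", a placeholder client id, and the
sample token-endpoint bodies below, constructed in the shape Azure AD uses
(error, error_description, error_codes)."""
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample: the requested scopes need an administrator's consent.
SAMPLE_ADMIN_REQUIRED = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS90094: The grant requires admin permission.",
    "error_codes": [90094],
})
# Constructed sample: no consent (user or admin) has been recorded for the app yet.
SAMPLE_NO_CONSENT = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS65001: The user or administrator has not consented to use the application.",
    "error_codes": [65001],
})
# Constructed sample: a successful token reply, reduced to the fields used here.
SAMPLE_OK = json.dumps({"token_type": "Bearer", "scope": "Sites.ReadWrite.All", "access_token": "<redacted>"})


def classify_token_response(body: str) -> str:
    """Map a token-endpoint body to the action the client should take.

    'ok'                     -> a token was issued
    'admin_consent_required' -> user consent is blocked (tenant setting or step-up); route to an admin
    'consent_required'       -> no grant exists yet; an interactive user consent prompt may still succeed
    'other'                  -> unrelated failure (bad client secret, expired code, ...)
    """
    data = json.loads(body)
    if "error" not in data:
        return "ok"
    codes = set(data.get("error_codes", []))
    desc = data.get("error_description", "")
    if 90094 in codes or "AADSTS90094" in desc:
        return "admin_consent_required"
    if 65001 in codes or "AADSTS65001" in desc:
        return "consent_required"
    return "other"


def admin_consent_url(tenant: str, client_id: str, scopes: list, redirect_uri: str, state: str) -> str:
    """Build the v2.0 admin consent URL an administrator of `tenant` must open.

    `state` is a per-request random value; it is checked on the redirect back so a
    forged callback cannot be mistaken for a real admin decision."""
    params = {
        "client_id": client_id,
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?" + urlencode(params)


def admin_consent_granted(callback_url: str, expected_state: str) -> bool:
    """Interpret the redirect back from the admin consent endpoint.

    Azure AD appends admin_consent=True on success; the state must also match."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        return False  # state mismatch: ignore the callback entirely
    return qs.get("admin_consent", [""])[0].lower() == "true"


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    for name, body in (("ok", SAMPLE_OK), ("admin", SAMPLE_ADMIN_REQUIRED), ("noconsent", SAMPLE_NO_CONSENT)):
        print(name, "->", classify_token_response(body))
    print(admin_consent_url("contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000000",
                            ["https://graph.microsoft.com/Sites.ReadWrite.All"],
                            "https://app.example/callback", state))
```

In practice the client keeps the generated `state` server-side (session or signed cookie) and only records the tenant as consented once `admin_consent_granted` returns true; a `consent_required` result is worth retrying interactively first, since it is also what a tenant whose users can still consent returns before the first prompt.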