1
votes

I'm playing with the Microsoft Graph API via Graph Explorer. I'm logged in with my company account. According to the documentation, admin consent is not required for the delegated permissions Sites.Read.All and Sites.ReadWrite.All.

But in Graph Explorer I see that the Sites.Read.All permission was not consented.

If I click the Consent button for the Sites.Read.All permission, I receive a message that admin approval is needed.

Does it mean that I really need admin consent for the Sites.Read.All permission, or is something wrong in the Graph API?

How can an admin grant me the required approval?

Update

I have checked the user consent settings in the Azure Portal, and the consent settings for applications allow user consent for apps from verified publishers, for selected permissions.

There are 4 permissions classified as low risk.

I will ask the admin to grant the permissions I need or classify those permissions as low risk.

1
I have tried testing in my environment where the user doesn't have any roles and I didn't get any ask for admin consent. - Shiva Keshav Varma

1 Answer

1
votes

Given the breadth and depth of AAD, the Graph documentation can't cover every configuration. As such, it generally assumes your tenant is using default configuration settings.

There are a number of reasons why you might need Admin Consent, but I suspect this is due to your tenant having customized the User Consent configuration. Specifically, that User Consent was disabled:

Disable user consent - Users cannot grant permissions to applications. Users can continue to sign in to apps they had previously consented to or which are consented to by administrators on their behalf, but they will not be allowed to consent to new permissions or to new apps on their own. Only users who have been granted a directory role that includes the permission to grant consent will be able to consent to new permissions or new apps.
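
To see which of these consent settings a tenant uses, an admin can read `permissionGrantPoliciesAssigned` from `GET /policies/authorizationPolicy` and the low-risk list from `GET /servicePrincipals/{id}/delegatedPermissionClassifications` on the Microsoft Graph service principal. The sketch below is an added example, not part of the original question or answer: it evaluates constructed sample responses with a simplified decision model, and the four low-risk permission names and the function names are assumptions, since the post does not list them.

```python
import json

# Constructed sample of GET /policies/authorizationPolicy (only the fields used here).
AUTH_POLICY = json.loads("""{
  "defaultUserRolePermissions": {
    "permissionGrantPoliciesAssigned": [
      "ManagePermissionGrantsForSelf.microsoft-user-default-low"
    ]
  }
}""")

# Constructed sample of the delegatedPermissionClassifications response.
# The four permission names are assumed; the post only says four are low risk.
CLASSIFICATIONS = json.loads("""{"value": [
  {"permissionName": "User.Read", "classification": "low"},
  {"permissionName": "openid", "classification": "low"},
  {"permissionName": "profile", "classification": "low"},
  {"permissionName": "email", "classification": "low"}
]}""")

PREFIX = "ManagePermissionGrantsForSelf."

def consent_mode(policy):
    """Map the assigned self-consent grant policy to the portal setting it represents."""
    perms = policy.get("defaultUserRolePermissions", {})
    assigned = perms.get("permissionGrantPoliciesAssigned", [])
    ids = [p[len(PREFIX):] for p in assigned if p.startswith(PREFIX)]
    if not ids:
        return "disabled"          # "Do not allow user consent"
    if "microsoft-user-default-legacy" in ids:
        return "all-apps"          # "Allow user consent for apps"
    if "microsoft-user-default-low" in ids:
        return "low-risk-only"     # verified publishers, selected permissions
    return "custom"

def needs_admin_consent(scopes, policy, classifications, verified_publisher=True):
    """Return the delegated scopes a regular user cannot consent to on their own."""
    mode = consent_mode(policy)
    if mode == "all-apps":
        return []  # simplified: ignores scopes that always require admin consent
    if mode == "custom":
        raise ValueError("custom grant policy assigned; inspect its conditions")
    if mode == "disabled" or not verified_publisher:
        return sorted(scopes)
    low = {c["permissionName"] for c in classifications["value"]
           if c["classification"] == "low"}
    return sorted(s for s in scopes if s not in low)
```

With the sample data, `needs_admin_consent(["User.Read", "Sites.Read.All"], AUTH_POLICY, CLASSIFICATIONS)` reports `Sites.Read.All`, which matches the prompt described in the question's update.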