0
votes

Using graph api,

  1. created an app
  2. updated its permission to include domain.read.all

After that, I ask the admin to provide consent using https://login.microsoftonline.com/organizations/v2.0/adminconsent?client_id=myid&redirect_uri=redirecturl&state=state1234&scope=https://graph.microsoft.com/.default

Once I get the consent from the admin, the response is sent to my redirect endpoint, where I try to fetch a token, which sometimes does not contain the required permissions.

Does Microsoft take time to reflect the app-update changes made by Graph API? If yes, how much time would it take? Is there any configuration option available to apply changes immediately without delay?

2
Do you first grant permissions and get the administrator's consent, and then request the token? How long is it delayed? – Carl Zhao

@CarlZhao, 1. After updating the app using Graph API, if the admin takes enough time to consent, then the token does have the required permissions. If the admin approves immediately, then the token does not have the required permissions. 2. After consent, the redirect endpoint parses the query params and calls the token endpoint immediately without any delay. – bhanu7k

2 Answers

0
votes

Although I think it is normal to have a short delay, based on your concerns, you can make your suggestions to Microsoft.

0
votes

It can be one of the following reasons:

  1. If the app is in another tenant than the tenant you’re granting it in, you should remove the application from enterprise applications before granting it again.
  2. If the app registration is in the same app, you can try to re-login to get a fresh token.
  3. Just have some patience; usually planning which permissions you need and granting them in a third-party tenant isn’t a process you will likely finish in 5 minutes.
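An added example, not part of any post above: one way for the redirect endpoint to cope with the delay described in this thread is to inspect the `roles` claim of each freshly issued token and retry with backoff until `Domain.Read.All` appears, instead of trusting the first token. It assumes the client-credentials flow with application permissions; `wait_for_role`, `token_roles`, `constructed_token` and the retry timings are hypothetical names and values chosen for illustration.

```python
import base64, json, time
import urllib.parse, urllib.request

REQUIRED_ROLE = "Domain.Read.All"  # application permission from the question

def token_roles(jwt):
    """Read the 'roles' claim of an access token without verifying it.
    This is only a client-side readiness check; Graph validates the token."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))

def wait_for_role(fetch_token, required=REQUIRED_ROLE, attempts=6,
                  first_delay=2.0, sleep=time.sleep):
    """Call fetch_token() until the token carries `required`; exponential backoff.
    Returns (token, attempt_number) or raises TimeoutError."""
    delay = first_delay
    for attempt in range(1, attempts + 1):
        token = fetch_token()                      # always a fresh request, no cache
        if required in token_roles(token):
            return token, attempt
        if attempt < attempts:
            sleep(delay)
            delay = min(delay * 2, 60)
    raise TimeoutError(f"{required} not present after {attempts} token requests")

def fetch_token_client_credentials(tenant_id, client_id, client_secret):
    """Assumed flow: client credentials against the consenting tenant."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=10) as r:
        return json.load(r)["access_token"]

def constructed_token(roles):
    """Constructed, unsigned sample token for offline testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none"})}.{enc({"roles": roles} if roles else {})}.sig'

if __name__ == "__main__":
    # Constructed sequence: two tokens issued before consent propagated, then a good one.
    seq = iter([constructed_token([]), constructed_token([]),
                constructed_token([REQUIRED_ROLE])])
    print(wait_for_role(lambda: next(seq), sleep=lambda s: None)[1])
```

In the redirect handler, pass `lambda: fetch_token_client_credentials(tenant_id, client_id, client_secret)` as `fetch_token`, and treat `TimeoutError` as a signal to show the admin a "consent not yet effective, retry" message rather than storing an under-privileged token.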