I have a node.js/express application. I am trying to use the Microsoft Graph API to fetch users' Calendars [read-only].

OAuth2 library for login: passport-microsoft npm module.

I followed the following steps in the Azure Portal:

  1. Go to Active Directory
  2. Click on App Registrations in the left pane
  3. Click on New Registration and create an app
  4. Go to the new app
  5. Click on Authentication in the left panel and add redirect URIs
  6. Go to API Permissions and enable the following:
     a. Delegated: Calendars.Read, Calendars.Read.Shared, profile
  7. Provide Admin Consent for all the permissions that require it.

However, only users who belong to my Azure organisation, under which I have registered my web application, are able to log in.

Users from other organisations are unable to log in. I get the following error message:

2019-11-11 10:16:35 default[20191109t101750]  InternalOAuthError: failed to fetch user profile
2019-11-11 10:16:35 default[20191109t101750]      at /srv/node_modules/passport-microsoft/lib/strategy.js:86:29
2019-11-11 10:16:35 default[20191109t101750]      at passBackControl (/srv/node_modules/oauth/lib/oauth2.js:132:9)
2019-11-11 10:16:35 default[20191109t101750]      at IncomingMessage.<anonymous> (/srv/node_modules/oauth/lib/oauth2.js:157:7)
2019-11-11 10:16:35 default[20191109t101750]      at IncomingMessage.emit (events.js:203:15)
2019-11-11 10:16:35 default[20191109t101750]      at IncomingMessage.EventEmitter.emit (domain.js:466:23)
2019-11-11 10:16:35 default[20191109t101750]      at endReadableNT (_stream_readable.js:1145:12)
2019-11-11 10:16:35 default[20191109t101750]      at process._tickCallback (internal/process/next_tick.js:63:19)

You can read my previous question for reference here

vasu014

2 Answers

Registering the app as Multi-Tenant and doing the admin consent for your own tenant is not enough.

You need to do the admin consent for this Multi-Tenant Azure AD app against the other tenants.

To grant admin consent through a URL request:

Construct a request to login.microsoftonline.com with your app configurations and append on &prompt=admin_consent.

This URL will look like: https://login.microsoftonline.com/<tenant-id of other tenant>/oauth2/authorize?client_id=<client id>&response_type=code&redirect_uri=<redirect URI>&nonce=1234&resource=https://graph.microsoft.com&prompt=admin_consent

After signing in with the admin credentials of the other tenant, the app has been granted consent for all users in that tenant.

Allen Wu
  • So this process will have to be done for all tenants that want to use this application? Once this app goes to production, and we have a new tenant as a user, what's a good way to implement this? The admin consent, that is – vasu014 Nov 12 '19 at 07:02
  • Also, the application will be hosted on GCP, just using the AD App Registration for using Microsoft Graph API – vasu014 Nov 12 '19 at 07:10
  • Yes. You need to do admin consent for each other tenant who wants to use your Azure AD app. You can generate the request in your web app, and have the admin of the new tenant log in to do the admin consent when they begin. – Allen Wu Nov 12 '19 at 07:31
  • Cool. Thanks for the advice Allen. I'll try this out today and update here. – vasu014 Nov 12 '19 at 07:32
  • I need to implement this in a way, where I do not need an Admin approval before other users can start accessing the product. Just like Google Login – vasu014 Nov 25 '19 at 07:31
  • What you want to achieve is against the Azure AD authentication strategy. Before users from your own tenant can access the data, you need to do the admin consent on the Azure portal (by clicking on "Grant admin consent for {your tenant}"). How can other tenants' users access the data without the admin consent for their tenants? Even if the Azure AD app is registered in their own tenant, they will need to do admin consent. – Allen Wu Nov 25 '19 at 07:42
  • Hmm. Yes. That's a valid point. But then how are apps like Calendly providing Office 365/Outlook logins without needing an admin consent? Are they using a different mechanism? – vasu014 Nov 25 '19 at 08:03

The older version of admin consent was not working for me.

Now URL for admin consent looks like this:

https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}

This worked well for me. The new version is described in Grant tenant-wide admin consent to an application

hypers