
I am going to consent to only specific admin permissions in the Graph API.

But it requests all tenant permissions.

The current logic is:

  1. Get a delegated token by authorization.

    https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize?client_id={CLIENT_ID}&response_type=token&redirect_uri={LOGIN_REDIRECT_URI}&response_mode=form_post&scope=offline_access https://graph.microsoft.com/.default

  2. Prompt for admin consent.

    https://login.microsoftonline.com/{TENANT_ID}/adminconsent?client_id={CLIENT_ID}&redirect_uri=http://localhost/team-members/getAppToken&scope=https://graph.microsoft.com/calendars.readwrite

  3. Get an application token.

    https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token?scope=https://graph.microsoft.com/calendars.readwrite

In this logic, admin consent is always asked for all permissions in 2), but I want to ask only for the Calendars.ReadWrite permission.


How do I ask for consent for specific permissions only?

hotcakedev

2 Answers


If you log in to the Azure portal and find your application:

https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps

Click on the API Permissions tab.


You will see all configured permissions for the Microsoft Graph API.

Ensure that only Calendars.ReadWrite remains by removing all redundant permissions.

user2250152
  • Lol, thanks, you mean scope won't work in the adminconsent URI? – hotcakedev Jan 26 '21 at 21:13
  • As you know, regarding documentation, it says `scope=` will prompt the scopes, and `scope=https://graph.microsoft.com/.default` will prompt all permissions in the tenant, right? – hotcakedev Jan 26 '21 at 21:15

This is related to your permission type. If your permission is a delegated permission, you can dynamically agree to a specific delegated permission on the administrator consent page: scope=https://graph.microsoft.com/calendars.readwrite.

If your permissions are application permissions, you can only request the static /.default scope, which will require the administrator to consent to all permissions in the tenant: scope=https://graph.microsoft.com/.default.

See the documentation for detailed instructions:

At this point, Azure AD requires a tenant administrator to sign in to complete the request. The administrator is asked to approve all the permissions that you have requested in the scope parameter. If you've used a static (/.default) value, it will function like the v1.0 admin consent endpoint and request consent for all scopes found in the required permissions (both user and app). In order to request app permissions, you must use the /.default value. If you don't want admins to see a given permission in the admin consent screen all the time when you use /.default, the best practice is to not put the permission in the required permissions section. Instead you can use dynamic consent to add the permissions you want to be in the consent screen at run time, rather than using /.default.

Carl Zhao
  • Thanks for answering my question; so I can't request specific permissions for the application permission type, right? – hotcakedev Jan 27 '21 at 03:38
  • @hotcakedev Yes! – Carl Zhao Jan 27 '21 at 06:08
  • Can you help to solve this issue as well? https://stackoverflow.com/questions/67293271/deleting-an-event-returns-success-but-not-worked-actually?noredirect=1#comment118946486_67293271 – hotcakedev Apr 28 '21 at 08:49
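The following is an added example, not code from the question or either answer, that puts the two answers together for the three-step flow in the question. It builds the v2.0 admin consent URL (`/{tenant}/v2.0/adminconsent`), which honours the `scope` parameter for delegated permissions such as Calendars.ReadWrite; the v1 `/{tenant}/adminconsent` endpoint used in step 2 of the question ignores `scope` and always asks for everything configured in the app registration. It then parses the consent callback (checking `state` before trusting anything in it) and builds the client-credentials token request for step 3, which only accepts the static `/.default` scope. TENANT_ID, CLIENT_ID, the client secret, the redirect URI and the callback URL are placeholders and constructed sample data, not values from the page.

```python
"""Added example, not code from the original post.

Covers the scope decision discussed in this thread:
  1. the v2.0 admin consent URL, which honours `scope` for delegated
     permissions (the v1 /adminconsent endpoint ignores it and asks for
     every permission configured in the app registration);
  2. parsing the consent callback, including the state check;
  3. the client-credentials token request for application permissions,
     which only accepts the static '/.default' scope.
TENANT_ID, CLIENT_ID, the secret and the redirect URI are placeholders.
"""
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com"


def admin_consent_url(tenant_id, client_id, redirect_uri, scopes, state):
    """Build the v2.0 admin consent URL for specific delegated permissions.

    Only delegated permissions can be listed here. Application permissions
    must go through '/.default', which asks the admin for every permission in
    the registration, so trimming the registration is what limits that prompt.
    """
    if not scopes:
        raise ValueError("at least one scope is required")
    if not state:
        raise ValueError("state is required to tie the callback to this request")
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": " ".join(scopes),
    }
    return f"{AUTHORITY}/{tenant_id}/v2.0/adminconsent?{urlencode(params)}"


def parse_consent_callback(callback_url, expected_state):
    """Parse the redirect sent to redirect_uri after the admin decides.

    Success carries admin_consent=True, tenant, scope and state; a refusal or
    error carries error and error_description. The state is checked first so
    a forged callback cannot mark consent as done.
    """
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    if "error" in q:
        return {"granted": False,
                "error": q["error"][0],
                "description": q.get("error_description", [""])[0]}
    granted = q.get("admin_consent", ["False"])[0].lower() == "true"
    return {"granted": granted,
            "tenant": q.get("tenant", [None])[0],
            "scopes": q.get("scope", [""])[0].split()}


def client_credentials_request(tenant_id, client_id, client_secret):
    """Token request for application permissions (step 3 in the question).

    The grant is a POST to /oauth2/v2.0/token and only accepts the static
    '/.default' scope; a resource scope such as Calendars.ReadWrite is
    rejected. The token then carries whatever application permissions the
    admin consented to, which is why the registration itself must be trimmed.
    """
    return {
        "url": f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token",
        "method": "POST",
        "data": {
            "client_id": client_id,
            "client_secret": client_secret,
            "grant_type": "client_credentials",
            "scope": f"{GRAPH}/.default",
        },
    }


if __name__ == "__main__":
    state = "a1b2c3"  # in real use: a random, per-request value stored server-side
    print(admin_consent_url("TENANT_ID", "CLIENT_ID",
                            "http://localhost/team-members/getAppToken",
                            [f"{GRAPH}/Calendars.ReadWrite"], state))
    # Constructed callback shaped like the success redirect, not a captured one.
    callback = ("http://localhost/team-members/getAppToken?admin_consent=True"
                "&tenant=TENANT_ID&scope=https%3A%2F%2Fgraph.microsoft.com"
                "%2FCalendars.ReadWrite&state=a1b2c3")
    print(parse_consent_callback(callback, state))
    print(client_credentials_request("TENANT_ID", "CLIENT_ID", "SECRET")["data"]["scope"])
```

Two practical notes: the `state` value must be random and per request (the fixed string above is only for the example), and step 1 of the question uses `response_type=token`, the implicit grant, which Microsoft no longer recommends; the authorization code flow with PKCE is the current guidance for obtaining delegated tokens.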