
I’d like to give some Graph API permissions to a non-admin user, Bob, so that he is able to read some data without requiring admin consent.

If I grant admin consent here, every permission is given to each user, but I want to give only a subset of permissions to Bob.

So I:

  1. Registered a new application
  2. Set the Graph Explorer permissions I am interested in on the app (both as delegated and as application permissions)
  3. Granted administrator consent to those permissions
  4. Assigned the application to Bob

But still, after logging in as Bob, Graph Explorer tells me that I don’t have the required permissions to (for example) list all the users in the organization.

Any help is highly appreciated!

2 Answers


  1. The Graph Explorer uses what Microsoft calls step-up consent, meaning the token it requests (and the user consents to) is configured at runtime.

    So if you approved some permissions, you can ask Bob to change the permissions the Graph Explorer requests for him.
    Bob will then be presented with a new consent screen once he presses Ok (not sure what the button says…). Bob will be given a new token, and you should be able to see that in the User Consent tab in the portal.

    It also helps to copy the token and paste it at https://jwt.ms which allows an easy overview of all claims (including scopes) in the token.

  2. I tried to reproduce the same in my environment and got the below results:

    I registered an Azure AD Application and granted specific API permissions required to list users like below:


    I created a non-admin user Bob and assigned the application like below:


    I tried to list the users via Microsoft Graph Explorer using below query logged in as Bob and got the same error:


    Please note that even if you granted admin consent in the Azure Portal, it won’t be reflected in Graph Explorer, so you have to consent separately in Graph Explorer for Bob.

    Go to Modify permissions -> User.ReadBasic.All -> Consent-> Accept


    I got the response successfully after granting the consent like below:


    In your scenario, if Bob is unable to request them without admin consent, then try modifying the settings like below:

    Go to Azure Portal -> Azure Active Directory -> Enterprise Application -> Consent and Permissions -> User consent settings


    Make sure to grant consent in Microsoft Graph Explorer based on the query by clicking on Modify permissions tab.

    References:

    List users – Microsoft Graph v1.0 | Microsoft Docs

    Overview of consent and permissions | Microsoft Docs

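Both answers come down to what ends up in Bob's access token: the first suggests pasting it into https://jwt.ms to read the scopes, and the second shows that consenting in Graph Explorer is what puts `User.ReadBasic.All` there. The Python script below is an added example, not code from either answer or from Microsoft. It decodes a token payload the way jwt.ms does (no signature verification, so it is only for inspecting a token you already hold, never for trusting one presented to you), separates delegated permissions (the `scp` claim, a space-separated string) from application permissions (the `roles` claim, a list), and checks them against the permissions accepted by the List users call. The two sample tokens, the app id and the UPN are constructed placeholders; the accepted-permission sets are assumed from the permission table of the List users page the second answer links.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used in the JWT compact serialisation."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """JWT segments drop the '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned token for illustration only.

    A real Azure AD access token is RS256-signed; 'sig' is a placeholder so the
    header.payload.signature shape is preserved for decode_claims()."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "none"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.sig"


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (what jwt.ms shows)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> tuple[set[str], set[str]]:
    """Delegated permissions are in 'scp' (space-separated), application permissions in 'roles' (list)."""
    delegated = set(claims.get("scp", "").split())
    application = set(claims.get("roles", []))
    return delegated, application


# Assumed from the List users reference linked above: permissions that allow GET /users.
LIST_USERS_DELEGATED = {
    "User.ReadBasic.All", "User.Read.All", "User.ReadWrite.All",
    "Directory.Read.All", "Directory.ReadWrite.All",
}
LIST_USERS_APPLICATION = {
    "User.Read.All", "User.ReadWrite.All",
    "Directory.Read.All", "Directory.ReadWrite.All",
}


def permission_check(token: str, delegated_accepted: set[str], application_accepted: set[str]) -> dict:
    """Explain whether this token can make a call that accepts the given permission sets.

    A token carrying 'scp' was issued on behalf of a signed-in user (delegated flow),
    so only delegated permissions count, regardless of what application permissions
    were granted to the app registration in the portal."""
    claims = decode_claims(token)
    scp, roles = granted_permissions(claims)
    if scp:
        kind, held, accepted = "delegated", scp, delegated_accepted
    else:
        kind, held, accepted = "application", roles, application_accepted
    matched = sorted(held & accepted)
    return {
        "kind": kind,
        "app": claims.get("appid"),      # which client the token was issued to
        "user": claims.get("upn"),       # absent for app-only tokens
        "held": sorted(held),
        "matched": matched,
        "allowed": bool(matched),
    }


# Constructed sample tokens: placeholder app id and UPN, not real tenant data.
PLACEHOLDER_APP_ID = "11111111-1111-1111-1111-111111111111"
BOB_BEFORE_CONSENT = make_sample_token({
    "aud": "https://graph.microsoft.com", "appid": PLACEHOLDER_APP_ID,
    "upn": "bob@contoso.onmicrosoft.com", "scp": "openid profile email User.Read",
})
BOB_AFTER_CONSENT = make_sample_token({
    "aud": "https://graph.microsoft.com", "appid": PLACEHOLDER_APP_ID,
    "upn": "bob@contoso.onmicrosoft.com", "scp": "openid profile email User.Read User.ReadBasic.All",
})
APP_ONLY_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com", "appid": PLACEHOLDER_APP_ID,
    "roles": ["User.Read.All"],
})

if __name__ == "__main__":
    for name, tok in (("before consent", BOB_BEFORE_CONSENT),
                      ("after consent", BOB_AFTER_CONSENT),
                      ("app-only", APP_ONLY_TOKEN)):
        print(name, permission_check(tok, LIST_USERS_DELEGATED, LIST_USERS_APPLICATION))
```

Run it against a real token by replacing the constructed ones with the value Graph Explorer shows on its Access token tab: if `held` for Bob's token contains none of the delegated permissions, the consent step in Graph Explorer has not happened yet, whatever the app registration says in the portal.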