I'm trying to create an iOS application that allows to read Office 365 user's email. So, I've created a multi-tendant Azure Active Directory Application and during OAuth authentication I request following scope: offline_access User.Read Mail.Read EWS.AccessAsUser.All.
Unfortunately when I try to log in as a non-admin Office 365 user, instead of showing permissions review dialog I get "%AppName% needs an administrator approval".
Could you please help me to figure out how could I avoid "Admin Approval Required" dialog?
Logging in via other email clients (I've tested Edison Mail) with the same scope and to the same account shows a grant dialog (no-one in the organisation has previously logged in to the app neither admin has previously approved it). If more details are needed I'll be happy to provide them!
Thank you in advance!
P.S. Leaving just offline_access User.Read in the scope actually shows grant dialog, but popular applications somehow can get all the required permissions at once...
Although the Mail.Read and EWS.AccessAsUser.All scopes do not require admin approval at the Graph API level, organisations can turn off the Office 365 user consent setting Let people in your organisation decide whether third-party apps can access their Office 365 information.
Security best practice recommends that this setting is turned off. If it is turned off one of two things will happen.
If admin consent workflow is enabled, then the user will get a form where they can submit a request for the app to be approved.
If admin consent workflow is not enabled, then they will see the "administrator approval required" message.
More information on user consent is available here
You will need to provide some guidance for users on getting their organisation to approve your app in the case where the user is unable to provide that consent themselves.
I am not sure why Edison Mail is working, although it is possible that its app registration has been whitelisted by Microsoft; I don't have access to the Office 365 admin portal to confirm.
Related
As of now, I have created an application that has certain permissions to access Mail Information of certain users in an organization. Till this point, admin from the organization would create the service and provide the credentials.
However, as a plan to scale the application to multiple organizations, I'd like to send a mail to admin to grant access for the permissions and automatically get the credentials.
I'm open to alternative ideas. Any ideas if the above is even feasible?
This is quite impossible to automate the complete process creating, and admin still need to approve the permission in Azure AD. What you can do here is ,just create the application and if user tries to access the app but they can't give consent ,they need to trigger a request for admin approval that can be sent by an email .
To allows admin consent request to be sent via email Configure the admin consent workflow , please follow the docs - Azure AD | Microsoft Docs
Hope that process will help you .
After clicking on "authorize using your own account" and logged in with my work account (I'm a Microsoft employee, so I meant my Microsoft email), I got the error "OAuth Sandbox needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it."
I have contacted Microsoft IT, but they told me to contact the app owner here. Here is the details:
Request Id: 6462a541-01d1-4899-84f9-6b77c3423200
Correlation Id: 9e8d35bd-f719-4422-ab97-941680b32b58
Timestamp: 2019-01-25T00:40:25Z
Message: AADSTS900941: An administrator of Microsoft has set a policy that prevents you from granting OAuth Sandbox the permissions it is requesting. Contact an administrator of Microsoft who can grant permissions to this application on your behalf.
Advanced diagnostics: Disable
If you plan on getting support for an issue, turn this on and try to reproduce the error. This will collect additional information that will help troubleshoot the issue.
I believe Microsoft IT is asking you to reach out to the app owner on stackoverflow.microsoft.com, not on the public stackoverflow site. You should delete this message.
You need to find the owner of that page, presumably the outlook team, and have them request Microsoft IT allow their AAD AppId 32613fc5-e7ac-4894-ac94-fbc39c9f3e4a.
My organization has an institutional e-mail account in Outlook 365.
There is a small number of users who are responsible for managing that mailbox, reading, answering, forwarding and sending messages from that account.
I am writing a web application (PHP) to automate some messaging operations, so I implemented access to that account using Microsoft Graph. But this requires to login using that account's credentials, and I wouldn't like to share account's password (which I have) with those users.
Is it possible to to grant permission for those users' accounts so MS-Graph will allow them to read/write/send messages from that account, once they have logged in? If so, how would it done?
If this post lacks some relevant information I'm not remembering now, please comment and I'll edit to add it.
Thank you very much.
You could use admin consent for that purpose. Administrator can grant access for the entire tenant, and users will not be prompted for consent afterwards
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#requesting-consent-for-an-entire-tenant
I've a web app which access Microsoft Graph API which authenticate the user using Azure v2.0. Both Personnel User account and Organisational user can provide the user consent and access the app. Organisational user can remove the consent by going to myapp.microsoft.com however Personnel user are not able to see the consented app in myapps.microsoft.com
So how can personnel user remove the consent to the application ?
Thanks,
Himal
Users with personal Microsoft accounts (Hotmail, live, outlook.com, etc.) can revoke apps at https://account.microsoft.com/privacy/. If you click on Apps and services that can access your data, you'll see a list of all the apps you've consented to and you can revoke them there as well.
For example, I test the Graph explorer app with a live.com account. I can review the permissions it uses and revoke the application if necessary.
So, basically I have a multi-tenant App that makes numerous calls to Graph API. The problem is with the call to assign license to a user - POST /users/{id | userPrincipalName}/assignLicense.
In the Azure App registration portal , in the permissions section, I have given all the delegated permissions under Azure AD and Graph API.
Permissions Assigned screenshot.
Then, I made an global admin consent to this app for all the users in the organization using admin consent flow through the link such as below :-
https://login.microsoftonline.com/common/oauth2/authorize?client_id=ffa835f3-417f-415c-b8f5-6f8833f93901&response_type=code&redirect_uri=http%3a%2f%2flocalhost%3a8910%2f&nonce=1234&resource=https://graph.microsoft.com&prompt=admin_consent
The admin consent was successful which means that all users from this directory have been authorized.
Now, when I log to my multi-tenant application through a global admin, the call to assignLicense endpoint is a success which means my code is working well.
However, when a non Global Admin logs in to the application , he is able to login too ( due to the consent given above ) but when I call is made to the graph api to AssignLicense, I get a 403 Forbidden error.
I am not able to understand what should I do to get rid of this error.
This looks like an effective permissions issue. From https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
For Delegated permissions, the effective permissions of your app will
be the least privileged intersection of the Delegated permissions the
app has been granted (via consent) and the privileges of the currently
signed-in user. Your app can never have more privileges than the
signed-in user. Within organizations, the privileges of the signed-in
user may be determined by policy or by membership in one or more
administrator roles. For more information about administrator roles,
see Assigning administrator roles in Azure Active Directory.
For example, assume your app has been granted the User.ReadWrite.All
Delegated permission. This permission nominally grants your app
permission to read and update the profile of every user in an
organization. If the signed-in user is a global administrator, your
app will be able to update the profile of every user in the
organization. However, if the signed-in user is not in an
administrator role, your app will be able to update only the profile
of the signed-in user. It will not be able to update the profiles of
other users in the organization because the user that it has
permission to act on behalf of does not have those privileges.