We are developing an Office Add-in that authenticates with an organisational account to Azure AD. The Add-in needs administrative consent. So if an administrator is logged on, he should be guided to express his administrative consent.
We are using OAuth to authenticate:
https://login.microsoftonline.com/common/oauth2/authorize?response_type=id_token&client_id=<clientId>&redirect_uri=<redirectUri>
and we request admin consent by appending &prompt=admin_consent to that URL
Question 1. How can we test if that admin consent has already been successfully given, so we only need to ask the administrator to give consent if he hasn't done so previously?
Question 2. How can we check if an updated version of the Add-in possibly now needs more permissions, and inform users and the administrator about those new requirements?
tl;dr
Yes, you can do this. You'll want to call this MS Graph endpoint, and inspect the oAuth2PermissionGrant object for the consentType field being set to AllPrincipals.
Some Background
Using the Microsoft Graph, you can identify if admin consent was granted. When Admin Consent is granted, there are OAuth2.0 permission grants written on the app.
Inside each permission grant, there's a field that indicates the permission level of the grant. For Admin Consent, you would be looking for AllPrincipals.
Detailed Steps
Wire up your app to call the Microsoft Graph. Make sure it's requesting all the required permissions to call the required endpoint. This is different in the case of a delegated (on behalf of the end user) or an app role.
App Role: Directory.Read.All & Directory.ReadWrite.All
Delegated Permission: Directory.Read.All, Directory.ReadWrite.All, or Directory.AccessAsUser.All in order of least to most privileged.
Call the GET /oAuth2PermissionGrant endpoint of MS Graph.
This returns back an oAuth2PermissionGrant object with the details you're looking for.
Inspect the response for the consentType field. You may need to enumerate all the grants looking for the value AllPrincipals.
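As an added example (not code from the answer above), here is how the inspection step and the "does a newer version need more permissions?" check from the two questions can be done over an oauth2PermissionGrants response. The response body is constructed sample data shaped like the Graph endpoint's output; the service principal object ids are placeholders, not real tenant values.

```python
# Added example: decide from a Graph oauth2PermissionGrants response whether
# tenant-wide admin consent (consentType == "AllPrincipals") covers the scopes
# the add-in needs, and which scopes a newer version still lacks.
# SAMPLE_GRANTS_RESPONSE is CONSTRUCTED, shaped like the body returned by
# GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants; the ids are
# placeholders (assumption), not values from any real tenant.
from __future__ import annotations

ADDIN_SP_ID = "00000000-0000-0000-0000-00000000aaaa"   # add-in's service principal (placeholder)
GRAPH_SP_ID = "00000000-0000-0000-0000-00000000bbbb"   # Microsoft Graph service principal (placeholder)

SAMPLE_GRANTS_RESPONSE = {
    "value": [
        {   # tenant-wide grant: this is what admin consent writes
            "id": "grant-1",
            "clientId": ADDIN_SP_ID,
            "consentType": "AllPrincipals",
            "principalId": None,
            "resourceId": GRAPH_SP_ID,
            "scope": " User.Read Directory.Read.All ",
        },
        {   # per-user grant: one user consented for themselves, not an admin
            "id": "grant-2",
            "clientId": ADDIN_SP_ID,
            "consentType": "Principal",
            "principalId": "00000000-0000-0000-0000-00000000cccc",
            "resourceId": GRAPH_SP_ID,
            "scope": "User.Read Mail.Read",
        },
    ]
}


def admin_granted_scopes(grants_response: dict, client_sp_id: str, resource_sp_id: str) -> set[str]:
    """Collect the delegated scopes granted tenant-wide (consentType AllPrincipals)
    to the given client service principal on the given resource."""
    scopes: set[str] = set()
    for grant in grants_response.get("value", []):
        if grant.get("consentType") != "AllPrincipals":
            continue   # per-user grants do not count as admin consent
        if grant.get("clientId") != client_sp_id or grant.get("resourceId") != resource_sp_id:
            continue
        # 'scope' is one space-separated string, sometimes with stray whitespace.
        scopes.update(grant.get("scope", "").split())
    return scopes


def consent_status(grants_response: dict, client_sp_id: str, resource_sp_id: str,
                   required_scopes: list[str]) -> tuple[bool, set[str]]:
    """Return (admin_consent_present, missing_scopes).

    missing_scopes is what a newer add-in version still needs an admin to approve;
    an empty set together with admin_consent_present == True means nothing to do."""
    granted = admin_granted_scopes(grants_response, client_sp_id, resource_sp_id)
    return bool(granted), set(required_scopes) - granted


if __name__ == "__main__":
    present, missing = consent_status(SAMPLE_GRANTS_RESPONSE, ADDIN_SP_ID, GRAPH_SP_ID,
                                      ["User.Read", "Directory.Read.All", "Mail.Read"])
    print("admin consent present:", present, "| still missing:", sorted(missing))
```

Two points worth keeping in mind when wiring this to the live endpoint: the grants are keyed by service principal object ids (the `clientId` and `resourceId` fields), not by the application (client) id from the registration, so resolve your app's service principal first; and application permissions (app roles) are not represented as oauth2PermissionGrants at all, they appear as appRoleAssignments on the service principal, so a check like this one only answers the question for delegated scopes.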
IMHO, the custom implementation would be a better choice for your use case.
The steps could be the following
User Logs in for the 1st time
Your App / Add-in checks the consent in the internal memory / db
No Consent will be found, which will redirect the user to the consent page in Azure AD
After the user approves of his admin access, we typically get the status in the response back from Azure AD, like the one below:
GET http://localhost/myapp/permissions?tenant=a8990e1f-ff32-408a-9f8e-78d3b9139b95&state=12345&admin_consent=True
The App now stores the admin consent grant status in the DB.
If at a later point in time the app / add-in needs more permissions, just flush the stored consent value for the users so that the next login ensures they agree to the new consent. The new consent request will send the additional scopes to AD, which will in turn be shown to the user on the consent page.
To read more about the steps, please click here
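The bookkeeping described in this answer, written out as an added example (this is not the answer's own code): it builds the redirect to the admin consent endpoint, validates the callback of the shape shown above (including the `state` value, which must match one the app issued), records the scope set an admin approved per tenant, and flushes records when a new version requires more scopes. CLIENT_ID is a placeholder; REDIRECT_URI and the callback layout are taken from the answer, and the tenant id in the usage below is the one shown there.

```python
# Added example (not the answer's own code): in-memory stand-in for the DB
# that remembers which tenants' admins consented, plus the redirect/callback
# handling around it. CLIENT_ID is a placeholder; REDIRECT_URI and the callback
# parameters (tenant, state, admin_consent) follow the answer.
from __future__ import annotations

import secrets
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder app (client) id
REDIRECT_URI = "http://localhost/myapp/permissions"  # as in the answer
ADMIN_CONSENT_ENDPOINT = "https://login.microsoftonline.com/common/adminconsent"


class ConsentStore:
    """tenant id -> scopes an admin consented to, plus the states we are waiting on."""

    def __init__(self) -> None:
        self._consented: dict[str, set[str]] = {}
        self._pending: set[str] = set()   # state values issued and not yet redeemed

    def begin(self) -> tuple[str, str]:
        """Return (state, url); redirect the signed-in admin to url."""
        state = secrets.token_urlsafe(16)
        self._pending.add(state)
        query = urlencode({"client_id": CLIENT_ID, "state": state, "redirect_uri": REDIRECT_URI})
        return state, f"{ADMIN_CONSENT_ENDPOINT}?{query}"

    def handle_callback(self, callback_url: str, required_scopes: list[str]) -> str | None:
        """Validate the redirect back from Azure AD. Returns the tenant id when
        admin consent was recorded, None when the callback must be ignored."""
        q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        state = q.get("state")
        if state not in self._pending:
            return None          # unknown or replayed state: not a request we issued
        self._pending.discard(state)
        tenant = q.get("tenant")
        if not tenant or q.get("admin_consent", "").lower() != "true":
            return None          # declined, or an error=... response
        # The admin consent endpoint approves every permission configured on the
        # registration, so record the set this version of the app requires.
        self._consented[tenant] = set(required_scopes)
        return tenant

    def needs_consent(self, tenant: str, required_scopes: list[str]) -> bool:
        """True when no record exists or it does not cover every required scope."""
        return not set(required_scopes) <= self._consented.get(tenant, set())

    def flush_on_upgrade(self, required_scopes: list[str]) -> list[str]:
        """Drop records that no longer cover the new version's scopes; the tenants
        returned will be sent through the consent flow at their next login."""
        stale = [t for t, s in self._consented.items() if not set(required_scopes) <= s]
        for t in stale:
            del self._consented[t]
        return stale


if __name__ == "__main__":
    store = ConsentStore()
    state, url = store.begin()
    print("redirect admin to:", url)
    tenant = "a8990e1f-ff32-408a-9f8e-78d3b9139b95"   # tenant id from the answer
    cb = f"{REDIRECT_URI}?tenant={tenant}&state={state}&admin_consent=True"
    print("recorded for tenant:", store.handle_callback(cb, ["User.Read"]))
    print("needs consent after upgrade:", store.needs_consent(tenant, ["User.Read", "Mail.Read"]))
```

Checking `state` against the set the app issued is what stops a crafted callback URL from writing a consent record for a tenant that never consented; the Azure AD callback only tells you what happened, so the store has to verify it was expecting that answer.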
Related
I have a requirement to list a subset of my AAD users, identify the manager, and disable the user if the manager is already disabled.
My account has the 'User Administrator' and 'Global Reader' AAD roles.
This task is easy to accomplish using the AzureAD PowerShell cmdlets, however I want to transition to the Microsoft Graph cmdlets.
I understand that I need the scope User.Read.All so I execute the following command:
Connect-MgGraph -Scopes "User.Read.All"
When I log in via the web interface, I am shown a dialog stating that I need consent from an admin (which I understand to be a user with an AAD role of Global Administrator or Application Administrator).
In my tenant, under 'Enterprise Applications > User Consent Settings', the option 'Allow user consent for apps' is selected.
This seems like a step backwards to me. My user has the necessary permissions to perform the required actions, but because MS Graph uses an Enterprise App I need an administrator to grant consent.
My questions are:
Will the admin consent dialog appear every time I execute Connect-MgGraph with a given scope, or just the first time?
Is there a way to achieve my requirement without admin consent?
Question 1
Admin consent can be given in 2 contexts
On behalf of a specific user
On behalf of your organization (all users)
In the admin consent dialog box, the context corresponds to the checkbox "Consent on behalf of your organization".
If you do not give consent on behalf of the entire organization, the admin consent dialog will appear for each user, until consent has been granted either for that user, or the entire organization.
Question 2
There are 2 types of permissions
Delegated (aka Scope)
Application (aka Role)
All Application permissions require admin consent, and SOME delegated permissions require admin consent.
This document details which MS Graph permissions require admin consent, from the column Admin Consent Required
Microsoft Graph permissions reference
You can see that the User.Read.All delegated permission is one that does require admin consent
User.Read.All permission reference
There's no way around this without granting admin consent. This provides a way to control access to applications on a more granular level.
I have integrated Microsoft Teams in my project, where a user can give us access to create meetings on Teams on his/her behalf. But now I want to give the user an option to disconnect his/her account, i.e. we will no longer be able to create meetings on the user's behalf.
I am facing a few problems in this flow:
I am unable to find an API where I can send a request on the user's behalf to invalidate an access/refresh token.
If I remove the token stored at my end and then the user again tries to connect their Microsoft account with our website, it no longer asks for the user's consent (which is a basic requirement for OAuth) to give access to our app (if the user is logged in to their Microsoft account in the browser, he/she does not see the consent page; the account is directly connected with our website and we get the refresh/access token).
Can someone help me on this?
In the end, all I want is that when the user tries again to connect his/her Microsoft account with our app, he/she sees the consent page (every time he tries to connect the account) and then clicks the allow button, which will give us access and refresh tokens.
If the user has granted access to the application, Azure AD will issue an access token and a refresh token for the resource.
The lifetime of the access token is usually about 1 hour. During its lifetime, even if the application is deleted, it is still available, but you will not be able to use the refresh token to obtain the access token again.
1) To invalidate the access token on the user's behalf, refer to this DOC.
2) For fetching the access token using the refresh token, please refer to this DOC.
Hope this is helpful.
An alternative solution for prompting the user to the consent page is simply appending prompt="consent" to the OAuth2 URI parameters:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=xxx&redirect_uri=xxx&scope=xxx&state=xxx&access_type=offline&prompt=consent
_____↑↑↑↑↑↑
Here you can find the documentation about the parameters.
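The "disconnect, then re-consent" flow the question asks for, as an added example (not code from the question or the answer): disconnecting deletes the refresh token the app holds, and because Azure AD still remembers the user's earlier grant, the next authorize URL carries `prompt=consent` so the consent page is shown again. The endpoint and the prompt parameter are as in the answer; CLIENT_ID, REDIRECT_URI and the meeting scope are assumed placeholders. On the v2 endpoint a refresh token is obtained by requesting the `offline_access` scope.

```python
# Added example (not from the question or the answer): token store with a
# disconnect operation and an authorize-URL builder that forces the consent
# page with prompt=consent. CLIENT_ID, REDIRECT_URI and the meeting scope are
# placeholders (assumptions); the endpoint and prompt parameter follow the answer.
from __future__ import annotations

import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"       # placeholder
REDIRECT_URI = "https://app.example.invalid/ms/callback"  # placeholder
# Assumed scope for creating meetings, plus offline_access to get a refresh token.
SCOPES = ["OnlineMeetings.ReadWrite", "offline_access"]


class ConnectionStore:
    """In-memory stand-in for the table holding each user's refresh token."""

    def __init__(self) -> None:
        self._refresh_tokens: dict[str, str] = {}

    def is_connected(self, user_id: str) -> bool:
        return user_id in self._refresh_tokens

    def connect(self, user_id: str, refresh_token: str) -> None:
        # Called from the redirect handler once the code was redeemed at /token.
        self._refresh_tokens[user_id] = refresh_token

    def disconnect(self, user_id: str) -> bool:
        """Forget the user's refresh token. Azure AD keeps the consent grant, so
        this alone does not bring the consent page back; authorize_url does."""
        return self._refresh_tokens.pop(user_id, None) is not None

    def authorize_url(self, user_id: str, state: str) -> str:
        params = {
            "response_type": "code",
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "scope": " ".join(SCOPES),
            "state": state,   # random per request; compared again on the callback
        }
        if not self.is_connected(user_id):
            # A (re)connect from the UI: show the consent screen regardless of
            # the grant Azure AD still remembers from the previous connection.
            params["prompt"] = "consent"
        return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def new_state() -> str:
    return secrets.token_urlsafe(16)


def query_params(url: str) -> dict[str, str]:
    """Single-valued view of a URL's query string, to inspect what was built."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


if __name__ == "__main__":
    store = ConnectionStore()
    print(store.authorize_url("alice", new_state()))          # carries prompt=consent
    store.connect("alice", "constructed-refresh-token")
    store.disconnect("alice")
    print(query_params(store.authorize_url("alice", new_state()))["prompt"])
```

On the first point in the question: Microsoft Graph does expose `POST /me/revokeSignInSessions`, but it invalidates every refresh token issued to that user across all applications (and the user must call it for themselves), so it is a much heavier action than the per-app disconnect above; deleting your own copy of the token and forcing `prompt=consent` on reconnect is the proportionate choice.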
I have a multi tenant app registered in Microsoft Active Directory that uses admin consent to gain access to some application scope APIs in the Microsoft Graph API. It uses the /token endpoint to get a token, then calls those Graph APIs. It's working perfectly.
https://learn.microsoft.com/en-us/graph/auth-v2-service#token-request
Now I want to enhance my app to access some delegated (user) scope APIs, that do not allow access at application scope. My app is already configured to request these delegated permissions from the admin at admin consent time. But I'd like to call these APIs as each user in the directory, not the admin who installed my app.
Importantly, it is not feasible for me to have every user in the organization individually go through the OAuth flow for my app.
Is that possible?
Can I impersonate a user somehow by exchanging my application token for a user token?
Can the admin do something programmatically to generate tokens as individual users for my app as if they had been put through an OAuth flow?
No, you cannot convert an Application token to a Delegated token. The only way to act as a specific User is for that User to "delegate" those activities to your application.
Note that Admin Consent only provides consent to your App to operate within a tenant. It is distinct from, not a superset of, User Consent. In order to obtain a Delegated token, you need to receive both User and Admin consent.
I am building an app where anybody in my organization can create planner task under a specified plan.
I am using Azure AD v2 endpoints for getting access token:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
https://login.microsoftonline.com/common/oauth2/v2.0/token
And using that access token to make POST request to following endpoint:
https://graph.microsoft.com/v1.0/planner/tasks
I have registered my App on: https://apps.dev.microsoft.com
And given necessary delegated and application permissions EDIT: i.e. Group.ReadWrite.All
(along with many others)
I (having admin rights) am able to create planner tasks using the API calls, but no one else in the organization can. The user gets this error message:
Need admin approval
Planner Task App
Planner Task App needs permission to access resources in your organization that
only an admin can grant. Please ask an admin to grant permission to this
app before you can use it.
I know that this user account has the required permissions (because when using Graph Explorer API calls with the same account, it works), so the problem lies in the App permissions.
Any help is highly appreciated.
EDIT:
Even after Admin has given consent to the app using (https://login.microsoftonline.com/common/adminconsent?client_id=my-app-id&state=12345&redirect_uri=https://localhost/myapp), non-admin user gets this:
As you have mentioned, you are adding a planner task, not just reading data, so you have to grant the permission Group.ReadWrite.All accordingly. Please check the permission and confirm this.
ref: https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/planner_post_tasks
In order to use Group.ReadWrite.All you need the consent of a tenant Admin. To obtain this you need to have an Admin on the tenant execute the Admin Consent process.
I have a walkthrough that might help you here:
v2 Endpoint & Consent (explains the various consent workflows involved)
v2 Endpoint & Admin Consent (explains how to obtain Admin Consent)
I have created a native application in the Application Registration Portal at https://apps.dev.microsoft.com
I have configured an Xcode project based on the MSAL framework for iOS, and am able to consume data from MS Graph when only the user's consent is required (like User.ReadBasic.All)
However, if I want to access the User.Read.All scope, it doesn't work. I am met with the requirement for an admin to give access (as expected), but my administrator is not able to find the place to give the necessary permissions.
Logging in with administrator credentials when prompted for them in the webview 'grant access' screen (see screenshot below) doesn't work (redirects back to the same screen again, seemingly not accepting the admin credentials as admin credentials).
We are not sure whether that is the way to grant the application the permissions anyway, since the documentation is not explicit about how the admin can grant the necessary permissions.
We cannot find the place in Azure AD where the admin permission can be granted.
There is a lot of documentation about how to use the MSAL framework, but there seems to be that step missing.
After adding the Microsoft Graph permissions that your app requires in the application registration portal, you could manually request admin consent by redirecting to the admin consent endpoint in a browser:
GET https://login.microsoftonline.com/{tenant}/adminconsent?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345
&redirect_uri=http://localhost/myapp/permissions
Please click here for more detail about the admin consent endpoint.
For iOS the redirect URL needs to match the URL scheme registered in the app, which is msal{client-id}://auth if you used guided setup when creating the app on apps.dev.microsoft.com. It only works if you put the admin consent endpoint above into the browser on the phone where the app is installed, since otherwise there is nothing to redirect to.