Tags: azure, microsoft-graph-api

How to add new Microsoft Graph scopes to existing client with existing admin consents


I have a client in Azure which uses Microsoft Graph APIs to access data in multiple other tenants with scope Users.Read. This client has admin consent for this scope from those tenants.

Now I want to add a new scope to this client to use additional APIs for new functionality, let's say I need scope Place.Read. I understand that this scope will not be granted for tenants unless a new admin consent is given to include this scope. But will it work to add this new scope without affecting existing admin consents for Users.Read scope?

How do I add this new scope so that tenant admins who wish to give admin consent to my client for Place.Read as well may do so, while those who do nothing still give access to the Users.Read scope?

I am not very used to working with Azure AD, the existing setup was made by someone else ages ago, so any step by step help would be great. When I enter the client in Azure, I can see the scope and that it requires admin consent, but I cannot see how to add new requested scopes.


Solution

In TenantA I created a Microsoft Entra multi-tenant application and granted User.Read permission:

(screenshot)

And granted admin consent and signed in with a TenantB Global Admin account:

https://login.microsoftonline.com/organizations/adminconsent?client_id=ClientID

(screenshot)

Now in TenantB, the Enterprise application is created with User.Read permission granted:

(screenshot)

In TenantA I granted Place.Read.All permission:

(screenshot)

Note that if you add the new scope in the TenantA (where the app resides) application and want to grant the same scope in another tenant, the other tenant's Global Admin must grant admin consent again in order to reflect the new permissions added to the application. This will not affect the old permissions granted.

Now, to add the Place.Read.All permission in TenantB, grant admin consent again either via the Portal or by the below URL:

https://login.microsoftonline.com/organizations/adminconsent?client_id=ClientID

(screenshot)

After refresh, you can see both the permissions granted to the TenantB application:

(screenshot)
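The answer above leaves one practical gap for a multi-tenant app: after you add a permission in TenantA, some customer tenants will have re-consented and others will not, and a call to the new API in a tenant that has not re-consented fails with an authorization error. The script below is an added example, not code from the original answer or from Microsoft. It builds the same admin consent URL the answer uses (`redirect_uri` and `state` are optional parameters of that endpoint; the sample `ClientID` is the page's placeholder) and checks the permissions actually present in an access token's `scp` (delegated) and `roles` (application) claims against the set the app now requires, so you can tell per tenant whether the new scope has been granted before using it. The two tokens are constructed, unsigned JWT-shaped strings for offline demonstration, and the payload decode is for inspection only, not signature validation.

```python
"""Detect which Microsoft Graph permissions a customer tenant has actually consented to.

Added example (not from the original answer). Works on the claims of an access token
the app obtained for that tenant and on the admin-consent URL from the answer.
"""
import base64
import json
import urllib.parse

# Permissions the app registration in TenantA now requests. Constructed for this
# example from the two permissions discussed on the page.
REQUIRED_PERMISSIONS = {"User.Read", "Place.Read.All"}

CONSENT_ENDPOINT = "https://login.microsoftonline.com/organizations/adminconsent"


def admin_consent_url(client_id, redirect_uri=None, state=None):
    """Build the tenant-wide admin consent URL used in the answer.

    With only client_id this is exactly the URL on the page. redirect_uri (must be a
    registered reply URL of the app) and state are optional and let the app record
    which tenant consented when Entra ID redirects back.
    """
    params = {"client_id": client_id}
    if redirect_uri:
        params["redirect_uri"] = redirect_uri
    if state:
        params["state"] = state
    return CONSENT_ENDPOINT + "?" + urllib.parse.urlencode(params)


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def granted_permissions(access_token):
    """Return the Graph permissions present in the token's claims.

    Delegated scopes arrive in 'scp' as a space-separated string; application
    permissions arrive in 'roles' as a list. The payload is decoded for inspection
    only; no signature check is done here, so never treat this as authentication.
    """
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    perms = set(payload.get("scp", "").split())
    perms.update(payload.get("roles", []))
    return perms


def missing_permissions(access_token, required=REQUIRED_PERMISSIONS):
    """Permissions the tenant admin has not consented to yet (empty set = all granted)."""
    return set(required) - granted_permissions(access_token)


def _constructed_token(claims):
    """Build an unsigned, JWT-shaped string for the offline demo. Not a real token."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}."


# Constructed sample: TenantB consented before Place.Read.All was added to the app.
TOKEN_BEFORE_RECONSENT = _constructed_token(
    {"tid": "tenant-b-guid-placeholder", "scp": "User.Read"})
# Constructed sample: TenantB's Global Admin granted consent again after the change.
TOKEN_AFTER_RECONSENT = _constructed_token(
    {"tid": "tenant-b-guid-placeholder", "scp": "User.Read Place.Read.All"})


if __name__ == "__main__":
    for label, token in (("before re-consent", TOKEN_BEFORE_RECONSENT),
                         ("after re-consent", TOKEN_AFTER_RECONSENT)):
        missing = missing_permissions(token)
        if missing:
            # Old permissions keep working; only the new API must wait for consent.
            print(f"{label}: still needs admin consent for {sorted(missing)}")
            print("  ask the tenant admin to open:",
                  admin_consent_url("ClientID", state="tenant-b"))
        else:
            print(f"{label}: all required permissions granted")
```

Run it as-is to see the before/after decision for the constructed tokens; in a real deployment, feed `missing_permissions` the token you acquired for each tenant and gate the Place.Read.All code path on the result rather than letting the new call fail in production.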