Tags: c#, azure, sharepoint, microsoft-graph-api, azure-ad-graph-api

"Need admin approval" error when using "Sites.Selected" delegated permission for SharePoint document download


I am using the "Sites.Selected" delegated permission scope to read files from SharePoint on behalf of the logged-in user. I have granted delegated read permission on a specific site to my Azure AD application, and I have also added the "Sites.Selected" permission to my Azure AD application. In theory, my application should be able to download documents for the signed-in user.

To generate a token, I am using the "Sites.Selected" scope, which I will then send to the Graph API to download the user's documents. However, when I attempt to log in, the Microsoft login page displays an error message stating that I need admin approval.

Could anyone please explain why I am encountering this "Need admin approval" error message when trying to log in to my application, despite having the necessary permissions?


Sample Code: https://github.com/Azure-Samples/active-directory-dotnet-desktop-msgraph-v2

Scope: Sites.Selected


Solution

  • I created a Microsoft Entra ID application and added the same API permissions as you.

    When I tried to download the file, I got the same error as you.

    The error usually occurs if admin consent has not been granted to the API permissions that require consent.

    • Or if the User consent settings in Enterprise applications are set to "Do not allow user consent".

    Hence, to resolve the error, either grant admin consent to the API permissions added to the application, OR set the User consent settings to "Allow user consent for apps" as follows:

    Go to Enterprise applications -> Consent and permissions -> User consent settings

    You can also select the "Allow user consent for apps from verified publishers, for selected permissions (Recommended)" option and set the required permissions.

    Now the user can consent for apps and call the API.

    The Sites.Selected API permission allows access only to the selected sites, which are set up as described in this blog by Patrick Rodgers.

    As a sample, I tried to download the signed-in user's file by passing the item ID.

    For this to work, I added the Files.ReadWrite delegated API permission:

    string graphAPIEndpoint = "https://graph.microsoft.com/v1.0/me/drive/items/ItemID";
    string[] scopes = new string[] { "Files.ReadWrite" };

    Based on the API you are calling, you need to add the corresponding permission to the Microsoft Entra ID application.

    Reference:

    azure active directory - Microsoft Graph API - "Needs admin approval" when accessing Assignment API with non-admin accounts - Stack Overflow by me
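Added example, not part of the question or the answer above: a small MSAL.NET console flow that requests a delegated scope for the signed-in user, reports a consent failure before any Graph call is made, confirms the scope was actually granted, and downloads one drive item. It assumes the Microsoft.Identity.Client (MSAL.NET) package and a public-client app registration with http://localhost as a redirect URI; the client ID, tenant ID and item ID are placeholders. It uses Files.Read rather than the answer's Files.ReadWrite, since a download needs no write access.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example (not from the question or answer). Assumes MSAL.NET and a
// public-client app registration; clientId, tenantId and itemId are placeholders.
static class GraphFileDownload
{
    // Least-privilege scope for a download: Files.Read is sufficient, whereas
    // Files.ReadWrite also grants write access that a download never uses.
    static readonly string[] Scopes = { "Files.Read" };

    static async Task<int> Main()
    {
        string clientId = "<app-client-id>";   // placeholder
        string tenantId = "<tenant-id>";       // placeholder
        string itemId   = "<drive-item-id>";   // placeholder

        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create(clientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .WithRedirectUri("http://localhost")
            .Build();

        AuthenticationResult auth;
        try
        {
            auth = await app.AcquireTokenInteractive(Scopes).ExecuteAsync();
        }
        catch (MsalServiceException ex)
        {
            // A scope that needs admin consent, or a tenant with user consent
            // disabled, fails here, before any Graph request is sent.
            Console.Error.WriteLine($"Token request failed ({ex.ErrorCode}): {ex.Message}");
            return 1;
        }

        // Check the granted scopes instead of assuming the request was honoured.
        bool granted = auth.Scopes.Any(s =>
            s.EndsWith("Files.Read", StringComparison.OrdinalIgnoreCase));
        if (!granted)
        {
            Console.Error.WriteLine("Files.Read was not granted; check consent settings.");
            return 2;
        }

        // Disable auto-redirect: /content answers 302 with a pre-authenticated URL
        // on a different host, and the Graph bearer token must not be sent there.
        using var handler = new HttpClientHandler { AllowAutoRedirect = false };
        using var http = new HttpClient(handler);

        var request = new HttpRequestMessage(HttpMethod.Get,
            $"https://graph.microsoft.com/v1.0/me/drive/items/{itemId}/content");
        request.Headers.Authorization =
            new AuthenticationHeaderValue("Bearer", auth.AccessToken);

        using HttpResponseMessage response = await http.SendAsync(request);
        if (response.StatusCode == HttpStatusCode.Forbidden)
        {
            Console.Error.WriteLine("403 from Graph: no effective grant for this item.");
            return 3;
        }
        if (response.StatusCode != HttpStatusCode.Found || response.Headers.Location == null)
        {
            Console.Error.WriteLine($"Unexpected status {(int)response.StatusCode} from Graph.");
            return 4;
        }

        // Follow the redirect without the bearer token; the URL is pre-authenticated.
        using HttpResponseMessage file = await http.GetAsync(response.Headers.Location);
        file.EnsureSuccessStatusCode();
        await using FileStream output = File.Create("downloaded.bin");
        await file.Content.CopyToAsync(output);
        Console.WriteLine($"Saved {output.Length} bytes to downloaded.bin");
        return 0;
    }
}
```

The two early exits separate the failure the question is about (consent, caught at token acquisition) from an authorization failure at the resource (a 403 from Graph), so each can be fixed in the right place: tenant consent settings for the first, the permission grant on the application for the second.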