Questions on microsoft azure portal app registration
I noticed that if i don't add delegated api permissions to my app registration and request explicit scopes during auth like 'File.ReadWrite' instead of the './default', if the user consents the app still works. I am confused because to some extent i expected this to not work, as the permissions were not allowed by admin in the app registration. Why does it work?
if i do use './default' and a new scope is added later by the admin, if the old scopes were granted and a user oauth is retriggered, it will not ask the user for consent again and instead generate a token with the old scopes only -- that is why i explicitly used option 1 but ran into the above caveat
Note that: If you explicitly request
File.ReadWritebut haven’t configured this permission in your app registration, Azure AD will throw an error.
- When you use a scope like
Files.ReadWrite, your app registration needs to include the corresponding permission.
I created a Microsoft Entra ID application, dint not grant any API permission except User.Read:
Now, I tried to use the below endpoint to authorize users:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=Files.ReadWrite
&state=12345
When I logged in as a user, I got the error:
When I tried to request explicit scopes which is not added to application that is Files.ReadWrite I got the error.
But a when I signed with Global Admin, I got the consent screen as Global admin can grant the permission on behalf of users:
If the Global admin clicks on `Consent on behalf of your organization':
The Files.ReadWrite API permission will be added under Other permissions granted for TenantName
Make sure to set user and consent settings as "Do not allow user consent"
And if the API permission is granted under other permissions granted, then the user will be able to explicitly call the permissions.
- The Global Admin consent on behalf of the organization is the key mechanism that makes your app work with permissions that were not initially configured in the app registration.
- If you use the
./defaultscope and new permissions are added later, users won't be asked for consent again once those permissions are granted by the Global Admin, as long as the user has an active token.
The issue you are facing is because, you have set the user and consent settings as "Allow user consent for apps":
And when I tried I got the user consent screen for the API permission which are not added to the app:
UPDATE PASTING PICTURES:
User consent screen:
API permissions:
Enterprise application:
Got consent screen as you:
To resolve the issue, you need to set user and consent settings as "Do not allow user consent" like this and After setting the consent settings as "Do not allow user consent" wait for 10-15 mins and then try again you will get error "Need admin approval"
For low impact of security you can add permissions in Permission classifications balde which permissions the user can consent:
Select "Allow user consent for apps from verified publishers, for selected permissions (Recommended)"
And select permissions for which the user can consent.
- Questions on microsoft azure portal app registration
- API Access to SharePoint Files/Lists via SharePoint REST, API & MSAL, using deamon/service account
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Id token in microsoft with ./Default scope
- Unattended authentication using Azure Active Directory- UserCredential not accepting username and password
- Assigning Roles to a Group and scoping that to an Admin Unit programatically in Entra
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- Access Sharepoint Online Files from .NET Worker Service via Microsoft Graph/OAuth - Unauthorized or Access Denied error (401)
- Get-RemoteDomain in powershell exchange online error : The term 'Get-RemoteDomain' is not recognized as the name of a cmdlet
- Azure Storage accounts container public access level has dissabled
- How to get "exp" from jwt token and compare with it current time to check if token is expired
- How to refresh client assertion in ConfidentialClientApplication?
- Enforce MFA for specific API called from SPFx via AADTokenProvider (Even with SPO MFA)
- How to extract TLS 1.X of all app services/web app running Azure
- Why Can't I See Roles Assigned to an App Registration in Azure?
- Connect C# ASP.NET Core web app to Microsoft Graph calendar
- Is there a way to find out all users of a particular group in AzureAD?
- MSAL Redirect on Failure AADSTS50105
- Microsoft Power BI REST API PowerBINotAuthorizedException
- AzureAD SAML SSO through AWS Cognito - doesn't match requested authentication method
- How to get username after logged in?.I am trying with MSAL (@azure/msal-angular) for Azure Signin
- Display all the user's files using Microsoft Graph API not working
- Get Access Token from Microsoft Graph for ClientId with delegated permissions
- How to call Microsoft Graph API from ASP.NET Core Web API that is called by SPA
- add-kdsrootkey error the request is not supported
- AADSTS50011: The redirect URI http does not match the redirect URIs
- Access Token Issuer from Azure AD is sts.windows.net Instead Of login.microsoftonline.com
- Getting user data through an Azure AD OAuth login - React Native Expo App
- HTTP request to update Service Principal Entra
- on-behalf-of flow, getting error AADSTS50013 while acquiring obo token