How to get team members and owners from microsoft teams? - azure-active-directory

I need to get the list of members and owners of a team in Microsoft Teams. So far I've been doing it with the GET /groups/{id}/owners method of the Graph API. But to use it, the Group.Read.All permission is required, which needs admin consent.
Is there any other way to get team owners that doesn't require an admin-only permission?

No. No matter which type of permission (application permission or delegated permission) you are using, Group.Read.All is necessary.
And both the application permission and the delegated permission require admin consent. There is no other way to bypass admin consent.
See the details in the Permissions section of List owners.

Related

How to grant tenant-wide application permission of an enterprise app?

I've been trying for 3 days to grant admin consent for application permissions in an Azure B2C tenant for an enterprise application.
The app is registered in my main tenant with all its delegated and application type permissions, which are granted tenant-wide. The main tenant also has an entry in its enterprise applications where I can see the same permissions.
I don't know how to add the app in my side tenant without publishing it to the MS store. So I simply log in to my app with a side-tenant account. (I don't know if that's the correct way?)
After the login I have an entry in the enterprise applications of my side tenant, but without the permissions I need.
Now here is my question: how can I grant the permissions I need for all users in my side tenant?
I already tried this URL: https://login.microsoftonline.com/{tenantID}/adminconsent?client_id={clientID}&scope=/.default&redirect_uri=xxx
For my main tenant it works as expected, maybe because it has the application registration, which is missing in my side tenant.
When I try it with my side tenant, I'm getting this error:
access_denied: AADSTS650054 The application XXXX asked for permissions to access a resource that has been removed or is no longer available. Contact the app vendor.
What is likely happening here is that you have configured your app to request access to at least one API which has no representation in "side-tenant" (the API called "LegacyAPI", for example). That's why the error message mentions the "resource that has been removed or is no longer available".
For consent to succeed, all of the resource services (i.e. the APIs) the app is requesting access to must exist in the tenant where consent is being granted. (A service principal object needs to exist.)
You have two options here:
Grant consent to the missing resource services in "side-tenant" (e.g. via the admin consent URL)
Manually create a service principal for the missing resource service in "side-tenant" (e.g. New-AzureADServicePrincipal -AppId "{resource-app-id}")
Not related to your issue, but related to the admin consent URL:
For what you're trying to do, there are three ways to construct the admin consent URL, one using the older v1 endpoint, and two using the newer (recommended) v2 endpoint. In your admin consent URL, you are using the v1 endpoint, but you are including the scope parameter (which is only used in the v2 endpoint).
v2 (recommended)
For all permissions configured in the app registration, revoke any other permissions that were granted tenant-wide (static):
https://login.microsoftonline.com/{tenant-id}/v2.0/adminconsent
?client_id={client-id}
&scope=.default
&redirect_uri={redirect-url}
For the delegated permission User.Read for Microsoft Graph, don't revoke other permissions which were already granted tenant-wide (dynamic, incremental):
https://login.microsoftonline.com/{tenant-id}/v2.0/adminconsent
?client_id={client-id}
&scope=https://graph.microsoft.com/User.Read
&redirect_uri={redirect-url}
v1 (supported, not recommended)
For all permissions configured in the app registration, revoke any other permissions that were granted tenant-wide (static):
https://login.microsoftonline.com/{tenant-id}/adminconsent
?client_id={client-id}
&redirect_uri={redirect-url}
Reference: https://learn.microsoft.com/azure/active-directory/develop/v2-admin-consent
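As an added example (not code from the answer above or from Microsoft), the following Python pre-flights the two things that answer talks about: it checks an app registration's requiredResourceAccess against the service principals that exist in the target tenant, so the resource that would trigger AADSTS650054 is found before anyone is sent to the consent page, and it builds the v1 and v2 admin consent URLs with a state value that is checked on the way back. The manifest fragment, the tenant's service principal list and the "LegacyAPI" appId are constructed sample data; the Microsoft Graph appId is the well-known one. Collecting the real tenant list (for example from GET /servicePrincipals?$select=appId) and creating the missing service principal (New-AzureADServicePrincipal, as in the answer) are left to the caller.

```python
import secrets
from urllib.parse import parse_qs, urlencode

LOGIN_BASE = "https://login.microsoftonline.com"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph, well-known appId

# Constructed sample: manifest fragment requesting Graph plus a hypothetical "LegacyAPI"
# whose service principal does not exist in the side tenant. Permission ids are placeholders.
LEGACY_API_APP_ID = "11111111-1111-1111-1111-111111111111"   # hypothetical
SAMPLE_REQUIRED_RESOURCE_ACCESS = [
    {"resourceAppId": GRAPH_APP_ID,
     "resourceAccess": [{"id": "00000000-0000-0000-0000-000000000001", "type": "Scope"}]},
    {"resourceAppId": LEGACY_API_APP_ID,
     "resourceAccess": [{"id": "00000000-0000-0000-0000-000000000002", "type": "Scope"}]},
]
# Constructed sample: appIds of the service principals present in the side tenant.
SAMPLE_TENANT_SP_APP_IDS = {GRAPH_APP_ID}


def missing_resource_principals(required_resource_access, tenant_sp_app_ids):
    """resourceAppIds the app asks for that have no service principal in the tenant.
    Each one makes the admin consent page fail with AADSTS650054."""
    present = set(tenant_sp_app_ids)
    return [entry["resourceAppId"] for entry in required_resource_access
            if entry["resourceAppId"] not in present]


def admin_consent_url(tenant_id, client_id, redirect_uri, scope=None, state=None, v2=True):
    """Build the admin consent URL and return (url, state).

    v2 (/v2.0/adminconsent): scope is required; "https://graph.microsoft.com/.default"
        grants everything configured statically, a resource-qualified scope list grants
        only those (incremental consent).
    v1 (/adminconsent): always grants every permission configured on the app registration
        and ignores scope, so passing one is rejected instead of being silently dropped.
    state: opaque value the caller stores and compares on the redirect back, so an
        unrelated or replayed redirect cannot be mistaken for a successful grant."""
    if state is None:
        state = secrets.token_urlsafe(16)
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    if v2:
        if not scope:
            raise ValueError("v2 adminconsent needs an explicit scope, e.g. "
                             "https://graph.microsoft.com/User.Read")
        params["scope"] = scope
        path = f"/{tenant_id}/v2.0/adminconsent"
    else:
        if scope is not None:
            raise ValueError("the v1 adminconsent endpoint ignores scope and grants "
                             "all configured permissions; do not pass one")
        path = f"/{tenant_id}/adminconsent"
    return f"{LOGIN_BASE}{path}?{urlencode(params)}", state


def parse_consent_response(query_string, expected_state):
    """Validate the query string Azure AD appends to redirect_uri after consent.
    Raises ValueError on a state mismatch or a declined/failed consent."""
    q = {k: v[0] for k, v in parse_qs(query_string).items()}
    if q.get("state") != expected_state:
        raise ValueError("state mismatch: not the consent round-trip we started")
    if q.get("admin_consent") != "True":
        raise ValueError(q.get("error_description", "admin consent was not granted"))
    return {"tenant": q.get("tenant"), "scope": q.get("scope", "")}


if __name__ == "__main__":
    missing = missing_resource_principals(SAMPLE_REQUIRED_RESOURCE_ACCESS, SAMPLE_TENANT_SP_APP_IDS)
    if missing:
        print("create service principals for these appIds first (else AADSTS650054):", missing)
    url, state = admin_consent_url("contoso.onmicrosoft.com", "{client-id}", "https://localhost/",
                                   scope="https://graph.microsoft.com/User.Read")
    print(url)   # send the admin here, keep `state` server-side for parse_consent_response
```

Running the check before handing out the URL turns the opaque "resource that has been removed" error into a concrete list of appIds to provision. Requesting a specific scope on the v2 endpoint rather than .default is also the least-privilege choice: the admin sees and grants exactly the permissions the feature needs.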

Graph Explorer: Need admin approval

I am trying to call sendMail in Graph (https://graph.microsoft.com/v1.0/me/sendMail) and received this error:
Graph explorer (official site) needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
I understand that I need to ask an admin, but I don't know whom to ask or what the procedure is like. My tenant is "Microsoft".
Thanks for any input!
The application requires one or more permissions that only a Global Admin can consent to. There are some permissions for which standard users can provide consent, but if the application needs a high-level permission with which changes can be made to the directory, the above message is displayed and only the Global Administrator can consent to those permissions.
So you would need to contact a Global Administrator to provide consent. For the microsoft.com tenant, you can open a request here. Please refer to a similar question; it may help you.
You have granted the application permissions without admin consent. The easiest way is to redirect the user to the administrator consent endpoint, then log in with the administrator account and click the Accept button to grant administrator consent for your application.
You need to request this URL in your browser:
https://login.microsoftonline.com/{tenant_id}/adminconsent?client_id={client_id}

Adding new static scopes to existing Azure AD app registration

My AD tenant has user consent disabled, i.e., all permissions added to an AD app registration need admin consent.
For an application using static permissions/scopes (v1.0 OAuth/OpenID endpoint), is it possible to add new permissions such that, until admin consent is granted, users can continue using features which require only the existing consented scopes?
Microsoft docs say: "The app needs to know all of the resources it would ever access ahead of time. It was difficult to create apps that could access an arbitrary number of resources." Does it mean that for my scenario, all users need to wait for admin consent before they can access the app?
I receive the below error when a user tries logging in to the app using the OpenID Connect flow. For reference, my login URL is similar to https://login.microsoftonline.com/{tenant}/oauth2/authorize?response_type=id_token&client_id=b8ad6a99-cd23-40a6-a1b4-1184af990aa2&redirect_uri=https%3A%2F%2Flocalhost%2F&state=13ccfb84-cfd1-4cb0-bfe3-bb2c227e19f7&client-request-id=4d76947a-0000-48af-aeff-7bc2d5e40000&x-client-SKU=Js&x-client-Ver=1.0.17&nonce=ef1caa16-d3fe-4523-a9c9-000000000000
is it possible to add new permissions such that until the admin consent is granted, users can continue using features which require only the existing consented scopes?
Yes, you can.
When the admin consents to the API permissions of an AD app (app registration), the permissions are essentially given to the service principal (enterprise application) in your AAD tenant. Actually, if you use the AD app in your tenant, the permissions essentially come from the service principal.
You could refer to the screenshot below: there are four permissions, and two of them have been granted.
Navigate to Overview and click the option Manage application in local directory.
Then under Permissions, you will find the two permissions which have been consented to.
When you add the new scopes, the app will keep working, but it will only be able to access the old scopes until the admin consents to the new scopes.
Thanks!
Alex Simons

Microsoft graph api permissions for reading Birthday and Hire date

I am trying to read and write the Birthday and Hire date user properties using the Microsoft Graph API. I configured the application and delegated permissions below.
I am getting an access denied error as a normal user, but it works for the Azure admin.
Delegated
User.Read, User.ReadBasic.All, User.ReadWrite, Directory.AccessAsUser.All (admin only), Directory.Read.All (admin only), Directory.ReadWrite.All (admin only), User.Read.All (admin only), User.ReadWrite.All (admin only)
Application
Directory.Read.All, Directory.ReadWrite.All (admin only), User.Read.All (admin only), User.ReadWrite.All (admin only)
Please help me with which permissions are needed for the app to read and write the birthday and hire date properties for normal users.
You cannot have both Application and Delegated scopes active within the same token. Which are used is entirely based on the OAuth grant you've used to obtain the token. You might find this article helpful: Application vs Delegated Scopes.
You've also chosen several scopes that require Admin Consent before they can be used within a tenant. Until you've obtained this consent, normal users will not be able to authenticate. You might find this article helpful: v2 Endpoint & Admin Consent.
In terms of scopes, in order to read a user's profile (which holds those properties), you should only need User.Read. You can, and should, remove all of the other scopes you're requesting. When it comes to permission scopes, more is never better.
Note: both of the articles I mentioned above were written by me. Also, while they deal with the v2 Endpoint, the concepts in them apply to both AAD v1 and v2 OAuth endpoints.
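Two of the answers above turn on what is actually inside the access token: the "static scopes" answer says an app keeps working on the already-consented scopes while newly added ones wait for admin consent, and the answer just above says a token carries either delegated or application permissions, never both. The following Python is an added example, not code from either answer, that makes both points concrete: it decodes a token's payload, classifies it by the `scp` (delegated) or `roles` (application) claim, gates client features on the permissions actually present, and recognises the consent-required token error (AADSTS65001) so the app can show "waiting for admin approval" for the new scopes instead of failing sign-in. The sample tokens are constructed locally with alg=none for offline running; the feature-to-permission map is an assumption for illustration. Only the payload is decoded here: signature validation belongs to the resource that receives the token, and nothing below makes an authorization decision from the claims.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def token_claims(jwt: str) -> dict:
    """Decode the payload of a compact JWS. No signature check: that is the
    resource's job; the client only reads what it was granted."""
    _header, payload, _signature = jwt.split(".")   # ValueError if not 3 segments
    return json.loads(_b64url_decode(payload))


def token_kind(claims: dict) -> str:
    """Delegated tokens carry `scp` (space-separated), app-only tokens carry `roles`."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "application"
    return "unknown"


def granted_permissions(claims: dict) -> set:
    if "scp" in claims:
        return set(claims["scp"].split())
    return set(claims.get("roles", []))


# Assumed, illustrative mapping of client features to the permission each needs.
FEATURE_PERMISSIONS = {
    "view_my_profile": {"User.Read"},
    "update_my_profile": {"User.ReadWrite"},
    "browse_directory": {"User.Read.All"},
}


def available_features(claims: dict) -> list:
    """Features whose required permissions are all present in the token: features
    behind scopes that still await admin consent simply stay switched off."""
    granted = granted_permissions(claims)
    return sorted(name for name, needed in FEATURE_PERMISSIONS.items() if needed <= granted)


def needs_admin_consent(token_error: dict) -> bool:
    """True for a token endpoint error body that means the requested scope has not
    been consented to (AADSTS65001 / suberror consent_required)."""
    return token_error.get("error") == "invalid_grant" and (
        65001 in token_error.get("error_codes", [])
        or token_error.get("suberror") == "consent_required")


def make_unsigned_sample_token(claims: dict) -> str:
    """Constructed sample for offline runs only: alg=none with an empty signature,
    which any real resource must reject."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


# Constructed sample claim sets and error body.
SAMPLE_DELEGATED = {"aud": "https://graph.microsoft.com", "scp": "User.Read openid profile"}
SAMPLE_APP_ONLY = {"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]}
SAMPLE_CONSENT_ERROR = {"error": "invalid_grant", "error_codes": [65001],
                        "suberror": "consent_required",
                        "error_description": "AADSTS65001: The user or administrator has not consented..."}

if __name__ == "__main__":
    for sample in (SAMPLE_DELEGATED, SAMPLE_APP_ONLY):
        claims = token_claims(make_unsigned_sample_token(sample))
        print(token_kind(claims), sorted(granted_permissions(claims)), available_features(claims))
    print("consent pending:", needs_admin_consent(SAMPLE_CONSENT_ERROR))
```

In a real client the token comes from MSAL or the token endpoint; the point of the gating is that a feature asks for exactly the scope it needs and degrades when that scope is absent, rather than the app requesting every admin-only permission up front and failing for every normal user until consent lands.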

Exclusion feature in keycloak IDM

I am trying to develop a web application using Angular 4, Java EE and WildFly. I am planning on using Keycloak as the IDM. I researched and found that we can assign roles to users, but what I couldn't find is whether it provides a feature to exclude some privilege from the admin role.
For example: I want to give a user with the admin role all the privileges except one, so I want to exclude that privilege from that admin.
Is it possible using Keycloak? If not, can anyone suggest another IDM matching this requirement?
No, you cannot change the privileges of the admin role. Yes, you can use Keycloak.
From http://www.keycloak.org/docs/latest/server_admin/topics/admin-console-permissions/fine-grain.html
Fine grain permissions are used to grant additional permissions. You cannot override the default behavior of the built in admin roles.
I think you can still achieve what you want with Keycloak's flexible administrative role and permission management. Just not exactly in the way you think it should be done.
Don't give your administration user the role admin, but some of the more restrictive roles of the client realm-management (e.g. view-realm, manage-users).
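As an added example (not code from the answer above or from the Keycloak project), here is the restrictive assignment the answer recommends, done through the Keycloak Admin REST API: look up the realm-management client, fetch the role representations for view-realm and manage-users, and map them onto the user instead of granting admin. The three admin API paths used are Keycloak's; the helper functions, the refusal of realm-admin (the composite that is equivalent to full realm administration), the FakeKeycloak stand-in and the sample ids are this example's own, so it runs offline. A real run needs an admin bearer token for the Admin API, obtained however you normally do (admin-cli client, kcadm.sh config credentials), which is out of scope here.

```python
import json
from functools import partial
from urllib.request import Request, urlopen

# Restrictive roles from the realm-management client, per the answer above.
LIMITED_ADMIN_ROLES = ["view-realm", "manage-users"]
# Composite role equal to full realm administration; refused by design (assumption:
# the caller wants a limited admin, which is the whole point).
FULL_ADMIN_ROLE = "realm-admin"


def keycloak_call(base_url, token, method, path, body=None):
    """Minimal urllib transport for the Admin REST API; returns parsed JSON or None."""
    data = json.dumps(body).encode() if body is not None else None
    req = Request(base_url + path, data=data, method=method,
                  headers={"Authorization": f"Bearer {token}",
                           "Content-Type": "application/json"})
    with urlopen(req) as resp:            # POST role-mappings answers 204 with no body
        raw = resp.read()
    return json.loads(raw) if raw else None


def grant_limited_admin(realm, user_id, roles, call):
    """Map the given realm-management client roles onto user_id.
    `call(method, path, body)` performs one Admin API request. Returns the role names mapped."""
    if FULL_ADMIN_ROLE in roles:
        raise ValueError(f"{FULL_ADMIN_ROLE} grants everything; pick specific realm-management roles")
    clients = call("GET", f"/admin/realms/{realm}/clients?clientId=realm-management", None)
    if len(clients) != 1:
        raise RuntimeError(f"realm-management client not found in realm {realm}")
    client_uuid = clients[0]["id"]
    reps = [call("GET", f"/admin/realms/{realm}/clients/{client_uuid}/roles/{name}", None)
            for name in roles]
    body = [{"id": r["id"], "name": r["name"]} for r in reps]   # id + name is what the mapping needs
    call("POST", f"/admin/realms/{realm}/users/{user_id}/role-mappings/clients/{client_uuid}", body)
    return [r["name"] for r in reps]


class FakeKeycloak:
    """Constructed offline stand-in for the Admin API; records the POSTed role mappings."""
    def __init__(self):
        self.posted = []
        self.roles = {"view-realm": "r1", "manage-users": "r2", "realm-admin": "r0"}   # sample ids

    def __call__(self, method, path, body):
        if method == "GET" and path.endswith("clients?clientId=realm-management"):
            return [{"id": "rm-uuid", "clientId": "realm-management"}]
        if method == "GET" and "/roles/" in path:
            name = path.rsplit("/", 1)[1]
            return {"id": self.roles[name], "name": name}
        if method == "POST":
            self.posted.append((path, body))
            return None
        raise AssertionError(f"unexpected call {method} {path}")


if __name__ == "__main__":
    fake = FakeKeycloak()
    print(grant_limited_admin("myrealm", "user-1", LIMITED_ADMIN_ROLES, fake))
    print(fake.posted)
    # Against a real server (assumed base URL and token):
    # call = partial(keycloak_call, "https://keycloak.example.com", "<admin bearer token>")
    # grant_limited_admin("myrealm", "<user uuid>", LIMITED_ADMIN_ROLES, call)
```

The guard against realm-admin is the practical form of "don't give the admin role": the composite cannot be trimmed, so the only way to end up with "everything except one privilege" is to compose the set from the individual realm-management roles and never hand out the composite.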
