Microsoft Graph API Permissions for non-admins?

Question

I am trying to create a dropdown with all the users in my Office365 tenant. I created an app in Azure AD and gave it all the necessary permissions. I gave it all the permissions for Microsoft Graph actually, app and delegated. All of them.

Then I wrote up my script to query all users with https://graph.microsoft.com/v1.0/users.

I had my tenant admin go in and accept the permissions then output the list of users in the UI. Works fine for the admin

I'm not an admin but when I go to the page I get the following error:

This application requires application permissions to another application. Consent for application permissions can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.

I need to know if this will work for users with even lower permissions. From what I understand the API request and the App is running under the permissions given to the application in Azure. So even if the user as Read Only, the request isn't running under the user, it's running under the Application I set up. So why would I get the error regarding permissions?

This is the code I'm using:

(function () {
  "use strict";
  // Some samples will use the tenant name here like "tenant.onmicrosoft.com"
  // I prefer to user the subscription Id
  var subscriptionId = "metenant.onmicrosoft.com";
  // Copy the client ID of your AAD app here once you have registered one, configured the required permissions, and
  // allowed implicit flow https://msdn.microsoft.com/en-us/office/office365/howto/get-started-with-office-365-unified-api
  var clientId = "cccb1f2f-xxx-x-xxxxx-x-x-x-x-x-";

  window.config = {
    // subscriptionId: subscriptionId,
    clientId: clientId,
    postLogoutRedirectUri: window.location.origin,
    endpoints: {
      graphApiUri: 'https://graph.microsoft.com'
    },
    cacheLocation: 'localStorage' // enable this for IE, as sessionStorage does not work for localhost.
  };

  var authContext = new AuthenticationContext(config);

  // Check For & Handle Redirect From AAD After Login
  var isCallback = authContext.isCallback(window.location.hash);
  authContext.handleWindowCallback();

  if (isCallback && !authContext.getLoginError()) {
    window.location = authContext._getItem(authContext.CONSTANTS.STORAGE.LOGIN_REQUEST);
  }

  // If not logged in force login
  var user = authContext.getCachedUser();
  // NOTE: you may want to render the page for anonymous users and render
  // a login button which runs the login function upon click.
  if (!user) authContext.login();

  // Acquire token for Files resource.
  authContext.acquireToken(config.endpoints.graphApiUri, function (error, token) {
    // Handle ADAL Errors.
    if (error || !token) {
      console.log('ADAL error occurred: ' + error);
      return;
    }
    // Execute GET request to Files API.
    var filesUri = config.endpoints.graphApiUri + "/v1.0/users";
    $.ajax({
      type: "GET",
      url: filesUri,
      headers: {
        'Authorization': 'Bearer ' + token,
      }
    }).done(function (response) {
      console.log('Successfully fetched from Graph.');
      console.log(response);

      var container = $(".container")

      container.empty();

      $.each(response.value, function(index, item) {
        container.append($('<li>').text(item.displayName + " " + item.mail + " " + item.mobilePhone))
      })
    }).fail(function (response) {
      var err = JSON.parse(response.responseText)
      console.log('Failed:', err.error.message);
    });
  });
})();

Answer 1

There are two kinds of permission/scope for Microsoft Graph. One is that require administrator’s consent. The other is not required.

What’s the permission you were config for this app? To list the users without administrator’s consent, we can use the scope User.ReadBasic.All like figure below:

You can get more detail about the permission/scope from here.

Modify:

At present, the adal.js doesn’t provide the admin consent. If you want to use this feature, you can modify the code to add a prameter like below:

AuthenticationContext.prototype.login = function (prompt) {
// Token is not present and user needs to login
var expectedState = this._guid();
this.config.state = expectedState;
this._idTokenNonce = this._guid();
this._logstatus('Expected state: ' + expectedState + ' startPage:' + window.location);
this._saveItem(this.CONSTANTS.STORAGE.LOGIN_REQUEST, window.location);
this._saveItem(this.CONSTANTS.STORAGE.LOGIN_ERROR, '');
this._saveItem(this.CONSTANTS.STORAGE.STATE_LOGIN, expectedState);
this._saveItem(this.CONSTANTS.STORAGE.NONCE_IDTOKEN, this._idTokenNonce);
this._saveItem(this.CONSTANTS.STORAGE.FAILED_RENEW, '');
this._saveItem(this.CONSTANTS.STORAGE.ERROR, '');
this._saveItem(this.CONSTANTS.STORAGE.ERROR_DESCRIPTION, '');


var urlNavigate = this._getNavigateUrl('id_token', null) + '&nonce=' + encodeURIComponent(this._idTokenNonce);

if (prompt && prompt === "admin_consent") {
    urlNavigate = urlNavigate + "&prompt=admin_consent"
}


this.frameCallInProgress = false;
this._loginInProgress = true;
if (this.config.displayCall) {
    // User defined way of handling the navigation
    this.config.displayCall(urlNavigate);
} else {
    this.promptUser(urlNavigate);
}
// callback from redirected page will receive fragment. It needs to call oauth2Callback
};

And if you were using Angular, we also need to modify the adal-angular.js:

this.$get = ['$rootScope', '$window', '$q', '$location', '$timeout', function ($rootScope, $window, $q, $location, $timeout) {
... 
return {
                // public methods will be here that are accessible from Controller
                config: _adal.config,
                login: function (prompt) {
                _adal.login(prompt);
        },
...
}

Then we can provide two button for users login in. One button is for the users sign-in with themselves. And the other is for admin to give the consent for the organization. Here is the code redirect to the login page for the admin consent in the control of Angular:

$scope.login = function () {
     adalService.login("admin_consent");
};